Engineer Exam Questions And Correct
Answers (Verified Answers) Plus
Rationales 2026 Q&A | Instant
Download Pdf
Question 1
A company wants to enforce organization-wide security policies across all Google
Cloud projects. What should they use?
A. VPC Service Controls
B. Organization Policy Service
C. Cloud IAM Conditions
D. Security Command Center
B. Organization Policy Service
Rationale: Organization Policy Service allows centralized control over resources
across an entire Google Cloud organization. It enables administrators to define
constraints such as restricting resource locations, disabling services, or enforcing
security rules at scale. Unlike IAM, which focuses on access control, organization
policies enforce guardrails that apply consistently across folders and projects.
Question 2
Which Google Cloud service provides centralized visibility into security findings
and misconfigurations?
A. Cloud Asset Inventory
B. Security Command Center
,C. Cloud Logging
D. Cloud Monitoring
B. Security Command Center
Rationale: Security Command Center (SCC) is Google Cloud’s centralized security
and risk management platform. It aggregates findings from multiple security
sources, including misconfigurations, vulnerabilities, and threats. It provides a
single pane of glass for security posture management, unlike logging or
monitoring tools which focus on operational metrics rather than security
insights.
Question 3
What is the best way to enforce least privilege access in Google Cloud?
A. Use predefined roles only
B. Use primitive roles
C. Assign broad project-level roles
D. Create custom IAM roles with minimal permissions
D. Create custom IAM roles with minimal permissions
Rationale: Least privilege is achieved by granting only necessary permissions.
Custom IAM roles allow fine-grained control over permissions, ensuring users
and service accounts only access required resources. Predefined and primitive
roles are often too broad and violate least privilege principles.
Question 4
Which feature helps protect data in transit within Google Cloud?
A. Cloud KMS
B. TLS encryption
C. IAM roles
D. VPC Peering
,B. TLS encryption
Rationale: Data in transit is protected using Transport Layer Security (TLS),
which encrypts communication between services and users. Google Cloud
automatically enforces TLS for most services, ensuring confidentiality and
integrity during transmission. Cloud KMS is used for encryption at rest, not
transit.
Question 5
What is the primary purpose of Cloud KMS?
A. Manage network firewalls
B. Manage encryption keys
C. Monitor API usage
D. Control IAM permissions
B. Manage encryption keys
Rationale: Cloud Key Management Service (KMS) is used to create, store, and
manage cryptographic keys. These keys are used to encrypt and decrypt data
across Google Cloud services. It does not manage IAM or networking functions.
Question 6
Which Google Cloud feature provides network-level isolation between workloads?
A. IAM
B. VPC networks
C. Cloud Functions
D. Cloud Run
B. VPC networks
Rationale: Virtual Private Cloud (VPC) provides isolated networking
environments within Google Cloud. It allows segmentation of workloads,
, firewall rules, and private communication between resources. This isolation is
critical for secure architecture design.
Question 7
What is the best way to secure service-to-service authentication in Google Cloud?
A. API keys
B. Password authentication
C. Service accounts
D. SSH keys
C. Service accounts
Rationale: Service accounts provide identity for applications and workloads
rather than users. They enable secure, automated authentication between
services without human credentials, supporting fine-grained IAM control and
auditability.
Question 8
Which tool helps detect vulnerabilities in container images?
A. Cloud Build
B. Artifact Registry scanning
C. Cloud Logging
D. Cloud Armor
B. Artifact Registry scanning
Rationale: Artifact Registry includes vulnerability scanning for container images.
It detects known CVEs and security issues before deployment, helping prevent
insecure workloads from running in production environments.
Question 9
What does VPC Service Controls help prevent?