S3 - Security, Encryption & Compliance

Question 1

Google’s Shared Responsibility model

Answer 1

Google secures the infrastructure; customers secure configurations, data, and access.

Question 2

the encryption layers in GCP

Answer 2

Encryption at rest (automatic), in transit (TLS), CMEK/CSEK (customer-controlled), optional app-level encryption.

Question 3

CMEK vs CSEK

Answer 3

CMEK = managed via Cloud KMS, audit-friendly; CSEK = you supply raw keys, not stored by Google, high risk.

Question 4

VPC Service Controls

Answer 4

A data perimeter preventing API-level data exfiltration from managed services.

Question 5

Private Google Access vs VPC-SC

Answer 5

PGA = private IP routing to Google APIs; VPC-SC = logical security perimeter for managed services.

Question 6

IAP vs Cloud Armor

Answer 6

IAP authenticates user identity for internal apps; Cloud Armor protects external endpoints from DDoS/web attacks.

Question 7

Binary Authorization

Answer 7

Verifies only signed container images are deployed (trust chain enforcement).

Question 8

Security Command Center (SCC)

Answer 8

Central threat and vulnerability monitoring dashboard for GCP.

Question 9

the 3 Cloud Audit Log types

Answer 9

Admin Activity, Data Access, System Events.

Question 10

an aggregated sink

Answer 10

Centralized export that routes logs from multiple projects/org to one destination (BigQuery or Storage).

Question 11

service securely stores API keys and passwords

Answer 11

Secret Manager.

Question 12

BeyondCorp

Answer 12

Google’s zero-trust model: every request verified for user, device, and context.

Question 13

service prevents data exfiltration

Answer 13

VPC Service Controls.

Question 14

service ensures only signed containers deploy

Answer 14

Binary Authorization.

Question 15

service provides DDoS protection

Answer 15

Cloud Armor.

Question 16

service provides centralized vulnerability insights

Answer 16

Security Command Center.

Question 17

enforce customer-controlled encryption keys

Answer 17

Enable CMEK for supported services and control via Cloud KMS IAM.

Question 18

role for encryption key usage

Answer 18

roles/cloudkms.cryptoKeyEncrypterDecrypter.

Question 19

Exam trap: “prevent insider copy of data from BigQuery.” — Correct answer?

Answer 19

Implement VPC Service Controls with Service Perimeter around BigQuery.

Question 20

achieve centralized audit trail

Answer 20

Create aggregated log sinks sending all Admin/Data logs to a Security Project.