Managing operations
Drill 20 practice questions focused entirely on Managing operations for the Google Cloud PCSE exam. Tap an answer for instant feedback and a full explanation — no sign-up, always free.
A financial services company runs a CI/CD pipeline that pushes container images to Artifact Registry. Security requires that any image with a CRITICAL OS-package vulnerability must never be promoted to the production GKE cluster, while HIGH and below can proceed with tracking. The team already uses Binary Authorization with an attestor. What is the most effective way to automatically enforce this severity-based gate before deployment?
A financial services company must be able to prove exactly which principals read the contents of sensitive objects in a specific Cloud Storage bucket during forensic investigations. During a recent incident, the security team discovered that Cloud Logging showed no records of object reads, only administrative changes to the bucket configuration. They need read operations to be captured going forward with minimal blast radius. What should the team configure?
Your organization runs production workloads on a GKE cluster. Security policy requires that only container images built by the approved Cloud Build pipeline and scanned for vulnerabilities may be deployed. Developers must not be able to deploy arbitrary images pulled from public registries or built on their laptops. You need to enforce this at deploy time on the cluster. What should you implement?
A company runs microservices on Cloud Run. The security team wants to guarantee that only container images built by the organization's trusted Cloud Build pipeline and stored in a specific Artifact Registry repository can be deployed to production Cloud Run services. Developers must not be able to deploy arbitrary public images. What is the most effective way to enforce this deployment control?
Your organization enforces a Binary Authorization policy on a GKE cluster requiring attestations from your CI/CD pipeline. A security review reveals a concern: images that passed admission weeks ago may later be found to contain newly disclosed vulnerabilities, but they continue running in the cluster because the policy is only evaluated at Pod creation time. The security team wants ongoing assurance that running Pods still comply with the Binary Authorization policy, and to be alerted when they drift out of compliance, without blocking currently running workloads. What should you do?
Your organization uses Cloud Build to deploy applications to production Cloud Run services. The security team requires that any deployment targeting the production environment must be manually reviewed and explicitly approved by an authorized release manager before it executes, while builds to staging should continue to run automatically. You need to implement this control natively within the CI/CD pipeline with an auditable record of who approved each production deployment. What should you do?
Your organization runs CI/CD pipelines in Cloud Build to deploy applications to Cloud Run. A recent security review found that the pipelines use the default Cloud Build service account, which has broad Editor-level permissions across the project. A malicious commit could therefore let a build step create resources or modify IAM policies far beyond deployment needs. The security team wants to reduce the blast radius of a compromised build while keeping deployments functional. What is the most appropriate action?
A financial services company runs its container build pipeline in Cloud Build, pushing images to Artifact Registry. Auditors require cryptographic proof of how each image was built, including the source commit and build steps, so that downstream Binary Authorization policies can verify that images originate only from the trusted pipeline. The security team wants to enable this evidence with minimal custom tooling. What should they do?
A security team must centralize audit logs from all projects in an organization into a single BigQuery dataset for long-term analysis. They want the collection to automatically include any projects created in the future, and they must exclude high-volume Data Access logs from Cloud Storage to control BigQuery ingestion costs. Which approach meets all requirements with the least ongoing maintenance?
A security analyst must be alerted whenever any user downloads (creates) a service account key across the organization, because service account key creation is prohibited by policy except for one legacy break-glass workflow. The analyst wants near-real-time notification with minimal custom code, using data already present in Admin Activity audit logs. What is the most appropriate approach?
A security analyst at a financial services company must detect any interactive access to Compute Engine VM serial consoles, because attackers sometimes use them to bypass network-based controls and SSH logging. The organization already exports all audit logs to a central log bucket, but the analyst wants a near-real-time alert whenever serial console access is enabled or used on any VM in the organization. What is the most appropriate way to implement this detection?
Your security operations team wants to detect brute-force SSH login attempts against Compute Engine VMs across the organization. They need a repeatable, low-maintenance detection that produces findings in a central console alongside other threat findings, without deploying custom log parsing infrastructure. Which approach should you recommend?
A financial services company must retain all admin activity audit logs for 7 years to satisfy a regulatory requirement. Auditors demand assurance that no one — including project owners or the security team — can delete or shorten the retention of these logs during the retention period. The logs are currently stored in the default _Required log bucket. What should the security engineer do?
Your security operations team runs an on-premises Splunk SIEM and must ingest all Cloud Audit Logs from every project in your organization in near real time for correlation and alerting. The pipeline must be centrally managed, minimize per-project configuration, and stream logs continuously rather than in batch. Which approach should you implement?
Your security team stores audit logs in a centralized Cloud Logging log bucket in a dedicated logging project. An external compliance auditor needs read access to only the Data Access audit logs originating from one specific production project, but the log bucket also contains logs from dozens of other projects. You must grant the auditor visibility to just the relevant logs without duplicating or exporting the data elsewhere. What is the most appropriate approach?
A financial services company enforces a Binary Authorization policy on its production GKE cluster that requires images to carry an attestation from an approved attestor before they can run. During a severe outage at 2 a.m., the on-call engineer must urgently deploy a hotfix image that has not yet passed the attestation pipeline. Company policy allows emergency deployments but mandates that every such deployment be recorded and reviewed afterward. What is the recommended way to deploy the unattested image while preserving an auditable record?
A retailer runs a payment-processing microservice on a GKE cluster. The security team wants automatic detection of runtime threats inside running containers, such as a reverse shell being spawned or a suspicious binary that was added to a container image after deployment and then executed. Findings must appear alongside other cloud misconfiguration and vulnerability findings for triage. Which capability should the team enable?
Your platform team builds container images with Cloud Build and stores them in Artifact Registry before deploying to GKE. Security wants to be automatically notified whenever a newly pushed image contains a known CVE, without requiring developers to trigger manual scans or run third-party scanners in the pipeline. What should you do?
Your security operations team receives a Security Command Center finding indicating a Compute Engine VM in a production project is communicating with a known cryptomining command-and-control endpoint. The incident response runbook requires that you preserve volatile and disk evidence for forensic analysis while immediately stopping the malicious outbound traffic, and you must minimize the risk of the attacker detecting your response. Which sequence of actions best meets these requirements?
During an active investigation, your security team suspects that a compromised service account was used to modify and delete objects in a Cloud Storage bucket over the past several days. Legal requires that all relevant Cloud Logging entries be preserved in a tamper-resistant, immutable form for potential litigation, and the retention must survive any attempt by an attacker with project-level permissions to delete logs. Which approach best meets these requirements?
More PCSE practice
Keep going with the other Professional Cloud Security Engineer domains, or take a full timed mock exam.
← Back to PCSE overview