PROFESSIONAL-CLOUD-SECURITY-ENGINEER Exam Details

  • Exam Code
    :PROFESSIONAL-CLOUD-SECURITY-ENGINEER
  • Exam Name
    :Professional Cloud Security Engineer
  • Certification
    :Google Certifications
  • Vendor
    :Google
  • Total Questions
    :324 Q&As
  • Last Updated
    :Jul 15, 2026

Google PROFESSIONAL-CLOUD-SECURITY-ENGINEER Online Questions & Answers

  • Question 101:

    A company's application is deployed with a user-managed Service Account key. You want to use Google- recommended practices to rotate the key.

    What should you do?

    A. Open Cloud Shell and run gcloud iam service-accounts enable-auto-rotate --iam- account=IAM_ACCOUNT.
    B. Open Cloud Shell and run gcloud iam service-accounts keys rotate --iam-account=IAM_ACCOUNT -- key=NEW_KEY.
    C. Create a new key, and use the new key in the application. Delete the old key from the Service Account.
    D. Create a new key, and use the new key in the application. Store the old key on the system as a backup key.

  • Question 102:

    You manage your organization's Security Operations Center (SOC). You currently monitor and detect network traffic anomalies in your Google Cloud VPCs based on packet header information. However, you want the capability to explore network flows and their payload to aid investigations. Which Google Cloud product should you use?

    A. Marketplace IDS
    B. VPC Flow Logs
    C. VPC Service Controls logs
    D. Packet Mirroring
    E. Google Cloud Armor Deep Packet Inspection

  • Question 103:

    You need to audit the network segmentation for your Google Cloud footprint. You currently operate Production and Non-Production infrastructure-as-a-service (IaaS) environments. All your VM instances are deployed without any service account customization.

    After observing the traffic in your custom network, you notice that all instances can communicate freely "despite tag-based VPC firewall rules in place to segment traffic properly " with a priority of 1000.

    What are the most likely reasons for this behavior?

    A. All VM instances are missing the respective network tags.
    B. All VM instances are residing in the same network subnet.
    C. All VM instances are configured with the same network route.
    D. A VPC firewall rule is allowing traffic between source/targets based on the same service account with priority 999.
    E. A VPC firewall rule is allowing traffic between source/targets based on the same service account with priority 1001.

  • Question 104:

    How should a customer reliably deliver Stackdriver logs from GCP to their on-premises SIEM system?

    A. Send all logs to the SIEM system via an existing protocol such as syslog.
    B. Configure every project to export all their logs to a common BigQuery DataSet, which will be queried by the SIEM system.
    C. Configure Organizational Log Sinks to export logs to a Cloud Pub/Sub Topic, which will be sent to the SIEM via Dataflow.
    D. Build a connector for the SIEM to query for all logs in real time from the GCP RESTful JSON APIs.

  • Question 105:

    You are setting up a CI/CD pipeline to deploy containerized applications to your production clusters on Google Kubernetes Engine (GKE). You need to prevent containers with known vulnerabilities from being deployed. You have the following requirements for your solution:

    1.

    Must be cloud-native

    2.

    Must be cost-efficient

    3.

    Minimize operational overhead

    How should you accomplish this? (Choose two.)

    A. Create a Cloud Build pipeline that will monitor changes to your container templates in a Cloud Source Repositories repository. Add a step to analyze Container Analysis results before allowing the build to continue.
    B. Use a Cloud Function triggered by log events in Google Cloud's operations suite to automatically scan your container images in Container Registry.
    C. Use a cron job on a Compute Engine instance to scan your existing repositories for known vulnerabilities and raise an alert if a non-compliant container image is found.
    D. Deploy Jenkins on GKE and configure a CI/CD pipeline to deploy your containers to Container Registry. Add a step to validate your container images before deploying your container to the cluster.
    E. In your CI/CD pipeline, add an attestation on your container image when no vulnerabilities have been found. Use a Binary Authorization policy to block deployments of containers with no attestation in your cluster.

  • Question 106:

    Your organization has an application hosted in Cloud Run. You must control access to the application by using Cloud Identity-Aware Proxy (IAP) with these requirements:

    1.

    Only users from the AppDev group may have access.

    2.

    Access must be restricted to internal network IP addresses.

    What should you do?

    A. Deploy a VPN gateway and instruct the AppDev group to connect to the company network before accessing the application.
    B. Create an access level that includes conditions for internal IP address ranges and AppDev groups. Apply this access level to the application's IAP policy.
    C. Configure firewall rules to limit access to IAP based on the AppDev group and source IP addresses.
    D. Configure IAP to enforce multi-factor authentication (MFA) for all users and use network intrusion detection systems (NIDS) to block unauthorized access attempts.

  • Question 107:

    Your organization has hired a small, temporary partner team for 18 months. The temporary team will work alongside your DevOps team to develop your organization's application that is hosted on Google Cloud. You must give the temporary partner team access to your application's resources on Google Cloud and ensure that partner employees lose access. If they are removed from their employer's organization. What should you do?

    A. Create a temporary username and password for the temporary partner team members. Auto-clean the usernames and passwords after the work engagement has ended.
    B. Create a workforce identity pool and federate the identity pool with the identity provider (IdP) of the temporary partner team.
    C. Implement just-in-time privileged access to Google Cloud for the temporary partner team.
    D. Add the identities of the temporary partner team members to your identity provider (IdP).

  • Question 108:

    You need to enable VPC Service Controls and allow changes to perimeters in existing environments without preventing access to resources. Which VPC Service Controls mode should you use?

    A. Cloud Run
    B. Native
    C. Enforced
    D. Dry run

  • Question 109:

    You work for a banking organization. You are migrating sensitive customer data to Google Cloud that is currently encrypted at rest while on-premises. There are strict regulatory requirements when moving sensitive data to the cloud. Independent of the cloud service provider, you must be able to audit key usage and be able to deny certain types of decrypt requests. You must choose an encryption strategy that will ensure robust security and compliance with the regulations. What should you do?

    A. Utilize Google default encryption and Cloud IAM to keep the keys within your organization's control.
    B. Implement Cloud External Key Manager (Cloud EKM) with Access Approval, to integrate with your existing on-premises key management solution.
    C. Implement Cloud External Key Manager (Cloud EKM) with Key Access Justifications to integrate with your existing one premises key management solution.
    D. Utilize customer-managed encryption keys (CMEK) created in a dedicated Google Compute Engine instance with Confidential Compute encryption, under your organization's control.

  • Question 110:

    You perform a security assessment on a customer architecture and discover that multiple VMs have public IP addresses. After providing a recommendation to remove the public IP addresses, you are told those VMs need to communicate to external sites as part of the customer's typical operations. What should you recommend to reduce the need for public IP addresses in your customer's VMs?

    A. Google Cloud Armor
    B. Cloud NAT
    C. Cloud Router
    D. Cloud VPN

Tips on How to Prepare for the Exams

Nowadays, the certification exams become more and more important and required by more and more enterprises when applying for a job. But how to prepare for the exam effectively? How to prepare for the exam in a short time with less efforts? How to get a ideal result and how to find the most reliable resources? Here on Vcedump.com, you will find all the answers. Vcedump.com provide not only Google exam questions, answers and explanations but also complete assistance on your exam preparation and certification application. If you are confused on your PROFESSIONAL-CLOUD-SECURITY-ENGINEER exam preparations and Google certification application, do not hesitate to visit our Vcedump.com to find your solutions here.