PROFESSIONAL-CLOUD-SECURITY-ENGINEER Exam Details

  • Exam Code
    :PROFESSIONAL-CLOUD-SECURITY-ENGINEER
  • Exam Name
    :Professional Cloud Security Engineer
  • Certification
    :Google Certifications
  • Vendor
    :Google
  • Total Questions
    :324 Q&As
  • Last Updated
    :May 26, 2026

Google PROFESSIONAL-CLOUD-SECURITY-ENGINEER Online Questions & Answers

  • Question 121:

    A customer wants to run a batch processing system on VMs and store the output files in a Cloud Storage bucket. The networking and security teams have decided that no VMs may reach the public internet. How should this be accomplished?

    A. Create a firewall rule to block internet traffic from the VM.
    B. Provision a NAT Gateway to access the Cloud Storage API endpoint.
    C. Enable Private Google Access on the VPC.
    D. Mount a Cloud Storage bucket as a local filesystem on every VM.

  • Question 122:

    You are routing all your internet-facing traffic from Google Cloud through your on-premises internet connection. You want to accomplish this goal securely and with the highest bandwidth possible.

    What should you do?

    A. Create an HA VPN connection to Google Cloud. Replace the default 0.0.0.0/0 route.
    B. Create a routing VM in Compute Engine. Configure the default route with the VM as the next hop.
    C. Configure Cloud Interconnect with HA VPN. Replace the default 0.0.0.0/0 route to an on-premises destination.
    D. Configure Cloud Interconnect and route traffic through an on-premises firewall.
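    Questions 121 and 122 both hinge on how a VPC picks an egress route: the most specific destination wins, and among equally specific routes the one with the lowest priority value wins. The simulator below is an added example written for this page, not code from the source or from Google. It replaces the default 0.0.0.0/0 route with an on-premises next hop while keeping a more specific route for the Google API VIP range on the default internet gateway, which is what Private Google Access needs in order to keep reaching Cloud Storage. The 199.36.153.8/30 range is the real private.googleapis.com VIP block; the subnet range, route names and next-hop labels are assumptions for the illustration.

```python
"""Simulate Google Cloud VPC route selection (longest prefix match, then
lowest priority value) for a VPC whose VMs must not reach the public
internet but must still reach Google APIs via Private Google Access.

Added illustration, not code from the source page. Route names, the
10.128.0.0/20 subnet and the next-hop labels are assumptions; the
199.36.153.8/30 block is the published private.googleapis.com VIP range.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    name: str
    dest: str               # destination CIDR
    next_hop: str           # e.g. "default-internet-gateway", "interconnect-attachment"
    priority: int = 1000    # lower value wins among equally specific routes


def select_route(routes, dst_ip):
    """Return the route a VPC would use for dst_ip, or None if no route
    matches (in which case the packet is dropped)."""
    ip = ipaddress.ip_address(dst_ip)
    matches = [(ipaddress.ip_network(r.dest), r) for r in routes
               if ip in ipaddress.ip_network(r.dest)]
    if not matches:
        return None
    # Most specific prefix first; break ties with the lowest priority value.
    matches.sort(key=lambda m: (-m[0].prefixlen, m[1].priority))
    return matches[0][1]


def egress_path(routes, dst_ip):
    """Name of the next hop traffic to dst_ip would take, or 'dropped'."""
    route = select_route(routes, dst_ip)
    return route.next_hop if route else "dropped"


# Before: the auto-created default route sends everything not otherwise
# matched to the internet gateway, so any VM with an external IP (or behind
# Cloud NAT) can reach arbitrary internet hosts.
DEFAULT_TABLE = [
    Route("default-route", "0.0.0.0/0", "default-internet-gateway"),
    Route("subnet-local", "10.128.0.0/20", "subnet"),
]

# After: the 0.0.0.0/0 route now points at the Cloud Interconnect (or HA VPN)
# attachment to on-prem. A more specific route keeps only the Google API VIP
# block on the default internet gateway; with Private Google Access enabled on
# the subnet, internal-IP-only VMs reach Cloud Storage through it while every
# other destination is inspected by the on-premises firewall.
HARDENED_TABLE = [
    Route("default-to-onprem", "0.0.0.0/0", "interconnect-attachment"),
    Route("private-googleapis", "199.36.153.8/30", "default-internet-gateway"),
    Route("subnet-local", "10.128.0.0/20", "subnet"),
]


if __name__ == "__main__":
    for table_name, table in (("default", DEFAULT_TABLE), ("hardened", HARDENED_TABLE)):
        for dst in ("8.8.8.8", "199.36.153.9", "10.128.0.5"):
            print(f"{table_name:8} {dst:15} -> {egress_path(table, dst)}")
```

Two practitioner caveats the simulation makes visible: replacing the default route affects every VM in the VPC, including those with external IPs, and Private Google Access only works if a route whose next hop is the default internet gateway still covers the Google API addresses, so DNS must also resolve *.googleapis.com to that VIP range (or to 199.36.153.4/30 for restricted.googleapis.com when VPC Service Controls is in use).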

  • Question 123:

    A large e-retailer is moving to Google Cloud Platform with its ecommerce website. The company wants to ensure payment information is encrypted between the customer's browser and GCP when customers check out online. What should they do?

    A. Configure an SSL Certificate on an L7 Load Balancer and require encryption.
    B. Configure an SSL Certificate on a Network TCP Load Balancer and require encryption.
    C. Configure the firewall to allow inbound traffic on port 443, and block all other inbound traffic.
    D. Configure the firewall to allow outbound traffic on port 443, and block all other outbound traffic.

  • Question 124:

    Your security team wants to reduce the risk of user-managed keys being mismanaged and compromised. To achieve this, you need to prevent developers from creating user-managed service account keys for projects in their organization. How should you enforce this?

    A. Configure Secret Manager to manage service account keys.
    B. Enable an organization policy to disable service accounts from being created.
    C. Enable an organization policy to prevent service account keys from being created.
    D. Remove the iam.serviceAccounts.getAccessToken permission from users.

  • Question 125:

    A customer's company has multiple business units. Each business unit operates independently, and each has its own engineering group. Your team wants visibility into all projects created within the company and wants to organize their Google Cloud Platform (GCP) projects based on different business units. Each business unit also requires separate sets of IAM permissions.

    Which strategy should you use to meet these needs?

    A. Create an organization node, and assign folders for each business unit.
    B. Establish standalone projects for each business unit, using gmail.com accounts.
    C. Assign GCP resources in a project, with a label identifying which business unit owns the resource.
    D. Assign GCP resources in a VPC for each business unit to separate network access.

  • Question 126:

    For compliance reasons, an organization needs to ensure that in-scope PCI Kubernetes Pods reside on "in-scope" Nodes only. These Nodes can only contain the "in-scope" Pods. How should the organization achieve this objective?

    A. Add a nodeSelector field to the pod configuration to only use the Nodes labeled inscope: true.
    B. Create a node pool with the label inscope: true and a Pod Security Policy that only allows the Pods to run on Nodes with that label.
    C. Place a taint on the Nodes with the label inscope: true and effect NoSchedule, and a matching toleration in the Pod configuration.
    D. Run all in-scope Pods in the namespace "in-scope-pci".
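    Question 126 asks for two properties at once: in-scope Pods land only on in-scope Nodes, and in-scope Nodes hold nothing else. Kubernetes enforces those with two different scheduler predicates, a nodeSelector (which pulls a Pod toward labeled Nodes) and a NoSchedule taint plus toleration (which pushes untolerating Pods away). The simulator below is an added example, not code from the page or from Kubernetes; the cluster, Pod names and the `inscope: true` label/taint key follow the question text and are constructed here. It evaluates both predicates the way kube-scheduler's filtering phase does for the Equal operator, and shows what each mechanism gives on its own versus combined.

```python
"""Minimal model of two kube-scheduler filter predicates, NodeSelector and
TaintToleration (Equal operator, NoSchedule effect), used to check PCI
node isolation. Added example; nodes, pods and the 'inscope' key are
constructed for the illustration.
"""
from dataclasses import dataclass, field


@dataclass
class Taint:
    key: str
    value: str
    effect: str = "NoSchedule"


@dataclass
class Node:
    name: str
    labels: dict = field(default_factory=dict)
    taints: list = field(default_factory=list)


@dataclass
class Pod:
    name: str
    node_selector: dict = field(default_factory=dict)
    tolerations: list = field(default_factory=list)  # (key, value, effect) tuples


def tolerates(pod, taint):
    """Equal-operator toleration: key, value and effect must all match."""
    return any(k == taint.key and v == taint.value and e == taint.effect
               for k, v, e in pod.tolerations)


def can_schedule(pod, node):
    """Both predicates must pass: every selector label is on the node, and
    every NoSchedule taint on the node is tolerated by the pod."""
    if any(node.labels.get(k) != v for k, v in pod.node_selector.items()):
        return False
    return all(tolerates(pod, t) for t in node.taints if t.effect == "NoSchedule")


def feasible_nodes(pod, nodes):
    return sorted(n.name for n in nodes if can_schedule(pod, n))


def build_cluster(taint_inscope_nodes):
    """One PCI node labeled inscope=true (optionally tainted) and one general node."""
    inscope = Node("pci-node", labels={"inscope": "true"})
    if taint_inscope_nodes:
        inscope.taints.append(Taint("inscope", "true"))
    return [inscope, Node("general-node")]


def pci_pod(selector, tolerate):
    return Pod("payment-api",
               node_selector={"inscope": "true"} if selector else {},
               tolerations=[("inscope", "true", "NoSchedule")] if tolerate else [])


def ordinary_pod():
    return Pod("marketing-site")  # no selector, no tolerations


def isolation_report(taint, selector):
    """Return (nodes the PCI pod may use, nodes an ordinary pod may use)."""
    nodes = build_cluster(taint_inscope_nodes=taint)
    return (feasible_nodes(pci_pod(selector=selector, tolerate=taint), nodes),
            feasible_nodes(ordinary_pod(), nodes))


def isolated(taint, selector):
    """True only when PCI pods are confined to pci-node AND pci-node is closed
    to everything else."""
    pci, other = isolation_report(taint, selector)
    return pci == ["pci-node"] and "pci-node" not in other


if __name__ == "__main__":
    for taint, selector in ((False, True), (True, False), (True, True)):
        print(f"taint={taint} selector={selector}:", isolation_report(taint, selector),
              "isolated" if isolated(taint, selector) else "NOT isolated")
```

The model shows why a nodeSelector alone still lets unrelated Pods onto the PCI nodes and a taint alone still lets PCI Pods drift onto general nodes; confining both directions needs the taint/toleration pair together with a nodeSelector or node affinity. Note also that PodSecurityPolicy (option B) was removed in Kubernetes 1.25 and was never a scheduling mechanism.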

  • Question 127:

    Your organization uses the top-tier folders to separate application environments (prod and dev). The developers need to see all application development audit logs, but they are not permitted to review production logs. Your security team can review all logs in production and development environments. You must grant Identity and Access Management (IAM) roles at the right resource level for the developers and security team while you ensure least privilege.

    What should you do?

    A. 1. Grant the logging.viewer role to the security team at the organization resource level. 2. Grant the logging.viewer role to the developer team at the folder resource level that contains all the dev projects.
    B. 1. Grant the logging.viewer role to the security team at the organization resource level. 2. Grant the logging.admin role to the developer team at the organization resource level.
    C. 1. Grant the logging.admin role to the security team at the organization resource level. 2. Grant the logging.viewer role to the developer team at the folder resource level that contains all the dev projects.
    D. 1. Grant the logging.admin role to the security team at the organization resource level. 2. Grant the logging.admin role to the developer team at the organization resource level.
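    Questions 125 and 127 both rest on the same mechanism: an IAM binding on a node of the resource hierarchy (organization, folder, project) is inherited by every descendant, so the level at which a role is granted fixes its blast radius, and folders are the unit that lets each business unit or environment carry its own bindings. The model below is an added example, not code from the page or from Google. The hierarchy, the two groups and the two projects are constructed; `roles/logging.viewer` and `roles/logging.admin` are real predefined roles, but which principal gets which role where is the example's own choice.

```python
"""Model Google Cloud IAM inheritance (org > folder > project) and check a
least-privilege requirement: developers read dev logs only, security reads
all logs. Added example; hierarchy, groups and projects are constructed.
"""
from collections import defaultdict


class Hierarchy:
    def __init__(self):
        self.parent = {}                   # resource -> parent (None at the org)
        self.bindings = defaultdict(set)   # resource -> {(principal, role)}

    def add(self, resource, parent=None):
        self.parent[resource] = parent

    def grant(self, resource, principal, role):
        self.bindings[resource].add((principal, role))

    def ancestors(self, resource):
        """The resource itself, then each ancestor up to the organization."""
        while resource is not None:
            yield resource
            resource = self.parent[resource]

    def effective_roles(self, principal, resource):
        """Effective policy is the union of bindings on the resource and on
        every ancestor; there is no way to deny an inherited role below."""
        return {role for node in self.ancestors(resource)
                for p, role in self.bindings[node] if p == principal}


LOG_READ_ROLES = {"roles/logging.viewer", "roles/logging.admin"}


def build_org(dev_grant_level, dev_role="roles/logging.viewer"):
    """Org with prod/dev top-tier folders, one project in each. The security
    group is always bound at the org; the developer group is bound wherever
    dev_grant_level says, so the effect of the chosen level can be compared."""
    h = Hierarchy()
    h.add("org")
    h.add("folders/prod", "org")
    h.add("folders/dev", "org")
    h.add("projects/shop-prod", "folders/prod")
    h.add("projects/shop-dev", "folders/dev")
    h.grant("org", "group:security", "roles/logging.viewer")
    h.grant(dev_grant_level, "group:developers", dev_role)
    return h


def can_read_logs(h, principal, project):
    return bool(LOG_READ_ROLES & h.effective_roles(principal, project))


def least_privilege_ok(h):
    """Developers see dev but not prod; security sees both."""
    return (can_read_logs(h, "group:developers", "projects/shop-dev")
            and not can_read_logs(h, "group:developers", "projects/shop-prod")
            and can_read_logs(h, "group:security", "projects/shop-prod")
            and can_read_logs(h, "group:security", "projects/shop-dev"))


if __name__ == "__main__":
    for level in ("folders/dev", "org"):
        print(f"developers bound at {level}: least privilege "
              f"{'holds' if least_privilege_ok(build_org(level)) else 'VIOLATED'}")
```

The run with the developer binding at the organization shows why options that grant developers any log-reading role at the org level fail: inheritance cannot be subtracted further down, so the binding must be placed at the folder that holds exactly the dev projects. One caveat outside the question's wording: `roles/logging.viewer` does not include Data Access audit logs, which require `roles/logging.privateLogViewer`; if developers genuinely need those, the same folder-level placement applies to that role.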

  • Question 128:

    You manage a BigQuery analytical data warehouse in your organization. You want to keep data for all your customers in a common table while you also restrict query access based on rows and columns permissions. Non-query operations should not be supported.

    What should you do? (Choose two.)

    A. Create row-level access policies to restrict the result data when you run queries with the filter expression set to TRUE.
    B. Configure column-level encryption by using Authenticated Encryption with Associated Data (AEAD) functions with Cloud Key Management Service (KMS) to control access to columns at query runtime.
    C. Create row-level access policies to restrict the result data when you run queries with the filter expression set to FALSE.
    D. Configure dynamic data masking rules to control access to columns at query runtime.
    E. Create column-level policy tags to control access to columns at query runtime.

  • Question 129:

    Your organization uses Google Cloud to process large amounts of location data for analysis and visualization. The location data is potentially sensitive. You must design a solution that allows storing and processing the location data securely, minimizing data exposure risks, and adhering to both regulatory guidelines and your organization's internal data residency policies. What should you do?

    A. Enable location restrictions on Compute Engine instances and virtual disk resources where the data is handled. Apply labels to tag geographic metadata for all stored data.
    B. Use the Cloud Data Loss Prevention (Cloud DLP) API to scan for sensitive location data before any storage or processing. Create Cloud Storage buckets with global availability for optimal performance, relying on Cloud DLP results to filter and control data access.
    C. Create regional Cloud Storage buckets with Object Lifecycle Management policies that limit data lifetime. Enable fine-grained access controls by using IAM conditions. Encrypt data with customer-managed encryption keys (CMEK) generated within specific Cloud KMS key locations.
    D. Store data within BigQuery in a specified region by using dataset location configuration. Use authorized views and row-level security to enforce geographic access restrictions. Encrypt data within BigQuery tables by using customer-managed encryption keys (CMEK).

  • Question 130:

    You are working with a client who plans to migrate their data to Google Cloud. You are responsible for recommending an encryption service to manage their encryption keys. You have the following requirements:

    1. The master key must be rotated at least once every 45 days.
    2. The solution that stores the master key must be FIPS 140-2 Level 3 validated.
    3. The master key must be stored in multiple regions within the US for redundancy.

    Which solution meets these requirements?

    A. Customer-managed encryption keys with Cloud Key Management Service
    B. Customer-managed encryption keys with Cloud HSM
    C. Customer-supplied encryption keys
    D. Google-managed encryption keys

Tips on How to Prepare for the Exams

Nowadays, certification exams are becoming more important, and more and more enterprises require them when you apply for a job. But how do you prepare for the exam effectively? How do you prepare for the exam in a short time with less effort? How do you get an ideal result, and how do you find the most reliable resources? Here on Vcedump.com, you will find all the answers. Vcedump.com provides not only Google exam questions, answers and explanations but also complete assistance with your exam preparation and certification application. If you are confused about your PROFESSIONAL-CLOUD-SECURITY-ENGINEER exam preparation and Google certification application, do not hesitate to visit Vcedump.com to find your solutions.