Google PROFESSIONAL-CLOUD-SECURITY-ENGINEER Online Practice
Questions and Exam Preparation
PROFESSIONAL-CLOUD-SECURITY-ENGINEER Exam Details
Exam Code: PROFESSIONAL-CLOUD-SECURITY-ENGINEER
Exam Name: Professional Cloud Security Engineer
Certification: Google Certifications
Vendor: Google
Total Questions: 324 Q&As
Last Updated: May 26, 2026
Google PROFESSIONAL-CLOUD-SECURITY-ENGINEER Online Questions & Answers
Question 151:
You are in charge of migrating a legacy application from your company datacenters to GCP before the current maintenance contract expires. You do not know what ports the application is using and no documentation is available for you to check. You want to complete the migration without putting your environment at risk.
What should you do?
A. Migrate the application into an isolated project using a "Lift and Shift" approach. Enable all internal TCP traffic using VPC Firewall rules. Use VPC Flow logs to determine what traffic should be allowed for the application to work properly.
B. Migrate the application into an isolated project using a "Lift and Shift" approach in a custom network. Disable all traffic within the VPC and look at the Firewall logs to determine what traffic should be allowed for the application to work properly.
C. Refactor the application into a micro-services architecture in a GKE cluster. Disable all traffic from outside the cluster using Firewall Rules. Use VPC Flow logs to determine what traffic should be allowed for the application to work properly.
D. Refactor the application into a micro-services architecture hosted in Cloud Functions in an isolated project. Disable all traffic from outside your project using Firewall Rules. Use VPC Flow logs to determine what traffic should be allowed for the application to work properly.
A. Migrate the application into an isolated project using a "Lift and Shift" approach. Enable all internal TCP traffic using VPC Firewall rules. Use VPC Flow logs to determine what traffic should be allowed for the application to work properly.
Explanation/Reference:
Migrate the application into an isolated project using a "Lift and Shift" approach. Enable all internal TCP traffic using VPC Firewall rules. Use VPC Flow logs to determine what traffic should be allowed for the application to work properly.
Question 152:
You work for an organization that handles sensitive customer data. You must secure a series of Google Cloud Storage buckets housing this data and meet these requirements:
1. Multiple teams need varying access levels (some read-only, some read-write).
2. Data must be protected in storage and at rest.
3. It's critical to track file changes and audit access for compliance purposes.
4. For compliance purposes, the organization must have control over the encryption keys.
What should you do?
A. Create IAM groups for each team and manage permissions at the group level. Employ server-side encryption and Object Versioning by Google Cloud Storage. Configure cloud monitoring tools to alert on anomalous data access patterns.
B. Set individual permissions for each team and apply access control lists (ACLs) to each bucket and file. Enforce TLS encryption for file transfers. Enable Object Versioning and Cloud Audit Logs for the storage buckets.
C. Use predefined IAM roles tailored to each team's access needs, such as Storage Object Viewer and Storage Object User. Utilize customer-supplied encryption keys (CSEK) and enforce TLS encryption. Turn on both Object Versioning and Cloud Audit Logs for the storage buckets.
D. Assign IAM permissions for all teams at the object level. Implement third-party software to encrypt data at rest. Track data access by using network logs.
C. Use predefined IAM roles tailored to each team's access needs, such as Storage Object Viewer and Storage Object User. Utilize customer-supplied encryption keys (CSEK) and enforce TLS encryption. Turn on both Object Versioning and Cloud Audit Logs for the storage buckets.
Question 153:
Which Identity-Aware Proxy role should you grant to an Identity and Access Management (IAM) user to access HTTPS resources?
A. Security Reviewer
B. IAP-Secured Tunnel User
C. IAP-Secured Web App User
D. Service Broker Operator
C. IAP-Secured Web App User
Explanation/Reference:
IAP-Secured Tunnel User: grants access to tunnel resources that use IAP.
IAP-Secured Web App User: grants access to HTTPS resources that use Identity-Aware Proxy, i.e. App Engine, Cloud Run, and Compute Engine resources behind IAP.
https://cloud.google.com/iap/docs/managing-access#roles
Question 154:
You want to limit the images that can be used as the source for boot disks. These images will be stored in a dedicated project. What should you do?
A. Use the Organization Policy Service to create a compute.trustedImageProjects constraint on the organization level. List the trusted project as the whitelist in an allow operation.
B. Use the Organization Policy Service to create a compute.trustedImageProjects constraint on the organization level. List the trusted projects as the exceptions in a deny operation.
C. In Resource Manager, edit the project permissions for the trusted project. Add the organization as member with the role: Compute Image User.
D. In Resource Manager, edit the organization permissions. Add the project ID as member with the role: Compute Image User.
A. Use the Organization Policy Service to create a compute.trustedImageProjects constraint on the organization level. List the trusted project as the whitelist in an allow operation.
Question 155:
Your company is concerned about unauthorized parties gaining access to the Google Cloud environment by using a fake login page. You must implement a solution to protect against person-in-the-middle attacks.
Which security measure should you use?
A. Security key
B. Google prompt
C. Text message or phone call code
D. Google Authenticator application
A. Security key
Explanation/Reference:
A security key is a physical device that you can use for two-step verification, providing an additional layer of security for your Google Account. Security keys can defend against phishing and man-in-the-middle attacks, making your login process more secure.
Question 156:
You are a Security Administrator at your organization. You need to restrict service account creation capability within production environments. You want to accomplish this centrally across the organization. What should you do?
A. Use Identity and Access Management (IAM) to restrict access of all users and service accounts that have access to the production environment.
B. Use organization policy constraints/iam.disableServiceAccountKeyCreation boolean to disable the creation of new service accounts.
C. Use organization policy constraints/iam.disableServiceAccountKeyUpload boolean to disable the creation of new service accounts.
D. Use organization policy constraints/iam.disableServiceAccountCreation boolean to disable the creation of new service accounts.
D. Use organization policy constraints/iam.disableServiceAccountCreation boolean to disable the creation of new service accounts.
Explanation/Reference:
https://cloud.google.com/resource-manager/docs/organization-policy/restricting-service-accounts
https://cloud.google.com/resource-manager/docs/organization-policy/restricting-service-accounts#disable_service_account_creation
You can use the iam.disableServiceAccountCreation boolean constraint to disable the creation of new service accounts. This allows you to centralize management of service accounts while not restricting the other permissions your developers have on projects.
Question 157:
Your organization is implementing separation of duties in a Google Cloud project. A group of developers must deploy new code, but cannot have permission to change network firewall rules. What should you do?
A. Assign the network administrator IAM role to all developers. Tell developers not to change firewall settings.
B. Use Access Context Manager to create conditions that allow only authorized administrators to change firewall rules based on attributes such as IP address or device security posture.
C. Create and assign two custom IAM roles. Assign the deployer role to control Compute Engine and deployment-related permissions. Assign the network administrator role to manage firewall permissions.
D. Grant the editor IAM role to the developer group. Explicitly negate any firewall modification permissions by using IAM deny policies.
C. Create and assign two custom IAM roles. Assign the deployer role to control Compute Engine and deployment-related permissions. Assign the network administrator role to manage firewall permissions.
Question 158:
You are on your company's development team. You noticed that your web application hosted in staging on GKE dynamically includes user data in web pages without first properly validating the inputted data. This could allow an attacker to execute gibberish commands and display arbitrary content in a victim user's browser in a production environment.
How should you prevent and fix this vulnerability?
A. Use Cloud IAP based on IP address or end-user device attributes to prevent and fix the vulnerability.
B. Set up an HTTPS load balancer, and then use Cloud Armor for the production environment to prevent the potential XSS attack.
C. Use Web Security Scanner to validate the usage of an outdated library in the code, and then use a secured version of the included library.
D. Use Web Security Scanner in staging to simulate an XSS injection attack, and then use a templating system that supports contextual auto-escaping.
D. Use Web Security Scanner in staging to simulate an XSS injection attack, and then use a templating system that supports contextual auto-escaping.
Explanation/Reference:
The Web Security Scanner documentation explicitly describes its XSS test as a simulation: "Web Security Scanner cross-site scripting (XSS) injection testing *simulates* an injection attack by inserting a benign test string into user-editable fields and then performing various user actions."
https://cloud.google.com/security-command-center/docs/how-to-remediate-web-security-scanner-findings#xss
Reference: https://cloud.google.com/security-scanner/docs/remediate-findings
Question 159:
You are part of a security team that wants to ensure that a Cloud Storage bucket in Project A can only be readable from Project B. You also want to ensure that data in the Cloud Storage bucket cannot be accessed from or copied to Cloud Storage buckets outside the network, even if the user has the correct credentials.
What should you do?
A. Enable VPC Service Controls, create a perimeter with Project A and B, and include Cloud Storage service.
B. Enable Domain Restricted Sharing Organization Policy and Bucket Policy Only on the Cloud Storage bucket.
C. Enable Private Access in Project A and B networks with strict firewall rules to allow communication between the networks.
D. Enable VPC Peering between Project A and B networks with strict firewall rules to allow communication between the networks.
A. Enable VPC Service Controls, create a perimeter with Project A and B, and include Cloud Storage service.
Question 160:
Your company has been creating users manually in Cloud Identity to provide access to Google Cloud resources. Due to continued growth of the environment, you want to authorize the Google Cloud Directory Sync (GCDS) instance and integrate it with your on-premises LDAP server to onboard hundreds of users.
You are required to:
1. Replicate user and group lifecycle changes from the on-premises LDAP server in Cloud Identity.
2. Disable any manually created users in Cloud Identity.
You have already configured the LDAP search attributes to include the users and security groups in scope for Google Cloud.
What should you do next to complete this solution?
A. 1. Configure the option to suspend domain users not found in LDAP. 2. Set up a recurring GCDS task.
B. 1. Configure the option to delete domain users not found in LDAP. 2. Run GCDS after user and group lifecycle changes.
C. 1. Configure the LDAP search attributes to exclude manually created Cloud Identity users not found in LDAP. 2. Set up a recurring GCDS task.
D. 1. Configure the LDAP search attributes to exclude manually created Cloud Identity users not found in LDAP. 2. Run GCDS after user and group lifecycle changes.
A. 1. Configure the option to suspend domain users not found in LDAP. 2. Set up a recurring GCDS task.
Explanation/Reference:
To achieve the requirement "Disable any manually created users in Cloud Identity", configure GCDS to suspend rather than delete accounts if user accounts are not found in the LDAP directory in GCDS. Ref: https://support.google.com/a/answer/7177267