PROFESSIONAL-CLOUD-SECURITY-ENGINEER Exam Details

  • Exam Code: PROFESSIONAL-CLOUD-SECURITY-ENGINEER
  • Exam Name: Professional Cloud Security Engineer
  • Certification: Google Certifications
  • Vendor: Google
  • Total Questions: 324 Q&As
  • Last Updated: May 26, 2026

Google PROFESSIONAL-CLOUD-SECURITY-ENGINEER Online Questions & Answers

  • Question 161:

    Your organization's financial modeling application is already deployed on Google Cloud. The application processes large amounts of sensitive customer financial data. Application code is old and poorly understood by your current software engineers. Recent threat modeling exercises have highlighted the potential risk of sophisticated side-channel attacks against the application while the application is running. You need to further harden the Google Cloud solution to mitigate the risk of these side-channel attacks, ensuring maximum protection for the confidentiality of financial data during processing, while minimizing application problems. What should you do?

    A. Enforce stricter access controls for Compute Engine instances by using service accounts, least privilege IAM policies, and limit network access.
    B. Implement a runtime library designed to introduce noise and timing variations into the application's execution, which will disrupt side-channel attacks.
    C. Migrate the application to Confidential VMs to provide hardware-level encryption of memory and protect sensitive data during processing.
    D. Utilize customer-managed encryption keys (CMEK) to ensure complete control over the encryption process.

  • Question 162:

    Your company must follow industry-specific regulations. Therefore, you need to enforce customer-managed encryption keys (CMEK) for all new Cloud Storage resources in the organization called org1.

    What command should you execute?

    A. 1. organization policy: constraints/gcp.restrictStorageNonCmekServices binding at: org1 2. policy type: allow 3. policy value: all supported services
    B. 1. organization policy: constraints/gcp.restrictNonCmekServices binding at: org1 2. policy type: deny 3. policy value: storage.googleapis.com
    C. 1. organization policy: constraints/gcp.restrictStorageNonCmekServices binding at: org1 2. policy type: deny 3. policy value: storage.googleapis.com
    D. 1. organization policy: constraints/gcp.restrictNonCmekServices binding at: org1 2. policy type: allow 3. policy value: storage.googleapis.com

  • Question 163:

    You are backing up application logs to a shared Cloud Storage bucket that is accessible to both the administrator and analysts. Analysts should not have access to logs that contain any personally identifiable information (PII). Log files containing PII should be stored in another bucket that is only accessible to the administrator. What should you do?

    A. Upload the logs to both the shared bucket and the bucket with PII that is only accessible to the administrator. Use the Cloud Data Loss Prevention API to create a job trigger. Configure the trigger to delete any files that contain PII from the shared bucket.
    B. On the shared bucket, configure Object Lifecycle Management to delete objects that contain PII.
    C. On the shared bucket, configure a Cloud Storage trigger that is only triggered when PII is uploaded. Use Cloud Functions to capture the trigger and delete the files that contain PII.
    D. Use Pub/Sub and Cloud Functions to trigger a Cloud Data Loss Prevention scan every time a file is uploaded to the administrator's bucket. If the scan does not detect PII, have the function move the objects into the shared Cloud Storage bucket.

  • Question 164:

    Which two security characteristics are related to the use of VPC peering to connect two VPC networks? (Choose two.)

    A. Central management of routes, firewalls, and VPNs for peered networks
    B. Non-transitive peered networks; where only directly peered networks can communicate
    C. Ability to peer networks that belong to different Google Cloud Platform organizations
    D. Firewall rules that can be created with a tag from one peered network to another peered network
    E. Ability to share specific subnets across peered networks

  • Question 165:

    An organization is migrating from their current on-premises productivity software systems to G Suite. Some network security controls were in place that were mandated by a regulatory body in their region for their previous on-premises system. The organization's risk team wants to ensure that network security controls are maintained and effective in G Suite. A security architect supporting this migration has been asked to ensure that network security controls are in place as part of the new shared responsibility model between the organization and Google Cloud.

    What solution would help meet the requirements?

    A. Ensure that firewall rules are in place to meet the required controls.
    B. Set up Cloud Armor to ensure that network security controls can be managed for G Suite.
    C. Network security is a built-in solution and Google Cloud's responsibility for SaaS products like G Suite.
    D. Set up an array of Virtual Private Cloud (VPC) networks to control network security as mandated by the relevant regulation.

  • Question 166:

    Your organization is migrating business critical applications to Google Cloud across multiple projects. You only have the required IAM permission at the Google Cloud organization level. You want to grant project access to support engineers from two partner organizations using their existing identity provider (IdP) credentials. What should you do?

    A. Create two single sign-on (SSO) profiles for the internal and partner IdPs by using SSO for Cloud Identity.
    B. Create users manually by using the Google Cloud console. Assign the users to groups.
    C. Create two workforce identity pools for the partner IdPs.
    D. Sync user identities from their existing IdPs to Cloud Identity by using Google Cloud Directory Sync (GCDS).

  • Question 167:

    Your organization has on-premises hosts that need to access Google Cloud APIs. You must enforce private connectivity between these hosts, minimize costs, and optimize for operational efficiency. What should you do?

    A. Route all on-premises traffic to Google Cloud through an IPsec VPN tunnel to a VPC with Private Google Access enabled.
    B. Set up VPC peering between the hosts on-premises and the VPC through the internet.
    C. Enforce a security policy that mandates all applications to encrypt data with a Cloud Key Management Service (KMS) key before you send it over the network.
    D. Route all on-premises traffic to Google Cloud through a dedicated or Partner interconnect to a VPC with Private Google Access enabled.

  • Question 168:

    Your organization is using Security Command Center Premium as a central tool to detect and alert on security threats. You also want to alert on suspicious outbound traffic that is targeting domains of known suspicious web services. What should you do?

    A. Create a DNS Server Policy in Cloud DNS and turn on logs. Attach this policy to all Virtual Private Cloud networks with internet connectivity.
    B. Forward all logs to Chronicle Security Information and Event Management. Create an alert for suspicious egress traffic to the internet.
    C. Create a Cloud Intrusion Detection endpoint. Connect this endpoint to all Virtual Private Cloud networks with internet connectivity.
    D. Create an egress firewall policy with Threat Intelligence as the destination. Attach this policy to all Virtual Private Cloud networks with internet connectivity.

  • Question 169:

    Your organization processes sensitive health information. You want to ensure that data is encrypted while in use by the virtual machines (VMs). You must create a policy that is enforced across the entire organization. What should you do?

    A. Implement an organization policy that ensures that all VM resources created across your organization use customer-managed encryption keys (CMEK) protection.
    B. Implement an organization policy that ensures all VM resources created across your organization are Confidential VM instances.
    C. Implement an organization policy that ensures that all VM resources created across your organization use Cloud External Key Manager (EKM) protection.
    D. No action is necessary because Google encrypts data while it is in use by default.

  • Question 170:

    An employer wants to track how bonus compensations have changed over time to identify employee outliers and correct earning disparities. This task must be performed without exposing the sensitive compensation data for any individual and must be reversible to identify the outlier.

    Which Cloud Data Loss Prevention API technique should you use to accomplish this?

    A. Cryptographic hashing
    B. Redaction
    C. Format-preserving encryption
    D. Generalization
