Google PROFESSIONAL-CLOUD-SECURITY-ENGINEER Online Practice Questions and Exam Preparation
PROFESSIONAL-CLOUD-SECURITY-ENGINEER Exam Details
Exam Code: PROFESSIONAL-CLOUD-SECURITY-ENGINEER
Exam Name: Professional Cloud Security Engineer
Certification: Google Certifications
Vendor: Google
Total Questions: 324 Q&As
Last Updated: May 26, 2026
Google PROFESSIONAL-CLOUD-SECURITY-ENGINEER Online Questions & Answers
Question 171:
You recently joined the networking team supporting your company's Google Cloud implementation. You are tasked with familiarizing yourself with the firewall rules configuration and providing recommendations based on your networking and Google Cloud experience.
What product should you recommend to detect firewall rules that are overlapped by attributes from other firewall rules with higher or equal priority?
A. Security Command Center
B. Firewall Rules Logging
C. VPC Flow Logs
D. Firewall Insights
D. Firewall Insights
Explanation/Reference:
https://cloud.google.com/network-intelligence-center/docs/firewall-insights/concepts/overview#shadowed-firewall-rules
Firewall Insights analyzes your firewall rules to detect firewall rules that are shadowed by other rules. A shadowed rule is a firewall rule that has all of its relevant attributes, such as its IP address and port ranges, overlapped by attributes from one or more rules with higher or equal priority, called shadowing rules.
Question 172:
Your organization's record data exists in Cloud Storage. You must retain all record data for at least seven years. This policy must be permanent.
What should you do?
A. 1. Identify buckets with record data. 2. Apply a retention policy, and set it to retain for seven years. 3. Monitor the bucket by using log-based alerts to ensure that no modifications to the retention policy occur.
B. 1. Identify buckets with record data. 2. Apply a retention policy, and set it to retain for seven years. 3. Remove any Identity and Access Management (IAM) roles that contain the storage.buckets.update permission.
C. 1. Identify buckets with record data. 2. Enable the bucket policy only to ensure that data is retained. 3. Enable bucket lock.
D. 1. Identify buckets with record data. 2. Apply a retention policy and set it to retain for seven years. 3. Enable bucket lock.
D. 1. Identify buckets with record data. 2. Apply a retention policy and set it to retain for seven years. 3. Enable bucket lock.
Question 173:
In an effort for your company's messaging app to comply with FIPS 140-2, a decision was made to use GCP compute and network services. The messaging app architecture includes a Managed Instance Group (MIG) that controls a cluster of Compute Engine instances. The instances use Local SSDs for data caching and UDP for instance-to-instance communications. The app development team is willing to make any changes necessary to comply with the standard.
Which option should you recommend to meet the requirements?
A. Encrypt all cache storage and VM-to-VM communication using the BoringCrypto module.
B. Set Disk Encryption on the Instance Template used by the MIG to customer-managed key and use BoringSSL for all data transit between instances.
C. Change the app instance-to-instance communications from UDP to TCP and enable BoringSSL on clients' TLS connections.
D. Set Disk Encryption on the Instance Template used by the MIG to Google-managed Key and use BoringSSL library on all instance-to-instance communications.
A. Encrypt all cache storage and VM-to-VM communication using the BoringCrypto module.
Explanation/Reference:
https://cloud.google.com/security/compliance/fips-140-2-validated
Google Cloud Platform uses a FIPS 140-2 validated encryption module called BoringCrypto (certificate 3318) in our production environment. This means that both data in transit to the customer and between data centers, and data at rest are encrypted using FIPS 140-2 validated encryption. The module that achieved FIPS 140-2 validation is part of our BoringSSL library.
Question 174:
An administrative application is running on a virtual machine (VM) in a managed group on port 5601 inside a Virtual Private Cloud (VPC) that currently has no access to the internet. You want to expose the web interface on port 5601 to users and enforce authentication and authorization with Google credentials.
What should you do?
A. Configure the bastion host with OS Login enabled and allow connection to port 5601 at VPC firewall. Log in to the bastion host from the Google Cloud console by using SSH-in-browser and then to the web application.
B. Modify the VPC routing with the default route pointing to the default internet gateway. Modify the VPC Firewall rule to allow access from the internet 0.0.0.0/0 to port 5601 on the application instance.
C. Configure a Secure Shell Access (SSH) bastion host in a public network, and allow only the bastion host to connect to the application on port 5601. Use the bastion host as a jump host to connect to the application.
D. Configure an HTTP Load Balancing instance that points to the managed group with Identity-Aware Proxy (IAP) protection with Google credentials. Modify the VPC firewall to allow access from the IAP network range.
D. Configure an HTTP Load Balancing instance that points to the managed group with Identity-Aware Proxy (IAP) protection with Google credentials. Modify the VPC firewall to allow access from IAP network range.
Explanation/Reference:
This approach allows you to expose the web interface securely by using Identity-Aware Proxy (IAP), which provides authentication and authorization with Google credentials. The HTTP Load Balancer can distribute traffic to the VMs in the managed group, and the VPC firewall rule ensures that access is allowed from the IAP network range.
Question 175:
During a routine security review, your team discovered a suspicious login attempt to impersonate a highly privileged but regularly used service account by an unknown IP address. You need to effectively investigate in order to respond to this potential security incident. What should you do?
A. Enable Cloud Audit Logs for the resources that the service account interacts with. Review the logs for further evidence of unauthorized activity.
B. Review Cloud Audit Logs for activity related to the service account. Focus on the time period of the suspicious login attempt.
C. Run a vulnerability scan to identify potentially exploitable weaknesses in systems that use the service account.
D. Check Event Threat Detection in Security Command Center for any related alerts. Cross-reference your findings with Cloud Audit Logs.
D. Check Event Threat Detection in Security Command Center for any related alerts. Cross-reference your findings with Cloud Audit Logs.
Explanation/Reference:
Security Command Center (SCC) is Google Cloud's security and risk management platform. Event Threat Detection within SCC is specifically designed to detect suspicious activity, such as unauthorized logins, and generates alerts based on predefined threat patterns. This tool would help you quickly identify if the suspicious login attempt is part of a known threat pattern.
After checking for alerts in Event Threat Detection, cross-referencing with Cloud Audit Logs will give you detailed insights into the actions performed by the service account, allowing you to investigate the extent of any potential breach.
Question 176:
You are creating an internal App Engine application that needs to access a user's Google Drive on the user's behalf. Your company does not want to rely on the current user's credentials. It also wants to follow Google-recommended practices.
What should you do?
A. Create a new Service account, and give all application users the role of Service Account User.
B. Create a new Service account, and add all application users to a Google Group. Give this group the role of Service Account User.
C. Use a dedicated G Suite Admin account, and authenticate the application's operations with these G Suite credentials.
D. Create a new service account, and grant it G Suite domain-wide delegation. Have the application use it to impersonate the user.
D. Create a new service account, and grant it G Suite domain-wide delegation. Have the application use it to impersonate the user.
Question 177:
Your security team wants to implement a defense-in-depth approach to protect sensitive data stored in a Cloud Storage bucket. Your team has the following requirements:
1. The Cloud Storage bucket in Project A can only be readable from Project B.
2. The Cloud Storage bucket in Project A cannot be accessed from outside the network.
3. Data in the Cloud Storage bucket cannot be copied to an external Cloud Storage bucket.
What should the security team do?
A. Enable domain restricted sharing in an organization policy, and enable uniform bucket-level access on the Cloud Storage bucket.
B. Enable VPC Service Controls, create a perimeter around Projects A and B, and include the Cloud Storage API in the Service Perimeter configuration.
C. Enable Private Access in both Project A and B's networks with strict firewall rules that allow communication between the networks.
D. Enable VPC Peering between Project A and B's networks with strict firewall rules that allow communication between the networks.
B. Enable VPC Service Controls, create a perimeter around Projects A and B, and include the Cloud Storage API in the Service Perimeter configuration.
Explanation/Reference:
VPC Peering is between organizations, not between projects in an organization; that is Shared VPC. In this case, both projects are in the same organization, so having VPC Service Controls around both projects with the necessary rules should be fine. https://cloud.google.com/vpc-service-controls/docs/overview
Question 178:
Your multinational organization is undergoing rapid expansion within Google Cloud. New teams and projects are added frequently. You are concerned about the potential for inconsistent security policy application and permission sprawl across the organization. You must enforce consistent standards while maintaining the autonomy of regional teams. You need to design a strategy to effectively manage IAM and organization policies at scale, ensuring security and administrative efficiency. What should you do?
A. Create detailed organization-wide policies for common scenarios. Instruct teams to apply the policies carefully at the project and resource level as needed.
B. Delegate the creation of organization policies to regional teams. Centrally review these policies for compliance before deployment.
C. Define a small set of essential organization policies. Supplement these policies with a library of optional policy templates for teams to leverage as needed.
D. Use a hierarchical structure of folders. Implement template-based organization policies that cascade down, allowing limited customization by regional teams.
D. Use a hierarchical structure of folders. Implement template-based organization policies that cascade down, allowing limited customization by regional teams.
Question 179:
You run a web application on top of Cloud Run that is exposed to the internet with an Application Load Balancer. You want to ensure that only privileged users from your organization can access the application. The proposed solution must support browser access with single sign-on. What should you do?
A. Change Cloud Run configuration to require authentication. Assign the role of Cloud Run Invoker to the group of privileged users.
B. Create a group of privileged users in Cloud Identity. Assign the role of Cloud Run User to the group directly on the Cloud Run service.
C. Change the Ingress Control configuration of Cloud Run to internal and create firewall rules to allow only access from known IP addresses.
D. Activate Identity-Aware Proxy (IAP) on the Application Load Balancer backend. Assign the role of IAP-secured Web App User to the group of privileged users.
D. Activate Identity-Aware Proxy (IAP) on the Application Load Balancer backend. Assign the role of IAP-secured Web App User to the group of privileged users.
Explanation/Reference:
IAP for Authentication and Authorization: IAP provides a centralized way to control access to your Cloud Run service, ensuring that only authenticated users can reach it. It integrates seamlessly with Cloud Identity for user management and supports single sign-on (SSO) for a smooth user experience.
Role-Based Access Control: By assigning the IAP-secured Web App User role to the group of privileged users, you can precisely control who has access to the application.
Question 180:
You have numerous private virtual machines on Google Cloud. You occasionally need to manage the servers through Secure Socket Shell (SSH) from a remote location. You want to configure remote access to the servers in a manner that optimizes security and cost efficiency.
What should you do?
A. Create a site-to-site VPN from your corporate network to Google Cloud.
B. Configure server instances with public IP addresses. Create a firewall rule to only allow traffic from your corporate IPs.
C. Create a firewall rule to allow access from the Identity-Aware Proxy (IAP) IP range. Grant the role of IAP-secured Tunnel User to the administrators.
D. Create a jump host instance with a public IP. Manage the instances by connecting through the jump host.
C. Create a firewall rule to allow access from the Identity-Aware Proxy (IAP) IP range. Grant the role of IAP-secured Tunnel User to the administrators.