PROFESSIONAL-CLOUD-SECURITY-ENGINEER Exam Details

  • Exam Code
    :PROFESSIONAL-CLOUD-SECURITY-ENGINEER
  • Exam Name
    :Professional Cloud Security Engineer
  • Certification
    :Google Certifications
  • Vendor
    :Google
  • Total Questions
    :324 Q&As
  • Last Updated
    :Jul 15, 2026

Google PROFESSIONAL-CLOUD-SECURITY-ENGINEER Online Questions & Answers

  • Question 11:

    Your organization is migrating a sensitive data processing workflow from on-premises infrastructure to Google Cloud. This workflow involves the collection, storage, and analysis of customer information that includes personally identifiable information (PII). You need to design security measures to mitigate the risk of data exfiltration in this new cloud environment. What should you do?

    A. Encrypt all sensitive data in transit and at rest. Establish secure communication channels by using TLS and HTTPS protocols.
    B. Implement a Cloud DLP solution to scan and identify sensitive information, and apply redaction or masking techniques to the PII. Integrate VPC SC with your network security controls to block potential data exfiltration attempts.
    C. Restrict all outbound network traffic from cloud resources. Implement rigorous access controls and logging for all sensitive data and the systems that process the data.
    D. Rely on employee expertise to prevent accidental data exfiltration incidents.

  • Question 12:

    Your company operates an application instance group that is currently deployed behind a Google Cloud load balancer in us-central-1 and is configured to use the Standard Tier network. The infrastructure team wants to expand to a second Google Cloud region, us-east-2. You need to set up a single external IP address to distribute new requests to the instance groups in both regions.

    What should you do?

    A. Change the load balancer backend configuration to use network endpoint groups instead of instance groups.
    B. Change the load balancer frontend configuration to use the Premium Tier network, and add the new instance group.
    C. Create a new load balancer in us-east-2 using the Standard Tier network, and assign a static external IP address.
    D. Create a Cloud VPN connection between the two regions, and enable Google Private Access.

  • Question 13:

    Your company's cloud security policy dictates that VM instances should not have an external IP address. You need to identify the Google Cloud service that will allow VM instances without external IP addresses to connect to the internet to update the VMs.

    Which service should you use?

    A. Identity Aware-Proxy
    B. Cloud NAT
    C. TCP/UDP Load Balancing
    D. Cloud DNS

  • Question 14:

    Your organization must comply with the regulation to keep instance logging data within Europe. Your workloads will be hosted in the Netherlands in region europe-west4 in a new project. You must configure Cloud Logging to keep your data in the country.

    What should you do?

    A. Configure the organization policy constraint gcp.resourceLocations to europe-west4.
    B. Set the logging storage region to eurcpe-west4 by using the gcloud CLI logging settings update.
    C. Create a new tog bucket in europe-west4. and redirect the _Def auit bucKet to the new bucket.
    D. Configure log sink to export all logs into a Cloud Storage bucket in europe-west4.

  • Question 15:

    For data residency requirements, you want your secrets in Google Clouds Secret Manager to only have payloads in europe-west1 and europe-west4. Your secrets must be highly available in both regions.

    What should you do?

    A. Create your secret with a user managed replication policy, and choose only compliant locations.
    B. Create your secret with an automatic replication policy, and choose only compliant locations.
    C. Create two secrets by using Terraform, one in europe-west1 and the other in europe-west4.
    D. Create your secret with an automatic replication policy, and create an organizational policy to deny secret creation in non-compliant locations.

  • Question 16:

    You want to evaluate GCP for PCI compliance. You need to identify Google's inherent controls.

    Which document should you review to find the information?

    A. Google Cloud Platform: Customer Responsibility Matrix
    B. PCI DSS Requirements and Security Assessment Procedures
    C. PCI SSC Cloud Computing Guidelines
    D. Product documentation for Compute Engine

  • Question 17:

    An organization receives an increasing number of phishing emails. Which method should be used to protect employee credentials in this situation?

    A. Multifactor Authentication
    B. A strict password policy
    C. Captcha on login pages
    D. Encrypted emails

  • Question 18:

    You are running applications outside Google Cloud that need access to Google Cloud resources. You are using workload identity federation to grant external identities Identity and Access Management (IAM) roles to eliminate the maintenance and security burden associated with service account keys. You must protect against attempts to spoof another user's identity and gain unauthorized access to Google Cloud resources.

    What should you do? (Choose two.)

    A. Enable data access logs for IAM APIs.
    B. Limit the number of external identities that can impersonate a service account.
    C. Use a dedicated project to manage workload identity pools and providers.
    D. Use immutable attributes in attribute mappings.
    E. Limit the resources that a service account can access.

  • Question 19:

    You work for a large organization that is using Cloud Identity as the identity provider (IdP) on Google Cloud. Your InfoSec team has mandated the enforcement of a strong password with a length between 12 and 16 characters for all users. After configuring this requirement, users are still able to access the Google Cloud console with passwords that are less than 12 characters. You need to fix this problem within the Admin console. What should you do?

    A. Review each user's password configuration and reset existing passwords.
    B. Review the organization password management setting and select Enforce password policy at the next sign-in.
    C. Review each user's password configuration and select Enforce strong password.
    D. Review the organization password management setting and select Enforce strong password.

  • Question 20:

    Your Security team believes that a former employee of your company gained unauthorized access to Google Cloud resources some time in the past 2 months by using a service account key. You need to confirm the unauthorized access and

    determine the user activity.

    What should you do?

    A. Use Security Health Analytics to determine user activity.
    B. Use the Cloud Monitoring console to filter audit logs by user.
    C. Use the Cloud Data Loss Prevention API to query logs in Cloud Storage.
    D. Use the Logs Explorer to search for user activity.

Tips on How to Prepare for the Exams

Nowadays, the certification exams become more and more important and required by more and more enterprises when applying for a job. But how to prepare for the exam effectively? How to prepare for the exam in a short time with less efforts? How to get a ideal result and how to find the most reliable resources? Here on Vcedump.com, you will find all the answers. Vcedump.com provide not only Google exam questions, answers and explanations but also complete assistance on your exam preparation and certification application. If you are confused on your PROFESSIONAL-CLOUD-SECURITY-ENGINEER exam preparations and Google certification application, do not hesitate to visit our Vcedump.com to find your solutions here.