Google PROFESSIONAL-CLOUD-SECURITY-ENGINEER Online Practice
Questions and Exam Preparation
PROFESSIONAL-CLOUD-SECURITY-ENGINEER Exam Details
Exam Code: PROFESSIONAL-CLOUD-SECURITY-ENGINEER
Exam Name: Professional Cloud Security Engineer
Certification: Google Certifications
Vendor: Google
Total Questions: 324 Q&As
Last Updated: May 26, 2026
Google PROFESSIONAL-CLOUD-SECURITY-ENGINEER Online Questions & Answers
Question 191:
You are implementing data protection by design and in accordance with GDPR requirements. As part of design reviews, you are told that you need to manage the encryption key for a solution that includes workloads for Compute Engine, Google Kubernetes Engine, Cloud Storage, BigQuery, and Pub/Sub.
Which option should you choose for this implementation?
A. Cloud External Key Manager
B. Customer-managed encryption keys
C. Customer-supplied encryption keys
D. Google default encryption
B. Customer-managed encryption keys
Explanation/Reference:
With customer-managed encryption keys (CMEK), you have control over the encryption keys used to protect your data in Google Cloud Platform services such as Compute Engine, Google Kubernetes Engine, Cloud Storage, BigQuery, and Pub/Sub. This ensures that you can manage and control the keys in a way that aligns with GDPR requirements and provides an additional layer of security for your data.
Question 192:
Your organization relies heavily on virtual machines (VMs) in Compute Engine. Due to team growth and resource demands, VM sprawl is becoming problematic. Maintaining consistent security hardening and timely package updates poses an increasing challenge. You need to centralize VM image management and automate the enforcement of security baselines throughout the virtual machine lifecycle. What should you do?
A. Use VM Manager to automatically distribute and apply patches to VMs across your projects. Integrate VM Manager with hardened, organization-standard VM images stored in a central repository.
B. Configure the sole-tenancy feature in Compute Engine for all projects. Set up custom organization policies in Policy Controller to restrict the operating systems and image sources that teams are allowed to use.
C. Create a Cloud Build trigger to build a pipeline that generates hardened VM images. Run vulnerability scans in the pipeline, and store images with passing scans in a registry. Use instance templates pointing to this registry.
D. Activate Security Command Center Enterprise. Use VM discovery and posture management features to monitor hardening state and trigger automatic responses upon detection of issues.
A. Use VM Manager to automatically distribute and apply patches to VMs across your projects. Integrate VM Manager with hardened, organization-standard VM images stored in a central repository.
Question 193:
Your Google Cloud organization allows administrative capabilities to be distributed to each team through provision of a Google Cloud project with the Owner role (roles/owner). The organization contains thousands of Google Cloud projects. Security Command Center Premium has surfaced multiple open_mysql_port findings. You are enforcing the guardrails and need to prevent these types of common misconfigurations.
What should you do?
A. Create a firewall rule for each virtual private cloud (VPC) to deny traffic from 0.0.0.0/0 with priority 0.
B. Create a hierarchical firewall policy configured at the organization to deny all connections from 0.0.0.0/0.
C. Create a Google Cloud Armor security policy to deny traffic from 0.0.0.0/0.
D. Create a hierarchical firewall policy configured at the organization to allow connections only from internal IP ranges.
B. Create a hierarchical firewall policy configured at the organization to deny all connections from 0.0.0.0/0.
Question 194:
You are troubleshooting access denied errors between Compute Engine instances connected to a Shared VPC and BigQuery datasets. The datasets reside in a project protected by a VPC Service Controls perimeter. What should you do?
A. Add the host project containing the Shared VPC to the service perimeter.
B. Add the service project where the Compute Engine instances reside to the service perimeter.
C. Create a service perimeter between the service project where the Compute Engine instances reside and the host project that contains the Shared VPC.
D. Create a perimeter bridge between the service project where the Compute Engine instances reside and the perimeter that contains the protected BigQuery datasets.
A. Add the host project containing the Shared VPC to the service perimeter.
roles/logging.privateLogViewer (Private Logs Viewer) includes all the permissions contained by roles/logging.viewer, plus the ability to read Data Access audit logs in the _Default bucket.
Question 196:
Your organization operates in a highly regulated environment and has a stringent set of compliance requirements for protecting customer data. You must encrypt data while in use to meet regulations. What should you do?
A. Enable the use of customer-supplied encryption keys (CSEK) in the Google Compute Engine VMs to give your organization maximum control over their VM disk encryption.
B. Establish a trusted execution environment with a Confidential VM.
C. Use a Shielded VM to ensure a secure boot with integrity monitoring for the application environment.
D. Use customer-managed encryption keys (CMEK) and Cloud KMS to enable your organization to control their keys for data encryption in Cloud SQL.
B. Establish a trusted execution environment with a Confidential VM.
Explanation/Reference:
In a highly regulated environment with stringent compliance requirements for protecting customer data, encryption of data while in use (i.e., during processing) is a critical aspect of security. Google Cloud's Confidential VMs provide a trusted execution environment by keeping memory encrypted while data is being processed, which ensures that even Google Cloud and other external entities cannot access the data during its use. This level of protection is crucial in meeting strict compliance regulations related to data privacy and security.
Confidential VMs use hardware-based memory encryption to protect the confidentiality and integrity of data being processed, making them the best solution for scenarios where data must remain encrypted even while in use. CSEK and CMEK (options A and D) only cover data at rest, and Shielded VM (option C) protects boot integrity rather than data in use.
Question 197:
You are the security admin of your company. You have 3,000 objects in your Cloud Storage bucket. You do not want to manage access to each object individually. You also do not want the uploader of an object to always have full control of the object. However, you want to use Cloud Audit Logs to manage access to your bucket.
What should you do?
A. Set up an ACL with OWNER permission to a scope of allUsers.
B. Set up an ACL with READER permission to a scope of allUsers.
C. Set up a default bucket ACL and manage access for users using IAM.
D. Set up Uniform bucket-level access on the Cloud Storage bucket and manage access for users using IAM.
D. Set up Uniform bucket-level access on the Cloud Storage bucket and manage access for users using IAM.
Question 198:
You are creating a new infrastructure CI/CD pipeline to deploy hundreds of ephemeral projects in your Google Cloud organization to enable your users to interact with Google Cloud. You want to restrict the use of the default networks in your organization while following Google-recommended best practices. What should you do?
A. Enable the constraints/compute.skipDefaultNetworkCreation organization policy constraint at the organization level.
B. Create a cron job to trigger a daily Cloud Function to automatically delete all default networks for each project.
C. Grant your users the IAM Owner role at the organization level. Create a VPC Service Controls perimeter around the project that restricts the compute.googleapis.com API.
D. Only allow your users to use your CI/CD pipeline with a predefined set of infrastructure templates they can deploy to skip the creation of the default networks.
A. Enable the constraints/compute.skipDefaultNetworkCreation organization policy constraint at the organization level.
Explanation/Reference:
Enable the constraints/compute.skipDefaultNetworkCreation organization policy constraint at the organization level. See https://cloud.google.com/resource-manager/docs/organization-policy/org-policy-constraints-constraints/compute.skipDefaultNetworkCreation
This boolean constraint skips the creation of the default network and related resources (default subnets and the permissive default firewall rules) during Google Cloud Platform Project resource creation wherever the constraint is set to True. By default, a default network and supporting resources are automatically created when a Project resource is created; enforcing the constraint at the organization level applies it to every new project, so the pipeline does not need to clean up after the fact.
Question 199:
You need to set up a Cloud Interconnect connection between your company's on-premises data center and VPC host network. You want to make sure that on-premises applications can only access Google APIs over the Cloud Interconnect and not through the public internet. You are required to only use APIs that are supported by VPC Service Controls to mitigate against exfiltration risk to non-supported APIs. How should you configure the network?
A. Enable Private Google Access on the regional subnets and global dynamic routing mode.
B. Set up a Private Service Connect endpoint IP address with the API bundle of "all-apis", which is advertised as a route over the Cloud Interconnect connection.
C. Use private.googleapis.com to access Google APIs using a set of IP addresses only routable from within Google Cloud, which are advertised as routes over the connection.
D. Use restricted.googleapis.com to access Google APIs using a set of IP addresses only routable from within Google Cloud, which are advertised as routes over the Cloud Interconnect connection.
D. Use restricted.googleapis.com to access Google APIs using a set of IP addresses only routable from within Google Cloud, which are advertised as routes over the Cloud Interconnect connection.
Question 200:
Your company is storing sensitive data in Cloud Storage. You want a key generated on-premises to be used in the encryption process. What should you do?
A. Use the Cloud Key Management Service to manage a data encryption key (DEK).
B. Use the Cloud Key Management Service to manage a key encryption key (KEK).
C. Use customer-supplied encryption keys to manage the data encryption key (DEK).
D. Use customer-supplied encryption keys to manage the key encryption key (KEK).
C. Use customer-supplied encryption keys to manage the data encryption key (DEK).
Explanation/Reference:
This is a customer-supplied encryption key (CSEK) scenario: we generate our own encryption key on-premises and supply it with each request, and Cloud Storage uses it as the data encryption key (DEK). With Cloud KMS, by contrast, the key encryption key (KEK) never leaves Cloud KMS; there is no KEK or KMS on-premises. See "Encryption at rest by default, with various key management options": https://cloud.google.com/security/encryption-at-rest