PROFESSIONAL-CLOUD-SECURITY-ENGINEER Exam Details

  • Exam Code: PROFESSIONAL-CLOUD-SECURITY-ENGINEER
  • Exam Name: Professional Cloud Security Engineer
  • Certification: Google Certifications
  • Vendor: Google
  • Total Questions: 324 Q&As
  • Last Updated: May 26, 2026

Google PROFESSIONAL-CLOUD-SECURITY-ENGINEER Online Questions & Answers

  • Question 221:

    You need to centralize your team's logs for production projects. You want your team to be able to search and analyze the logs using Logs Explorer. What should you do?

    A. Enable Cloud Monitoring workspace, and add the production projects to be monitored.
    B. Use Logs Explorer at the organization level and filter for production project logs.
    C. Create an aggregate org sink at the parent folder of the production projects, and set the destination to a Cloud Storage bucket.
    D. Create an aggregate org sink at the parent folder of the production projects, and set the destination to a logs bucket.

  • Question 222:

    Your organization is using GitHub Actions as a continuous integration and delivery (CI/CD) platform. You must enable access to Google Cloud resources from the CI/CD pipelines in the most secure way. What should you do?

    A. Create a service account key and add it to the GitHub pipeline configuration file.
    B. Create a service account key and add it to the GitHub repository content.
    C. Configure a Google Kubernetes Engine cluster that uses Workload Identity to supply credentials to GitHub.
    D. Configure workload identity federation to use GitHub as an identity pool provider.

  • Question 223:

    While migrating your organization's infrastructure to GCP, a large number of users will need to access GCP Console. The Identity Management team already has a well-established way to manage your users and wants to keep using your existing Active Directory or LDAP server along with the existing SSO password.

    What should you do?

    A. Manually synchronize the data in Google domain with your existing Active Directory or LDAP server.
    B. Use Google Cloud Directory Sync to synchronize the data in Google domain with your existing Active Directory or LDAP server.
    C. Users sign in directly to the GCP Console using the credentials from your on-premises Kerberos compliant identity provider.
    D. Users sign in using OpenID (OIDC) compatible IdP, receive an authentication token, then use that token to log in to the GCP Console.

  • Question 224:

    You are the project owner for a regulated workload that runs in a project you own and manage as an Identity and Access Management (IAM) admin. For an upcoming audit, you need to provide access reviews evidence. Which tool should you use?

    A. Policy Troubleshooter
    B. Policy Analyzer
    C. IAM Recommender
    D. Policy Simulator

  • Question 225:

    Your team needs to configure their Google Cloud Platform (GCP) environment so they can centralize the control over networking resources like firewall rules, subnets, and routes. They also have an on-premises environment where resources need access back to the GCP resources through a private VPN connection. The networking resources will need to be controlled by the network security team.

    Which type of networking design should your team use to meet these requirements?

    A. Shared VPC Network with a host project and service projects
    B. Grant Compute Admin role to the networking team for each engineering project
    C. VPC peering between all engineering projects using a hub and spoke model
    D. Cloud VPN Gateway between all engineering projects using a hub and spoke model

  • Question 226:

    You are working with protected health information (PHI) for an electronic health record system. The privacy officer is concerned that sensitive data is stored in the analytics system. You are tasked with anonymizing the sensitive data in a way that is not reversible. Also, the anonymized data should not preserve the character set and length. Which Google Cloud solution should you use?

    A. Cloud Data Loss Prevention with deterministic encryption using AES-SIV
    B. Cloud Data Loss Prevention with format-preserving encryption
    C. Cloud Data Loss Prevention with cryptographic hashing
    D. Cloud Data Loss Prevention with Cloud Key Management Service wrapped cryptographic keys

  • Question 227:

    You plan to use a Google Cloud Armor policy to prevent common attacks such as cross-site scripting (XSS) and SQL injection (SQLi) from reaching your web application's backend. What are two requirements for using Google Cloud Armor security policies? (Choose two.)

    A. The load balancer must be an external SSL proxy load balancer.
    B. Google Cloud Armor Policy rules can only match on Layer 7 (L7) attributes.
    C. The load balancer must use the Premium Network Service Tier.
    D. The backend service's load balancing scheme must be EXTERNAL.
    E. The load balancer must be an external HTTP(S) load balancer.

  • Question 228:

    Your organization is adopting Google Cloud and wants to ensure sensitive resources are only accessible from devices within the internal on-premises corporate network. You must configure Access Context Manager to enforce this requirement. These considerations apply:

    1. The internal network uses IP ranges 10.100.0.0/16 and 192.168.0.0/16.
    2. Some employees work remotely but connect securely through a company-managed virtual private network (VPN). The VPN dynamically allocates IP addresses from the pool 172.16.0.0/20.
    3. Access should be restricted to a specific Google Cloud project that is contained within an existing service perimeter.

    What should you do?

    A. Create an access level named "Authorized Devices." Utilize the Device Policy attribute to require corporate-managed devices. Apply the access level to the Google Cloud project and instruct all employees to enroll their devices in the organization's management system.
    B. Create an access level titled "Internal Network Only." Add a condition with these attributes: 1. IP Subnetworks: 10.100.0.0/16, 192.168.0.0/16 2. Device Policy: Require OS as Windows or macOS. Apply this access level to the sensitive Google Cloud project.
    C. Create an access level titled "Corporate Access." Add a condition with the IP Subnetworks attribute, including the ranges: 10.100.0.0/16, 192.168.0.0/16, 172.16.0.0/20. Assign this access level to a service perimeter encompassing the sensitive project.
    D. Create a new IAM role called "InternalAccess." Add the IP ranges 10.100.0.0/16, 192.16.0.0/16, and 172.16.0.0/20 to the role as an IAM condition. Assign this role to IAM groups corresponding to on-premises and VPN users. Grant this role the necessary permissions on the resource within this sensitive Google Cloud project.

  • Question 229:

    You want data on Compute Engine disks to be encrypted at rest with keys managed by Cloud Key Management Service (KMS). Cloud Identity and Access Management (IAM) permissions to these keys must be managed in a grouped way because the permissions should be the same for all keys.

    What should you do?

    A. Create a single KeyRing for all persistent disks and all Keys in this KeyRing. Manage the IAM permissions at the Key level.
    B. Create a single KeyRing for all persistent disks and all Keys in this KeyRing. Manage the IAM permissions at the KeyRing level.
    C. Create a KeyRing per persistent disk, with each KeyRing containing a single Key. Manage the IAM permissions at the Key level.
    D. Create a KeyRing per persistent disk, with each KeyRing containing a single Key. Manage the IAM permissions at the KeyRing level.

  • Question 230:

    A customer's internal security team must manage its own encryption keys for encrypting data on Cloud Storage and decides to use customer-supplied encryption keys (CSEK).

    How should the team complete this task?

    A. Upload the encryption key to a Cloud Storage bucket, and then upload the object to the same bucket.
    B. Use the gsutil command line tool to upload the object to Cloud Storage, and specify the location of the encryption key.
    C. Generate an encryption key in the Google Cloud Platform Console, and upload an object to Cloud Storage using the specified key.
    D. Encrypt the object, then use the gsutil command line tool or the Google Cloud Platform Console to upload the object to Cloud Storage.

Tips on How to Prepare for the Exams

Certification exams are becoming more and more important, and more and more enterprises require them of job applicants. But how do you prepare for the exam effectively? How do you prepare in a short time with less effort? How do you get an ideal result, and how do you find the most reliable resources? Here on Vcedump.com, you will find all the answers. Vcedump.com provides not only Google exam questions, answers and explanations but also complete assistance with your exam preparation and certification application. If you are confused about your PROFESSIONAL-CLOUD-SECURITY-ENGINEER exam preparation or Google certification application, do not hesitate to visit Vcedump.com to find your solutions.