Google PROFESSIONAL-CLOUD-SECURITY-ENGINEER Online Practice
Questions and Exam Preparation
PROFESSIONAL-CLOUD-SECURITY-ENGINEER Exam Details
Exam Code
:PROFESSIONAL-CLOUD-SECURITY-ENGINEER
Exam Name
:Professional Cloud Security Engineer
Certification
:Google Certifications
Vendor
:Google
Total Questions
:324 Q&As
Last Updated
:May 26, 2026
Google PROFESSIONAL-CLOUD-SECURITY-ENGINEER Online Questions &
Answers
Question 231:
You are responsible for protecting highly sensitive data in BigQuery. Your operations teams need access to this data, but given privacy regulations, you want to ensure that they cannot read the sensitive fields such as email addresses and first names. These specific sensitive fields should only be available on a need-to-know basis to the HR team. What should you do?
A. Perform data masking with the DLP API and store that data in BigQuery for later use. B. Perform data redaction with the DLP API and store that data in BigQuery for later use. C. Perform data inspection with the DLP API and store that data in BigQuery for later use. D. Perform tokenization for Pseudonymization with the DLP API and store that data in BigQuery for later use.
D. Perform tokenization for Pseudonymization with the DLP API and store that data in BigQuery for later use.
Explanation/Reference:
Pseudonymization is a de-identification technique that replaces sensitive data values with cryptographically generated tokens. Pseudonymization is widely used in industries like finance and healthcare to help reduce the risk of data in use,
narrow compliance scope, and minimize the exposure of sensitive data to systems while preserving data utility and accuracy.
Your organization hosts a financial services application running on Compute Engine instances for a third- party company. The third-party company's servers that will consume the application also run on Compute Engine in a separate Google Cloud organization. You need to configure a secure network connection between the Compute Engine instances.
You have the following requirements:
1.
The network connection must be encrypted.
2.
The communication between servers must be over private IP addresses. What should you do?
A. Configure a Cloud VPN connection between your organization's VPC network and the third party's that is controlled by VPC firewall rules. B. Configure a VPC peering connection between your organization's VPC network and the third party's that is controlled by VPC firewall rules. C. Configure a VPC Service Controls perimeter around your Compute Engine instances, and provide access to the third party via an access level. D. Configure an Apigee proxy that exposes your Compute Engine-hosted application as an API, and is encrypted with TLS which allows access only to the third party.
B. Configure a VPC peering connection between your organization's VPC network and the third party's that is controlled by VPC firewall rules.
Explanation/Reference:
Google encrypts and authenticates data in transit at one or more network layers when data moves outside physical boundaries not controlled by Google or on behalf of Google. All VM-to-VM traffic within a VPC network and peered VPC networks is encrypted. https://cloud.google.com/docs/security/encryption-in- transit#cio-level_summary
Question 233:
Your organization must store highly sensitive data within Google Cloud. You need to design a solution that provides the strongest level of security and control. What should you do?
A. Use Cloud Storage with customer-supplied encryption keys (CSEK), VPC Service Controls for network isolation, and Cloud DLP for data inspection. B. Use Cloud Storage with customer-managed encryption keys (CMEK), Cloud DLP for data classification, and Secret Manager for storing API access tokens. C. Use Cloud Storage with client-side encryption, Cloud KMS for key management, and Cloud HSM for cryptographic operations. D. Use Cloud Storage with server-side encryption, BigQuery with column-level encryption, and IAM roles for access control.
C. Use Cloud Storage with client-side encryption, Cloud KMS for key management, and Cloud HSM for cryptographic operations.
Explanation/Reference:
When dealing with highly sensitive data, client-side encryption provides the strongest level of security because the data is encrypted before it is sent to Google Cloud, ensuring that Google cannot access the plaintext data. The use of Cloud KMS (Key Management Service) for managing encryption keys ensures that you maintain control over key management, and Cloud HSM (Hardware Security Module) adds an additional layer of protection by performing cryptographic operations in dedicated, tamper-evident hardware.
This solution ensures:
1.
Client-side encryption: Data is encrypted before reaching Google Cloud, so Google never has access to the unencrypted data.
2.
Cloud KMS: You manage the keys that encrypt and decrypt data, giving you control over key lifecycle and policies.
3.
Cloud HSM: For highly secure key storage and cryptographic operations, providing hardware-level security for cryptographic keys.
Question 234:
Your organization's Google Cloud VMs are deployed via an instance template that configures them with a public IP address in order to host web services for external users. The VMs reside in a service project that is attached to a host (VPC) project containing one custom Shared VPC for the VMs. You have been asked to reduce the exposure of the VMs to the internet while continuing to service external users. You have already recreated the instance template without a public IP address configuration to launch the managed instance group (MIG). What should you do?
A. Deploy a Cloud NAT Gateway in the service project for the MIG. B. Deploy a Cloud NAT Gateway in the host (VPC) project for the MIG. C. Deploy an external HTTP(S) load balancer in the service project with the MIG as a backend. D. Deploy an external HTTP(S) load balancer in the host (VPC) project with the MIG as a backend.
C. Deploy an external HTTP(S) load balancer in the service project with the MIG as a backend.
Question 235:
Your company wants to determine what products they can build to help customers improve their credit scores depending on their age range. To achieve this, you need to join user information in the company's banking app with customers' credit score data received from a third party. While using this raw data will allow you to complete this task, it exposes sensitive data, which could be propagated into new systems.
This risk needs to be addressed using de-identification and tokenization with Cloud Data Loss Prevention while maintaining the referential integrity across the database. Which cryptographic token format should you use to meet these requirements?
A. Deterministic encryption B. Secure, key-based hashes C. Format-preserving encryption D. Cryptographic hashing
A. Deterministic encryption
Explanation/Reference:
"This encryption method is reversible, which helps to maintain referential integrity across your database and has no character-set limitations."
FPE provides fewer security guarantees compared to other deterministic encryption methods such as AES-SIV. For these reasons, Google strongly recommends using deterministic encryption with AES-SIV instead of FPE for all security sensitive use cases. Other methods like deterministic encryption using AES- SIV provide these stronger security guarantees and are recommended for tokenization use cases unless length and character set preservation are strict requirements--for example, for backward compatibility with a legacy data system.
Question 236:
Your organization operates Virtual Machines (VMs) with only private IPs in the Virtual Private Cloud (VPC) with internet access through Cloud NAT. Everyday, you must patch all VMs with critical OS updates and provide summary reports.
What should you do?
A. Validate that the egress firewall rules allow any outgoing traffic. Log in to each VM and execute OS specific update commands. Configure the Cloud Scheduler job to update with critical patches daily for daily updates. B. Copy the latest patches to the Cloud Storage bucket. Log in to each VM, download the patches from the bucket, and install them. C. Assign public IPs to VMs. Validate that the egress firewall rules allow any outgoing traffic. Log in to each VM, and configure a daily cron job to enable for OS updates at night during low activity periods. D. Ensure that VM Manager is installed and running on the VMs. In the OS patch management service, configure the patch jobs to update with critical patches dally.
D. Ensure that VM Manager is installed and running on the VMs. In the OS patch management service, configure the patch jobs to update with critical patches dally.
Explanation/Reference:
VM manager is a suite of tools used to automate managing of the fleet of VMs (including OS patching)
https://cloud.google.com/compute/docs/vm-manager
Question 237:
An organization's security and risk management teams are concerned about where their responsibility lies for certain production workloads they are running in Google Cloud Platform (GCP), and where Google's responsibility lies. They are mostly running workloads using Google Cloud's Platform-as-a-Service (PaaS) offerings, including App Engine primarily.
Which one of these areas in the technology stack would they need to focus on as their primary responsibility when using App Engine?
A. Configuring and monitoring VPC Flow Logs B. Defending against XSS and SQLi attacks C. Manage the latest updates and security patches for the Guest OS D. Encrypting all stored data
B. Defending against XSS and SQLi attacks
Explanation/Reference:
in PaaS the customer is responsible for web app security, deployment, usage, access policy, and content. https://cloud.google.com/architecture/framework/security/shared-responsibility-shared-fate
Question 238:
A company is backing up application logs to a Cloud Storage bucket shared with both analysts and the administrator. Analysts should only have access to logs that do not contain any personally identifiable information (PII). Log files containing PII should be stored in another bucket that is only accessible by the administrator.
What should you do?
A. Use Cloud Pub/Sub and Cloud Functions to trigger a Data Loss Prevention scan every time a file is uploaded to the shared bucket. If the scan detects PII, have the function move into a Cloud Storage bucket only accessible by the administrator. B. Upload the logs to both the shared bucket and the bucket only accessible by the administrator. Create a job trigger using the Cloud Data Loss Prevention API. Configure the trigger to delete any files from the shared bucket that contain PII. C. On the bucket shared with both the analysts and the administrator, configure Object Lifecycle Management to delete objects that contain any PII. D. On the bucket shared with both the analysts and the administrator, configure a Cloud Storage Trigger that is only triggered when PII data is uploaded. Use Cloud Functions to capture the trigger and delete such files.
A. Use Cloud Pub/Sub and Cloud Functions to trigger a Data Loss Prevention scan every time a file is uploaded to the shared bucket. If the scan detects PII, have the function move into a Cloud Storage bucket only accessible by the administrator.
Your company requires the security and network engineering teams to identify all network anomalies within and across VPCs, internal traffic from VMs to VMs, traffic between end locations on the internet and VMs, and traffic between VMs to Google Cloud services in production. Which method should you use?
A. Define an organization policy constraint. B. Configure packet mirroring policies. C. Enable VPC Flow Logs on the subnet. D. Monitor and analyze Cloud Audit Logs.
B. Configure packet mirroring policies.
Explanation/Reference:
https://cloud.google.com/vpc/docs/packet-mirroring#enterprise_security Security and network engineering teams must ensure that they are catching all anomalies and threats that might indicate security breaches and intrusions. They mirror all traffic so that they can complete a comprehensive inspection of suspicious flows.
Question 240:
You are responsible for managing your company's identities in Google Cloud. Your company enforces 2- Step Verification (2SV) for all users. You need to reset a user's access, but the user lost their second factor for 2SV. You want to minimize risk. What should you do?
A. On the Google Admin console, select the appropriate user account, and generate a backup code to allow the user to sign in. Ask the user to update their second factor. B. On the Google Admin console, temporarily disable the 2SV requirements for all users. Ask the user to log in and add their new second factor to their account. Re-enable the 2SV requirement for all users. C. On the Google Admin console, select the appropriate user account, and temporarily disable 2SV for this account Ask the user to update their second factor, and then re-enable 2SV for this account. D. On the Google Admin console, use a super administrator account to reset the user account's credentials. Ask the user to update their credentials after their first login.
A. On the Google Admin console, select the appropriate user account, and generate a backup code to allow the user to sign in. Ask the user to update their second factor.
Explanation/Reference:
https://support.google.com/a/answer/9176734
Use backup codes for account recovery If you need to recover an account, use backup codes. Accounts are still protected by 2-Step Verification, and backup codes are easy to generate.
Nowadays, the certification exams become more and more important and required by more and more
enterprises when applying for a job. But how to prepare for the exam effectively? How to prepare
for the exam in a short time with less efforts? How to get a ideal result and how to find the
most reliable resources? Here on Vcedump.com, you will find all the answers.
Vcedump.com provide not only Google exam questions,
answers and explanations but also complete assistance on your exam preparation and certification
application. If you are confused on your PROFESSIONAL-CLOUD-SECURITY-ENGINEER exam preparations
and Google certification application, do not hesitate to visit our
Vcedump.com to find your solutions here.