Google PROFESSIONAL-CLOUD-SECURITY-ENGINEER Online Practice
Questions and Exam Preparation
PROFESSIONAL-CLOUD-SECURITY-ENGINEER Exam Details
Exam Code
:PROFESSIONAL-CLOUD-SECURITY-ENGINEER
Exam Name
:Professional Cloud Security Engineer
Certification
:Google Certifications
Vendor
:Google
Total Questions
:324 Q&As
Last Updated
:Jul 15, 2026
Google PROFESSIONAL-CLOUD-SECURITY-ENGINEER Online Questions &
Answers
Question 251:
There is a threat actor that is targeting organizations like yours. Attacks are always initiated from a known IP address range. You want to deny-list those IPs for your website, which is exposed to the internet through an Application Load Balancer. What should you do?
A. Create a Cloud Armor policy with a deny-rule for the known IP address range. Attach the policy to the backend of the Application Load Balancer. B. Activate Identity-Aware Proxy for the backend of the Application Load Balancer. Create a firewall rule that only allows traffic from the proxy to the application. C. Create a log sink with a filter containing the known IP address range. Trigger an alert that detects when the Application Load Balancer is accessed from those IPs. D. Create a Cloud Firewall policy with a deny-rule for the known IP address range. Associate the firewall policy to the Virtual Private Cloud with the application backend.
A. Create a Cloud Armor policy with a deny-rule for the known IP address range. Attach the policy to the backend of the Application Load Balancer.
Question 252:
You want to use the gcloud command-line tool to authenticate using a third-party single sign-on (SSO) SAML identity provider. Which options are necessary to ensure that authentication is supported by the third-party identity provider (IdP)? (Choose two.)
A. SSO SAML as a third-party IdP B. Identity Platform C. OpenID Connect D. Identity-Aware Proxy E. Cloud Identity
A. SSO SAML as a third-party IdP C. OpenID Connect
Explanation/Reference:
To provide users with SSO-based access to selected cloud apps, Cloud Identity as your IdP supports the OpenID Connect (OIDC) and Security Assertion Markup Language 2.0 (SAML) protocols. https:// cloud.google.com/identity/solutions/ enable-sso
Question 253:
Your organization relies heavily on Cloud Run for its containerized applications. You utilize Cloud Build for image creation, Artifact Registry for image storage, and Cloud Run for deployment. You must ensure that containers with vulnerabilities rated above a common vulnerability scoring system (CVSS) score of "medium" are not deployed to production. What should you do?
A. Implement vulnerability scanning as part of the Cloud Build process. If any medium or higher vulnerabilities are detected, manually rebuild the image with updated components. B. Perform manual vulnerability checks post-build, but before Cloud Run deployment. Implement a manual security-engineer-driven remediation process. C. Configure Binary Authorization on Cloud Run to enforce image signatures. Create policies to allow deployment only for images passing a defined vulnerability threshold. D. Utilize a vulnerability scanner during the Cloud Build stage and set Artifact Registry permissions to block images containing vulnerabilities above "medium."
C. Configure Binary Authorization on Cloud Run to enforce image signatures. Create policies to allow deployment only for images passing a defined vulnerability threshold.
Explanation/Reference:
Binary Authorization: Provides a strong, policy-based control mechanism for deploying containers. It ensures only trusted and verified images can be deployed to Cloud Run. Vulnerability Threshold: By setting a policy within Binary Authorization, you can explicitly block the deployment of any container images that have vulnerabilities exceeding a CVSS score of "medium". Automation: This approach enables automated enforcement of security standards at the deployment stage, preventing vulnerable images from reaching production.
Question 254:
A customer deploys an application to App Engine and needs to check for Open Web Application Security Project (OWASP) vulnerabilities.
Which service should be used to accomplish this?
A. Cloud Armor B. Google Cloud Audit Logs C. Cloud Security Scanner D. Forseti Security
Web Security Scanner supports categories in the OWASP Top Ten, a document that ranks and provides remediation guidance for the top 10 most critical web application security risks, as determined by the Open Web Application Security
Project (OWASP).
Question 255:
Your organization uses BigQuery to process highly sensitive, structured datasets. Following the "need to know" principle, you need to create the Identity and Access Management (IAM) design to meet the needs of these users:
1.
Business user: must access curated reports.
2.
Data engineer: must administrate the data lifecycle in the platform
3.
Security operator: must review user activity on the data platform.
What should you do?
A. Configure data access log for BigQuery services, and grant Project Viewer role to security operator. B. Set row-based access control based on the "region" column, and filter the record from the United States for data engineers. C. Create curated tables in a separate dataset and assign the role roles/bigquery.dataViewer. D. Generate a CSV data file based on the business user's needs, and send the data to their email addresses.
C. Create curated tables in a separate dataset and assign the role roles/bigquery.dataViewer.
Explanation/Reference:
The most correct answer would be C. Create curated tables in a separate dataset and assign the role roles/bigquery.dataViewer.
This option directly addresses the needs of the business user who must access curated reports. By creating curated tables in a separate dataset, you can control access to specific data. Assigning the roles/ bigquery.dataViewer role allows the business user to view the data in BigQuery.
While option A is also a good practice for a security operator, it doesn't directly address the specific needs of the users mentioned in the question as effectively as option C does. Therefore, if you can only choose one answer, option C would be the most correct.
Question 256:
You control network traffic for a folder in your Google Cloud environment. Your folder includes multiple projects and Virtual Private Cloud (VPC) networks. You want to enforce on the folder level that egress connections are limited only to IP range 10.58.5.0/24 and only from the VPC network "dev-vpc". You want to minimize implementation and maintenance effort.
What should you do?
A. 1. Leave the network configuration of the VMs in scope unchanged. 2. Create a new project including a new VPC network "new-vpc". 3. Deploy a network appliance in "new-vpc" to filter access requests and only allow egress connections from "dev-vpc" to 10.58.5.0/24. B. 1. Leave the network configuration of the VMs in scope unchanged. 2. Enable Cloud NAT for "dev-vpc" and restrict the target range in Cloud NAT to 10.58.5.0/24. C. 1. Attach external IP addresses to the VMs in scope. 2. Define and apply a hierarchical firewall policy on folder level to deny all egress connections and to allow egress to IP range 10.58.5.0/24 from network dev-vpc. D. 1. Attach external IP addresses to the VMs in scope. 2. Configure a VPC Firewall rule in "dev-vpc" that allows egress connectivity to IP range 10.58.5.0/24 for all source addresses in this network.
C. 1. Attach external IP addresses to the VMs in scope. 2. Define and apply a hierarchical firewall policy on folder level to deny all egress connections and to allow egress to IP range 10.58.5.0/24 from network dev-vpc.
Explanation/Reference:
1.
Attach external IP addresses to the VMs in scope.
2.
Define and apply a hierarchical firewall policy on folder level to deny all egress connections and to allow egress to IP range 10.58.5.0/24 from network dev-vpc.
This approach allows you to control network traffic at the folder level. By attaching external IP addresses to the VMs in scope, you can ensure that the VMs have a unique, routable IP address for outbound connections. Then, by defining and applying a hierarchical firewall policy at the folder level, you can enforce that egress connections are limited to the specified IP range and only from the specified VPC network.
Question 257:
You are developing an application that runs on a Compute Engine VM. The application needs to access data stored in Cloud Storage buckets in other Google Cloud projects. The required access to the buckets is variable. You need to provide access to these resources while following Google- recommended practices. What should you do?
A. Limit the VMs access to the Cloud Storage buckets by setting the relevant access scope of the VM. B. Create IAM bindings for the VM's service account and the required buckets that allow appropriate access to the data stored in the buckets. C. Grant the VM's service account access to the required buckets by using domain-wide delegation. D. Create a group and assign IAM bindings to the group for each bucket that the application needs to access. Assign the VM's service account to the group.
B. Create IAM bindings for the VM's service account and the required buckets that allow appropriate access to the data stored in the buckets.
Explanation/Reference:
The best practice for granting access to Google Cloud resources, such as Cloud Storage buckets, is to use IAM roles with service accounts. Compute Engine VMs typically run under a service account, and you can create IAM bindings that grant this service account the necessary permissions to access Cloud Storage buckets in other Google Cloud projects.
By assigning IAM roles (like roles/storage.objectViewer, roles/storage.objectAdmin, etc.) to the VM's service account, you can ensure that the VM only has the required level of access to the specific Cloud Storage buckets. This follows the principle of least privilege, ensuring that the application has access only to the data it needs.
Question 258:
Your organization is developing a new SaaS application on Google Cloud. Stringent compliance standards require visibility into privileged account activity, and potentially unauthorized changes and misconfigurations to the application's infrastructure. You need to monitor administrative actions, log changes to IAM roles and permissions, and be able to trace potentially unauthorized configuration changes. What should you do?
A. Create log sinks to Cloud Storage for long-term retention. Set up log-based alerts in Cloud Logging based on relevant log types. Enable VPC Flow Logs for network visibility. B. Deploy Cloud IDS and activate Firewall Rules Logging. Create a custom dashboard in Security Command Center to visualize potential intrusion attempts. C. Detect sensitive administrative actions by using Cloud Logging with custom filters. Enable VPC Flow Logs with BigQuery exports for rapid analysis of network traffic patterns. D. Enable Event Threat Detection and Security Health Analytics in Security Command Center. Set up detailed logging for IAM-related activity and relevant project resources by deploying Cloud Audit Logs.
D. Enable Event Threat Detection and Security Health Analytics in Security Command Center. Set up detailed logging for IAM-related activity and relevant project resources by deploying Cloud Audit Logs.
Question 259:
Your organization s customers must scan and upload the contract and their driver license into a web portal in Cloud Storage. You must remove all personally identifiable information (Pll) from files that are older than 12 months. Also you must archive the anonymized files for retention purposes.
What should you do?
A. Set a time to live (TTL) of 12 months for the files in the Cloud Storage bucket that removes PH and moves the files to the archive storage class. B. Create a Cloud Data Loss Prevention (DLP) inspection job that de-identifies Pll in files created more than 12 months ago and archives them to another Cloud Storage bucket. Delete the original files. C. Schedule a Cloud Key Management Service (KMS) rotation period of 12 months for the encryption keys of the Cloud Storage files containing Pll to de-identify them Delete the original keys. D. Configure the Autoclass feature of the Cloud Storage bucket to de-identify Pll Archive the files that are older than 12 months Delete the original files.
B. Create a Cloud Data Loss Prevention (DLP) inspection job that de-identifies Pll in files created more than 12 months ago and archives them to another Cloud Storage bucket. Delete the original files.
Question 260:
You will create a new Service Account that should be able to list the Compute Engine instances in the project. You want to follow Google-recommended practices. What should you do?
A. Create an Instance Template, and allow the Service Account Read Only access for the Compute Engine Access Scope. B. Create a custom role with the permission compute.instances.list and grant the Service Account this role. C. Give the Service Account the role of Compute Viewer, and use the new Service Account for all instances. D. Give the Service Account the role of Project Viewer, and use the new Service Account for all instances.
B. Create a custom role with the permission compute.instances.list and grant the Service Account this role.
Nowadays, the certification exams become more and more important and required by more and more
enterprises when applying for a job. But how to prepare for the exam effectively? How to prepare
for the exam in a short time with less efforts? How to get a ideal result and how to find the
most reliable resources? Here on Vcedump.com, you will find all the answers.
Vcedump.com provide not only Google exam questions,
answers and explanations but also complete assistance on your exam preparation and certification
application. If you are confused on your PROFESSIONAL-CLOUD-SECURITY-ENGINEER exam preparations
and Google certification application, do not hesitate to visit our
Vcedump.com to find your solutions here.