PROFESSIONAL-CLOUD-SECURITY-ENGINEER Exam Details

  • Exam Code
    :PROFESSIONAL-CLOUD-SECURITY-ENGINEER
  • Exam Name
    :Professional Cloud Security Engineer
  • Certification
    :Google Certifications
  • Vendor
    :Google
  • Total Questions
    :324 Q&As
  • Last Updated
    :Jul 15, 2026

Google PROFESSIONAL-CLOUD-SECURITY-ENGINEER Online Questions & Answers

  • Question 261:

    You are exporting application logs to Cloud Storage. You encounter an error message that the log sinks don't support uniform bucket-level access policies. How should you resolve this error?

    A. Change the access control model for the bucket
    B. Update your sink with the correct bucket destination.
    C. Add the roles/logging.logWriter Identity and Access Management (IAM) role to the bucket for the log sink identity.
    D. Add the roles/logging.bucketWriter Identity and Access Management (IAM) role to the bucket for the log sink identity.

  • Question 262:

    A customer is running an analytics workload on Google Cloud Platform (GCP) where Compute Engine instances are accessing data stored on Cloud Storage. Your team wants to make sure that this workload will not be able to access, or be accessed from, the internet.

    Which two strategies should your team use to meet these requirements? (Choose two.)

    A. Configure Private Google Access on the Compute Engine subnet
    B. Avoid assigning public IP addresses to the Compute Engine cluster.
    C. Make sure that the Compute Engine cluster is running on a separate subnet.
    D. Turn off IP forwarding on the Compute Engine instances in the cluster.
    E. Configure a Cloud NAT gateway.

  • Question 263:

    A company is running their webshop on Google Kubernetes Engine and wants to analyze customer transactions in BigQuery. You need to ensure that no credit card numbers are stored in BigQuery What should you do?

    A. Create a BigQuery view with regular expressions matching credit card numbers to query and delete affected rows.
    B. Use the Cloud Data Loss Prevention API to redact related infoTypes before data is ingested into BigQuery.
    C. Leverage Security Command Center to scan for the assets of type Credit Card Number in BigQuery.
    D. Enable Cloud Identity-Aware Proxy to filter out credit card numbers before storing the logs in BigQuery.

  • Question 264:

    Which international compliance standard provides guidelines for information security controls applicable to the provision and use of cloud services?

    A. ISO 27001
    B. ISO 27002
    C. ISO 27017
    D. ISO 27018

  • Question 265:

    Your organization wants to be compliant with the General Data Protection Regulation (GDPR) on Google Cloud. You must implement data residency and operational sovereignty in the EU.

    What should you do? (Choose two.)

    A. Limit the physical location of a new resource with the Organization Policy Service "resource locations constraint."
    B. Use Cloud IDS to get east-west and north-south traffic visibility in the EU to monitor intra-VPC and inter-VPC communication.
    C. Limit Google personnel access based on predefined attributes such as their citizenship or geographic location by using Key Access Justifications.
    D. Use identity federation to limit access to Google Cloud resources from non-EU entities.
    E. Use VPC Flow Logs to monitor intra-VPC and inter-VPC traffic in the EU.

  • Question 266:

    A DevOps team will create a new container to run on Google Kubernetes Engine. As the application will be internet-facing, they want to minimize the attack surface of the container. What should they do?

    A. Use Cloud Build to build the container images.
    B. Build small containers using small base images.
    C. Delete non-used versions from Container Registry.
    D. Use a Continuous Delivery tool to deploy the application.

  • Question 267:

    You need to provide a corporate user account in Google Cloud for each of your developers and operational staff who need direct access to GCP resources. Corporate policy requires you to maintain the user identity in a third-party identity management provider and leverage single sign-on. You learn that a significant number of users are using their corporate domain email addresses for personal Google accounts, and you need to follow Google recommended practices to convert existing unmanaged users to managed accounts.

    Which two actions should you take? (Choose two.)

    A. Use Google Cloud Directory Sync to synchronize your local identity management system to Cloud Identity.
    B. Use the Google Admin console to view which managed users are using a personal account for their recovery email.
    C. Add users to your managed Google account and force users to change the email addresses associated with their personal accounts.
    D. Use the Transfer Tool for Unmanaged Users (TTUU) to find users with conflicting accounts and ask them to transfer their personal Google accounts.
    E. Send an email to all of your employees and ask those users with corporate email addresses for personal Google accounts to delete the personal accounts immediately.

  • Question 268:

    Your team wants to make sure Compute Engine instances running in your production project do not have public IP addresses. The frontend application Compute Engine instances will require public IPs. The product engineers have the Editor role to modify resources. Your team wants to enforce this requirement.

    How should your team meet these requirements?

    A. Enable Private Access on the VPC network in the production project.
    B. Remove the Editor role and grant the Compute Admin IAM role to the engineers.
    C. Set up an organization policy to only permit public IPs for the front-end Compute Engine instances.
    D. Set up a VPC network with two subnets: one with public IPs and one without public IPs.

  • Question 269:

    When creating a secure container image, which two items should you incorporate into the build if possible? (Choose two.)

    A. Ensure that the app does not run as PID 1.
    B. Package a single app as a container.
    C. Remove any unnecessary tools not needed by the app.
    D. Use public container images as a base image for the app.
    E. Use many container image layers to hide sensitive information.

  • Question 270:

    You are a consultant for an organization that is considering migrating their data from its private cloud to Google Cloud. The organization's compliance team is not familiar with Google Cloud and needs guidance on how compliance requirements will be met on Google Cloud. One specific compliance requirement is for customer data at rest to reside within specific geographic boundaries. Which option should you recommend for the organization to meet their data residency requirements on Google Cloud?

    A. Organization Policy Service constraints
    B. Shielded VM instances
    C. Access control lists
    D. Geolocation access controls
    E. Google Cloud Armor

Tips on How to Prepare for the Exams

Nowadays, the certification exams become more and more important and required by more and more enterprises when applying for a job. But how to prepare for the exam effectively? How to prepare for the exam in a short time with less efforts? How to get a ideal result and how to find the most reliable resources? Here on Vcedump.com, you will find all the answers. Vcedump.com provide not only Google exam questions, answers and explanations but also complete assistance on your exam preparation and certification application. If you are confused on your PROFESSIONAL-CLOUD-SECURITY-ENGINEER exam preparations and Google certification application, do not hesitate to visit our Vcedump.com to find your solutions here.