PROFESSIONAL-CLOUD-SECURITY-ENGINEER Exam Details

  • Exam Code
    :PROFESSIONAL-CLOUD-SECURITY-ENGINEER
  • Exam Name
    :Professional Cloud Security Engineer
  • Certification
    :Google Certifications
  • Vendor
    :Google
  • Total Questions
    :324 Q&As
  • Last Updated
    :Jul 15, 2026

Google PROFESSIONAL-CLOUD-SECURITY-ENGINEER Online Questions & Answers

  • Question 271:

    The new CEO of your organization recently sold two of the organization's divisions. You are migrating the Google Cloud projects associated with those divisions to a new organization node. You need to complete the necessary preparation step before the migration can occur.

    What should you do?

    A. Remove all project-level custom Identity and Access Management (IAM) roles.
    B. Disallow inheritance of organization policies.
    C. Identify inherited Identity and Access Management (IAM) roles on projects to be migrated.
    D. Create a new folder for all projects to be migrated.

  • Question 272:

    Your organization has an internet-facing application behind a load balancer. Your regulators require end-to-end encryption of user login credentials. You must implement this requirement. What should you do?

    A. Generate a symmetric key with Cloud KMS. Encrypt client-side user credentials by using the symmetric key.
    B. Concatenate the credential with a timestamp. Submit the timestamp and hashed value of credentials to the network.
    C. Deploy the TLS certificate at Google Cloud Global HTTPs Load Balancer, and submit the user credentials through HTTPs.
    D. Generate an asymmetric key with Cloud KMS. Encrypt client-side user credentials using the public key.

  • Question 273:

    You are deploying a web application hosted on Compute Engine. A business requirement mandates that application logs are preserved for 12 years and data is kept within European boundaries. You want to implement a storage solution that minimizes overhead and is cost-effective. What should you do?

    A. Create a Cloud Storage bucket to store your logs in the EUROPE-WEST1 region. Modify your application code to ship logs directly to your bucket for increased efficiency.
    B. Configure your Compute Engine instances to use the Google Cloud's operations suite Cloud Logging agent to send application logs to a custom log bucket in the EUROPE-WEST1 region with a custom retention of 12 years.
    C. Use a Pub/Sub topic to forward your application logs to a Cloud Storage bucket in the EUROPE- WEST1 region.
    D. Configure a custom retention policy of 12 years on your Google Cloud's operations suite log bucket in the EUROPE-WEST1 region.

  • Question 274:

    You need to create a VPC that enables your security team to control network resources such as firewall rules. How should you configure the network to allow for separation of duties for network resources?

    A. Set up multiple VPC networks, and set up multi-NIC virtual appliances to connect the networks.
    B. Set up VPC Network Peering, and allow developers to peer their network with a Shared VPC.
    C. Set up a VPC in a project. Assign the Compute Network Admin role to the security team, and assign the Compute Admin role to the developers.
    D. Set up a Shared VPC where the security team manages the firewall rules, and share the network with developers via service projects.

  • Question 275:

    A customer needs an alternative to storing their plain text secrets in their source-code management (SCM) system.

    How should the customer achieve this using Google Cloud Platform?

    A. Use Cloud Source Repositories, and store secrets in Cloud SQL.
    B. Encrypt the secrets with a Customer-Managed Encryption Key (CMEK), and store them in Cloud Storage.
    C. Run the Cloud Data Loss Prevention API to scan the secrets, and store them in Cloud SQL.
    D. Deploy the SCM to a Compute Engine VM with local SSDs, and enable preemptible VMs.

  • Question 276:

    You are a security administrator at your company and are responsible for managing access controls (identification, authentication, and authorization) on Google Cloud. Which Google-recommended best practices should you follow when configuring authentication and authorization? (Choose two.)

    A. Use Google default encryption.
    B. Manually add users to Google Cloud.
    C. Provision users with basic roles using Google's Identity and Access Management (IAM) service.
    D. Use SSO/SAML integration with Cloud Identity for user authentication and user lifecycle management.
    E. Provide granular access with predefined roles.

  • Question 277:

    You manage a Google Cloud organization with many projects located in various regions around the world. The projects are protected by the same Access Context Manager access policy. You created a new folder that will host two projects that process protected health information (PHI) for US-based customers. The two projects will be separately managed and require stricter protections. You are setting up the VPC Service Controls configuration for the new folder. You must ensure that only US-based personnel can access these projects and restrict Google Cloud API access to only BigQuery and Cloud Storage within these projects. What should you do?

    A. 1. Create a scoped access policy, add the new folder under "Select resources to include in the policy," and assign an administrator under "Manage principals." 2. For the service perimeter, specify the two new projects as "Resources to protect" in the service perimeter configuration. 3. Set "Restricted services" to "all services," set "VPC accessible services" to "Selected services," and specify only BigQuery and Cloud Storage under "Selected services."
    B. 1. Enable Identity Aware Proxy in the new projects. 2. Create an Access Context Manager access level with an "IP Subnetworks" attribute condition set to the US-based corporate IP range. 3. Enable the "Restrict Resource Service Usage" organization policy at the new folder level with an "Allow" policy type and set both "storage.googleapis.com" and "bigquery.googleapis.com" under "Custom values."
    C. 1. Edit the organization-level access policy and add the new folder under "Select resources to include in the policy." 2. Specify the two new projects as "Resources to protect" in the service perimeter configuration. 3. Set "Restricted services" to "all services," set "VPC accessible services" to "Selected services," and specify only BigQuery and Cloud Storage. 4. Edit the existing access level to add a "Geographic locations" condition set to "US."
    D. 1. Configure a Cloud Interconnect connection or a Virtual Private Network (VPN) between the on-premises environment and the Google Cloud organization. 2. Configure the VPC firewall policies within the new projects to only allow connections from the on-premises IP address range. 3. Enable the Restrict Resource Service Usage organization policy on the new folder with an "Allow" policy type, and set both "storage.googleapis.com" and "bigquery.googleapis.com" under "Custom values."

  • Question 278:

    A customer wants to deploy a large number of 3-tier web applications on Compute Engine.

    How should the customer ensure authenticated network separation between the different tiers of the application?

    A. Run each tier in its own Project, and segregate using Project labels.
    B. Run each tier with a different Service Account (SA), and use SA-based firewall rules.
    C. Run each tier in its own subnet, and use subnet-based firewall rules.
    D. Run each tier with its own VM tags, and use tag-based firewall rules.

  • Question 279:

    An application running on a Compute Engine instance needs to read data from a Cloud Storage bucket. Your team does not allow Cloud Storage buckets to be globally readable and wants to ensure the principle of least privilege.

    Which option meets the requirement of your team?

    A. Create a Cloud Storage ACL that allows read-only access from the Compute Engine instance's IP address and allows the application to read from the bucket without credentials.
    B. Use a service account with read-only access to the Cloud Storage bucket, and store the credentials to the service account in the config of the application on the Compute Engine instance.
    C. Use a service account with read-only access to the Cloud Storage bucket to retrieve the credentials from the instance metadata.
    D. Encrypt the data in the Cloud Storage bucket using Cloud KMS, and allow the application to decrypt the data with the KMS key.

  • Question 280:

    Your organization is using Vertex AI Workbench Instances. You must ensure that newly deployed Instances are automatically kept up-to-date and that users cannot accidentally alter settings in the operating system. What should you do?

    A. Enforce the disableRootAccesa and requireAutoUpgradeSchedule organization policies for newly deployed Instances.
    B. Enable the VM Manager and ensure the corresponding Google Compute Engine instances are added.
    C. Implement a firewall rule that prevents Secure Shell access to the corresponding Google Compute Engine instances by using tags.
    D. Assign the AI Notebooks Runner and AI Notebooks Viewer roles to the users of the AI Workbench Instances.

Tips on How to Prepare for the Exams

Nowadays, the certification exams become more and more important and required by more and more enterprises when applying for a job. But how to prepare for the exam effectively? How to prepare for the exam in a short time with less efforts? How to get a ideal result and how to find the most reliable resources? Here on Vcedump.com, you will find all the answers. Vcedump.com provide not only Google exam questions, answers and explanations but also complete assistance on your exam preparation and certification application. If you are confused on your PROFESSIONAL-CLOUD-SECURITY-ENGINEER exam preparations and Google certification application, do not hesitate to visit our Vcedump.com to find your solutions here.