Google PROFESSIONAL-CLOUD-SECURITY-ENGINEER Online Practice
Questions and Exam Preparation
PROFESSIONAL-CLOUD-SECURITY-ENGINEER Exam Details
Exam Code
:PROFESSIONAL-CLOUD-SECURITY-ENGINEER
Exam Name
:Professional Cloud Security Engineer
Certification
:Google Certifications
Vendor
:Google
Total Questions
:324 Q&As
Last Updated
:Jul 15, 2026
Google PROFESSIONAL-CLOUD-SECURITY-ENGINEER Online Questions &
Answers
Question 281:
A business unit at a multinational corporation signs up for GCP and starts moving workloads into GCP. The business unit creates a Cloud Identity domain with an organizational resource that has hundreds of projects.
Your team becomes aware of this and wants to take over managing permissions and auditing the domain resources. Which type of access should your team grant to meet this requirement?
A. Organization Administrator B. Security Reviewer C. Organization Role Administrator D. Organization Policy Administrator
A. Organization Administrator
Question 282:
What are the steps to encrypt data using envelope encryption?
A. 1. Generate a data encryption key (DEK) locally. 2. Use a key encryption key (KEK) to wrap the DEK. Encrypt data with the KEK. 3. Store the encrypted data and the wrapped KEK. B. 1. Generate a key encryption key (KEK) locally. 2. Use the KEK to generate a data encryption key (DEK). Encrypt data with the DEK. 3. Store the encrypted data and the wrapped DEK. C. 1. Generate a data encryption key (DEK) locally. 2. Encrypt data with the DEK. 3. Use a key encryption key (KEK) to wrap the DEK. Store the encrypted data and the wrapped DEK. D. 1. Generate a key encryption key (KEK) locally. 2. Generate a data encryption key (DEK) locally. Encrypt data with the KEK. 3. Store the encrypted data and the wrapped DEK.
C. 1. Generate a data encryption key (DEK) locally. 2. Encrypt data with the DEK. 3. Use a key encryption key (KEK) to wrap the DEK. Store the encrypted data and the wrapped DEK.
Explanation/Reference:
The process of encrypting data is to generate a DEK locally, encrypt data with the DEK, use a KEK to wrap the DEK, and then store the encrypted data and the wrapped DEK. The KEK never leaves Cloud KMS.
You plan to synchronize identities to Cloud Identity from a third-party identity provider (IdP). You discovered that some employees used their corporate email address to set up consumer accounts to access Google services. You need to ensure that the organization has control over the configuration, security, and lifecycle of these consumer accounts.
What should you do? (Choose two.)
A. Mandate that those corporate employees delete their unmanaged consumer accounts. B. Reconcile accounts that exist in Cloud Identity but not in the third-party IdP. C. Evict the unmanaged consumer accounts in the third-party IdP before you sync identities. D. Use Google Cloud Directory Sync (GCDS) to migrate the unmanaged consumer accounts' emails as user aliases. E. Use the transfer tool to invite those corporate employees to transfer their unmanaged consumer accounts to the corporate domain.
B. Reconcile accounts that exist in Cloud Identity but not in the third-party IdP. E. Use the transfer tool to invite those corporate employees to transfer their unmanaged consumer accounts to the corporate domain.
Explanation/Reference:
To ensure control over the configuration, security, and lifecycle of consumer accounts created with corporate email addresses, you should reconcile accounts that exist in Cloud Identity but not in the third- party IdP (B). This helps to align accounts and ensure consistent management. Additionally, you can use the transfer tool to invite employees to transfer their unmanaged consumer accounts to the corporate domain (E), which allows you to bring these accounts under the organization's control in Cloud Identity.
Question 284:
You work for an ecommerce company that stores sensitive customer data across multiple Google Cloud regions. The development team has built a new 3-tier application to process orders and must integrate the application into the production environment.
You must design the network architecture to ensure strong security boundaries and isolation for the new application, facilitate secure remote maintenance by authorized third-party vendors, and follow the principle of least privilege. What should you do?
A. Create separate VPC networks for each tier. Use VPC peering between application tiers and other required VPCs. Provide vendors with SSH keys and root access only to the instances within the VPC for maintenance purposes. B. Create a single VPC network and create different subnets for each tier. Create a new Google project specifically for the third-party vendors and grant the network admin role to the vendors. Deploy a VPN appliance and rely on the vendors' configurations to secure third-party access. C. Create separate VPC networks for each tier. Use VPC peering between application tiers and other required VPCs. Enable Identity-Aware Proxy (IAP) for remote access to management resources, limiting access to authorized vendors. D. Create a single VPC network and create different subnets for each tier. Create a new Google project specifically for the third-party vendors. Grant the vendors ownership of that project and the ability to modify the Shared VPC configuration.
C. Create separate VPC networks for each tier. Use VPC peering between application tiers and other required VPCs. Enable Identity-Aware Proxy (IAP) for remote access to management resources, limiting access to authorized vendors.
Question 285:
Your team uses a service account to authenticate data transfers from a given Compute Engine virtual machine instance of to a specified Cloud Storage bucket. An engineer accidentally deletes the service account, which breaks application functionality. You want to recover the application as quickly as possible without compromising security.
What should you do?
A. Temporarily disable authentication on the Cloud Storage bucket. B. Use the undelete command to recover the deleted service account. C. Create a new service account with the same name as the deleted service account. D. Update the permissions of another existing service account and supply those credentials to the applications.
B. Use the undelete command to recover the deleted service account.
You are a Cloud Identity administrator for your organization. In your Google Cloud environment groups are used to manage user permissions. Each application team has a dedicated group Your team is responsible for creating these groups and the application teams can manage the team members on their own through the Google Cloud console. You must ensure that the application teams can only add users from within your organization to their groups.
What should you do?
A. Change the configuration of the relevant groups in the Google Workspace Admin console to prevent external users from being added to the group. B. Set an Identity and Access Management (IAM) policy that includes a condition that restricts group membership to user principals that belong to your organization. C. Define an Identity and Access Management (IAM) deny policy that denies the assignment of principals that are outside your organization to the groups in scope. D. Export the Cloud Identity logs to BigQuery Configure an alert for external members added to groups Have the alert trigger a Cloud Function instance that removes the external members from the group.
A. Change the configuration of the relevant groups in the Google Workspace Admin console to prevent external users from being added to the group.
Question 287:
A service account key has been publicly exposed on multiple public code repositories. After reviewing the logs, you notice that the keys were used to generate short-lived credentials. You need to immediately remove access with the service account.
What should you do?
A. Delete the compromised service account. B. Disable the compromised service account key. C. Wait until the service account credentials expire automatically. D. Rotate the compromised service account key.
A. Delete the compromised service account.
Explanation/Reference:
Normally you would just choose (D) to not break the business continuity. But in this case, when short-lived credentials are created you need to disable/delete service account (disabling service account key doesn't revoke short-lived credentials)
Your Google Cloud organization is subdivided into three folders: production, development, and networking, Networking resources for the organization are centrally managed in the networking folder. You discovered that projects in the production folder are attaching to Shared VPCs that are outside of the networking folder which could become a data exfiltration risk. You must resolve the production folder issue without impacting the development folder. You need to use the most efficient and least disruptive approach. What should you do?
A. Enable the Restrict Shared VPC Host Projects organization policy on the production folder. Create a custom rule and configure the policy type to Allow. In the Custom value section, enter under:folders/networking. B. Enable the Restrict Shared VPC Host Projects organization policy on the networking folder only. Create a new custom rule and configure the policy type to Allow. In the Custom value section, enter under:organizations/123456739123. C. Enable the Restrict Shared VPC Host Projects organization policy at the project level for each of the production projects. Create a custom rule and configure the policy type to Allow. In the Custom value section, enter under:folders/ networking. D. Enable the Restrict Shared VPC Host Projects organization policy at the organization level. Create a custom rule and configure the policy type to Allow. In the Custom value section, enter under:folders/networking.
A. Enable the Restrict Shared VPC Host Projects organization policy on the production folder. Create a custom rule and configure the policy type to Allow. In the Custom value section, enter under:folders/networking.
Explanation/Reference:
The most efficient and least disruptive way to solve the issue is to apply the Restrict Shared VPC Host Projects organization policy specifically to the production folder. This option directly addresses the issue in the production folder without impacting the development folder, making it the least disruptive and most efficient approach. By enabling the Restrict Shared VPC Host Projects organization policy at the production folder level, you can prevent projects in the production folder from attaching to Shared VPCs that are outside of the networking folder, thereby mitigating the risk of data exfiltration.
The custom rule ensures that only Shared VPC host projects in the networking folder can be used by the production projects, which achieves the goal while maintaining existing workflows for the development folder.
Question 289:
For compliance reporting purposes, the internal audit department needs you to provide the list of virtual machines (VMs) that have critical operating system (OS) security updates available, but not installed. You must provide this list every six months, and you want to perform this task quickly.
What should you do?
A. Run a Security Command Center security scan on all VMs to extract a list of VMs with critical OS vulnerabilities every six months. B. Run a gcloud CLI command from the Command Line Interface (CLI) to extract the VM's OS version information every six months. C. Ensure that the Cloud Logging agent is installed on all VMs, and extract the OS last update log date every six months. D. Ensure the OS Config agent is installed on all VMs and extract the patch status dashboard every six months.
D. Ensure the OS Config agent is installed on all VMs and extract the patch status dashboard every six months.
Explanation/Reference:
https://cloud.google.com/compute/docs/vm-manager
Question 290:
You work for a multinational organization that has systems deployed across multiple cloud providers, including Google Cloud. Your organization maintains an extensive on-premises security information and event management (SIEM) system. New security compliance regulations require that relevant Google Cloud logs be integrated seamlessly with the existing SIEM to provide a unified view of security events. You need to implement a solution that exports Google Cloud logs to your on-premises SIEM by using a push-based, near real-time approach. You must prioritize fault tolerance, security, and auto scaling capabilities. In particular, you must ensure that if a log delivery fails, logs are re-sent. What should you do?
A. Create a Pub/Sub topic for log aggregation. Write a custom Python script on a Cloud Function Leverage the Cloud Logging API to periodically pull logs from Google Cloud and forward the logs to the SIEM. Schedule the Cloud Function to run twice per day. B. Collect all logs into an organization-level aggregated log sink and send the logs to a Pub/Sub topic. Implement a primary Dataflow pipeline that consumes logs from this Pub/Sub topic and delivers the logs to the SIEM. Implement a secondary Dataflow pipeline that replays failed messages. C. Deploy a Cloud Logging sink with a filter that routes all logs directly to a syslog endpoint. The endpoint is based on a single Compute Engine hosted on Google Cloud that routes all logs to the on-premises SIEM. Implement a Cloud Function that triggers a retry action in case of failure. D. Utilize custom firewall rules to allow your SIEM to directly query Google Cloud logs. Implement a Cloud Function that notifies the SIEM of a failed delivery and triggers a retry action.
B. Collect all logs into an organization-level aggregated log sink and send the logs to a Pub/Sub topic. Implement a primary Dataflow pipeline that consumes logs from this Pub/Sub topic and delivers the logs to the SIEM. Implement a secondary Dataflow pipeline that replays failed messages.
Nowadays, the certification exams become more and more important and required by more and more
enterprises when applying for a job. But how to prepare for the exam effectively? How to prepare
for the exam in a short time with less efforts? How to get a ideal result and how to find the
most reliable resources? Here on Vcedump.com, you will find all the answers.
Vcedump.com provide not only Google exam questions,
answers and explanations but also complete assistance on your exam preparation and certification
application. If you are confused on your PROFESSIONAL-CLOUD-SECURITY-ENGINEER exam preparations
and Google certification application, do not hesitate to visit our
Vcedump.com to find your solutions here.