PROFESSIONAL-CLOUD-SECURITY-ENGINEER Exam Details

  • Exam Code
    :PROFESSIONAL-CLOUD-SECURITY-ENGINEER
  • Exam Name
    :Professional Cloud Security Engineer
  • Certification
    :Google Certifications
  • Vendor
    :Google
  • Total Questions
    :324 Q&As
  • Last Updated
    :Jul 15, 2026

Google PROFESSIONAL-CLOUD-SECURITY-ENGINEER Online Questions & Answers

  • Question 21:

    You want to set up a secure, internal network within Google Cloud for database servers. The servers must not have any direct communication with the public internet. What should you do?

    A. Assign a private IP address to each database server. Use a NAT gateway to provide internet connectivity to the database servers.
    B. Assign a static public IP address to each database server. Use firewall rules to restrict external access.
    C. Create a VPC with a private subnet. Assign a private IP address to each database server.
    D. Assign both a private IP address and a public IP address to each database server.

  • Question 22:

    Your company's Chief Information Security Officer (CISO) creates a requirement that business data must be stored in specific locations due to regulatory requirements that affect the company's global expansion plans. After working on the details to implement this requirement, you determine the following:

    1.

    The services in scope are included in the Google Cloud Data Residency Terms.

    2.

    The business data remains within specific locations under the same organization.

    3.

    The folder structure can contain multiple data residency locations.

    You plan to use the Resource Location Restriction organization policy constraint. At which level in the resource hierarchy should you set the constraint?

    A. Folder
    B. Resource
    C. Project
    D. Organization

  • Question 23:

    A customer implements Cloud Identity-Aware Proxy for their ERP system hosted on Compute Engine. Their security team wants to add a security layer so that the ERP systems only accept traffic from Cloud Identity-Aware Proxy. What should the customer do to meet these requirements?

    A. Make sure that the ERP system can validate the JWT assertion in the HTTP requests.
    B. Make sure that the ERP system can validate the identity headers in the HTTP requests.
    C. Make sure that the ERP system can validate the x-forwarded-for headers in the HTTP requests.
    D. Make sure that the ERP system can validate the user's unique identifier headers in the HTTP requests.

  • Question 24:

    In order to meet PCI DSS requirements, a customer wants to ensure that all outbound traffic is authorized.

    Which two cloud offerings meet this requirement without additional compensating controls? (Choose two.)

    A. App Engine
    B. Cloud Functions
    C. Compute Engine
    D. Google Kubernetes Engine
    E. Cloud Storage

  • Question 25:

    You are onboarding new users into Cloud Identity and discover that some users have created consumer user accounts using the corporate domain name. How should you manage these consumer user accounts with Cloud Identity?

    A. Use Google Cloud Directory Sync to convert the unmanaged user accounts.
    B. Create a new managed user account for each consumer user account.
    C. Use the transfer tool for unmanaged user accounts.
    D. Configure single sign-on using a customer's third-party provider.

  • Question 26:

    You are part of a security team investigating a compromised service account key. You need to audit which new resources were created by the service account. What should you do?

    A. Query Data Access logs.
    B. Query Admin Activity logs.
    C. Query Access Transparency logs.
    D. Query Stackdriver Monitoring Workspace.

  • Question 27:

    Your organization wants full control of the keys used to encrypt data at rest in their Google Cloud environments. Keys must be generated and stored outside of Google and integrate with many Google Services including BigQuery.

    What should you do?

    A. Use customer-supplied encryption keys (CSEK) with keys generated on trusted external systems. Provide the raw CSEK as part of the API call.
    B. Create a KMS key that is stored on a Google managed FIPS 140-2 level 3 Hardware Security Module (HSM). Manage the Identity and Access Management (IAM) permissions settings, and set up the key rotation period.
    C. Use Cloud External Key Management (EKM) that integrates with an external Hardware Security Module (HSM) system from supported vendors.
    D. Create a Cloud Key Management Service (KMS) key with imported key material. Wrap the key for protection during import. Import the key generated on a trusted system in Cloud KMS.

  • Question 28:

    A customer needs to launch a 3-tier internal web application on Google Cloud Platform (GCP). The customer's internal compliance requirements dictate that end-user access may only be allowed if the traffic seems to originate from a specific known good CIDR. The customer accepts the risk that their application will only have SYN flood DDoS protection. They want to use GCP's native SYN flood protection.

    Which product should be used to meet these requirements?

    A. Cloud Armor
    B. VPC Firewall Rules
    C. Cloud Identity and Access Management
    D. Cloud CDN

  • Question 29:

    A company is deploying their application on Google Cloud Platform. Company policy requires long-term data to be stored using a solution that can automatically replicate data over at least two geographic places. Which Storage solution are they allowed to use?

    A. Cloud Bigtable
    B. Cloud BigQuery
    C. Compute Engine SSD Disk
    D. Compute Engine Persistent Disk

  • Question 30:

    You are working with developers to secure custom training jobs running on Vertex AI. For compliance reasons, all supported data types must be encrypted by key materials that reside in the Europe region and are controlled by your organization. The encryption activity must not impact the training operation in Vertex AI. What should you do?

    A. Encrypt the code, training data, and metadata with Google default encryption. Use customer-managed encryption keys (CMEK) for the trained models exported to Cloud Storage buckets.
    B. Encrypt the code, training data, metadata, and exported trained models with customer-managed encryption keys (CMEK).
    C. Encrypt the code, training data, and exported trained models with customer-managed encryption keys (CMEK).
    D. Encrypt the code, training data, and metadata with Google default encryption. Implement an organization policy that enforces a constraint to restrict the Cloud KMS location to the Europe region.

Tips on How to Prepare for the Exams

Nowadays, the certification exams become more and more important and required by more and more enterprises when applying for a job. But how to prepare for the exam effectively? How to prepare for the exam in a short time with less efforts? How to get a ideal result and how to find the most reliable resources? Here on Vcedump.com, you will find all the answers. Vcedump.com provide not only Google exam questions, answers and explanations but also complete assistance on your exam preparation and certification application. If you are confused on your PROFESSIONAL-CLOUD-SECURITY-ENGINEER exam preparations and Google certification application, do not hesitate to visit our Vcedump.com to find your solutions here.