Google PROFESSIONAL-CLOUD-SECURITY-ENGINEER Online Practice
Questions and Exam Preparation
PROFESSIONAL-CLOUD-SECURITY-ENGINEER Exam Details
Exam Code
:PROFESSIONAL-CLOUD-SECURITY-ENGINEER
Exam Name
:Professional Cloud Security Engineer
Certification
:Google Certifications
Vendor
:Google
Total Questions
:324 Q&As
Last Updated
:Jul 15, 2026
Google PROFESSIONAL-CLOUD-SECURITY-ENGINEER Online Questions &
Answers
Question 21:
You want to set up a secure, internal network within Google Cloud for database servers. The servers must not have any direct communication with the public internet. What should you do?
A. Assign a private IP address to each database server. Use a NAT gateway to provide internet connectivity to the database servers. B. Assign a static public IP address to each database server. Use firewall rules to restrict external access. C. Create a VPC with a private subnet. Assign a private IP address to each database server. D. Assign both a private IP address and a public IP address to each database server.
C. Create a VPC with a private subnet. Assign a private IP address to each database server.
Explanation/Reference:
To set up a secure, internal network for database servers that must not have any direct communication with the public internet, the best approach is to:
1.
Create a VPC (Virtual Private Cloud) with a private subnet where the database servers reside. This ensures that the servers only have private IP addresses and cannot directly access or be accessed by the public internet.
2.
By assigning private IP addresses to the database servers, they remain isolated within the internal network, and only other resources within the VPC (or those allowed through internal routing) can communicate with them.
This setup ensures that the database servers are secure and cannot be accessed from the internet, fulfilling your requirement for internal-only communication.
Question 22:
Your company's Chief Information Security Officer (CISO) creates a requirement that business data must be stored in specific locations due to regulatory requirements that affect the company's global expansion plans. After working on the details to implement this requirement, you determine the following:
1.
The services in scope are included in the Google Cloud Data Residency Terms.
2.
The business data remains within specific locations under the same organization.
3.
The folder structure can contain multiple data residency locations.
You plan to use the Resource Location Restriction organization policy constraint. At which level in the resource hierarchy should you set the constraint?
A customer implements Cloud Identity-Aware Proxy for their ERP system hosted on Compute Engine. Their security team wants to add a security layer so that the ERP systems only accept traffic from Cloud Identity-Aware Proxy. What should the customer do to meet these requirements?
A. Make sure that the ERP system can validate the JWT assertion in the HTTP requests. B. Make sure that the ERP system can validate the identity headers in the HTTP requests. C. Make sure that the ERP system can validate the x-forwarded-for headers in the HTTP requests. D. Make sure that the ERP system can validate the user's unique identifier headers in the HTTP requests.
A. Make sure that the ERP system can validate the JWT assertion in the HTTP requests.
Explanation/Reference:
Use Cryptographic Verification If there is a risk of IAP being turned off or bypassed, your app can check to make sure the identity information it receives is valid. This uses a third web request header added by IAP, called X-Goog-IAP-JWT-Assertion. The value of the header is a cryptographically signed object that also contains the user identity data. Your application can verify the digital signature and use the data provided in this object to be certain that it was provided by IAP without alteration.
Question 24:
In order to meet PCI DSS requirements, a customer wants to ensure that all outbound traffic is authorized.
Which two cloud offerings meet this requirement without additional compensating controls? (Choose two.)
A. App Engine B. Cloud Functions C. Compute Engine D. Google Kubernetes Engine E. Cloud Storage
C. Compute Engine D. Google Kubernetes Engine
Explanation/Reference:
App Engine ingress firewall rules are available, but egress rules are not currently available. Per requirements 1.2.1 and 1.3.4, you must ensure that all outbound traffic is authorized. SAQ A-EP and SAQ D-Type merchants must provide compensating controls or use a different Google Cloud product. Compute Engine and GKE are the preferred alternatives. https://cloud.google.com/solutions/pci-dss-compliance-in- gcp
Question 25:
You are onboarding new users into Cloud Identity and discover that some users have created consumer user accounts using the corporate domain name. How should you manage these consumer user accounts with Cloud Identity?
A. Use Google Cloud Directory Sync to convert the unmanaged user accounts. B. Create a new managed user account for each consumer user account. C. Use the transfer tool for unmanaged user accounts. D. Configure single sign-on using a customer's third-party provider.
C. Use the transfer tool for unmanaged user accounts.
Explanation/Reference:
https://support.google.com/a/answer/6178640?hl=en
The transfer tool enables you to see what unmanaged users exist, and then invite those unmanaged users to the domain.
Question 26:
You are part of a security team investigating a compromised service account key. You need to audit which new resources were created by the service account. What should you do?
A. Query Data Access logs. B. Query Admin Activity logs. C. Query Access Transparency logs. D. Query Stackdriver Monitoring Workspace.
B. Query Admin Activity logs.
Explanation/Reference:
Admin activity logs are always created to log entries for API calls or other actions that modify the configuration or metadata of resources. For example, these logs record when users create VM instances or change Identity and Access Management permissions.
Your organization wants full control of the keys used to encrypt data at rest in their Google Cloud environments. Keys must be generated and stored outside of Google and integrate with many Google Services including BigQuery.
What should you do?
A. Use customer-supplied encryption keys (CSEK) with keys generated on trusted external systems. Provide the raw CSEK as part of the API call. B. Create a KMS key that is stored on a Google managed FIPS 140-2 level 3 Hardware Security Module (HSM). Manage the Identity and Access Management (IAM) permissions settings, and set up the key rotation period. C. Use Cloud External Key Management (EKM) that integrates with an external Hardware Security Module (HSM) system from supported vendors. D. Create a Cloud Key Management Service (KMS) key with imported key material. Wrap the key for protection during import. Import the key generated on a trusted system in Cloud KMS.
C. Use Cloud External Key Management (EKM) that integrates with an external Hardware Security Module (HSM) system from supported vendors.
Explanation/Reference:
Use Cloud External Key Management (EKM) that integrates with an external Hardware Security Module (HSM) system from supported vendors.
Cloud EKM allows you to use encryption keys that are stored and managed in a third-party key management system deployed outside of Google's infrastructure. This gives your organization full control over the keys used to encrypt data at rest in Google Cloud environments, including BigQuery.
Question 28:
A customer needs to launch a 3-tier internal web application on Google Cloud Platform (GCP). The customer's internal compliance requirements dictate that end-user access may only be allowed if the traffic seems to originate from a specific known good CIDR. The customer accepts the risk that their application will only have SYN flood DDoS protection. They want to use GCP's native SYN flood protection.
Which product should be used to meet these requirements?
A. Cloud Armor B. VPC Firewall Rules C. Cloud Identity and Access Management D. Cloud CDN
A company is deploying their application on Google Cloud Platform. Company policy requires long-term data to be stored using a solution that can automatically replicate data over at least two geographic places. Which Storage solution are they allowed to use?
A. Cloud Bigtable B. Cloud BigQuery C. Compute Engine SSD Disk D. Compute Engine Persistent Disk
B. Cloud BigQuery
Explanation/Reference:
https://cloud.google.com/bigquery/docs/locations
Question 30:
You are working with developers to secure custom training jobs running on Vertex AI. For compliance reasons, all supported data types must be encrypted by key materials that reside in the Europe region and are controlled by your organization. The encryption activity must not impact the training operation in Vertex AI. What should you do?
A. Encrypt the code, training data, and metadata with Google default encryption. Use customer-managed encryption keys (CMEK) for the trained models exported to Cloud Storage buckets. B. Encrypt the code, training data, metadata, and exported trained models with customer-managed encryption keys (CMEK). C. Encrypt the code, training data, and exported trained models with customer-managed encryption keys (CMEK). D. Encrypt the code, training data, and metadata with Google default encryption. Implement an organization policy that enforces a constraint to restrict the Cloud KMS location to the Europe region.
B. Encrypt the code, training data, metadata, and exported trained models with customer-managed encryption keys (CMEK).
Nowadays, the certification exams become more and more important and required by more and more
enterprises when applying for a job. But how to prepare for the exam effectively? How to prepare
for the exam in a short time with less efforts? How to get a ideal result and how to find the
most reliable resources? Here on Vcedump.com, you will find all the answers.
Vcedump.com provide not only Google exam questions,
answers and explanations but also complete assistance on your exam preparation and certification
application. If you are confused on your PROFESSIONAL-CLOUD-SECURITY-ENGINEER exam preparations
and Google certification application, do not hesitate to visit our
Vcedump.com to find your solutions here.