Google PROFESSIONAL-CLOUD-SECURITY-ENGINEER Online Practice
Questions and Exam Preparation
PROFESSIONAL-CLOUD-SECURITY-ENGINEER Exam Details
Exam Code
:PROFESSIONAL-CLOUD-SECURITY-ENGINEER
Exam Name
:Professional Cloud Security Engineer
Certification
:Google Certifications
Vendor
:Google
Total Questions
:324 Q&As
Last Updated
:Jul 15, 2026
Google PROFESSIONAL-CLOUD-SECURITY-ENGINEER Online Questions &
Answers
Question 291:
Your team maintains 1PB of sensitive data within BigOuery that contains personally identifiable information (PII). You need to provide access to this dataset to another team within your organization for analysis purposes. You must share the BigQuery dataset with the other team while protecting the PII. What should you do?
A. Utilize BigQuery's row-level access policies to mask PII columns based on the other team's user identities. B. Export the BigQuery dataset to Cloud Storage. Create a VPC Service Control perimeter and allow only their team's project access to the bucket. C. Implement data pseudonymization techniques to replace the PII fields with non-identifiable values. Grant the other team access to the pseudonymized dataset. D. Create a filtered copy of the dataset and replace the sensitive data with hash values in a separate project. Grant the other team access to this new project.
C. Implement data pseudonymization techniques to replace the PII fields with non-identifiable values. Grant the other team access to the pseudonymized dataset.
Question 292:
You work for a healthcare provider that is expanding into the cloud to store and process sensitive patient data. You must ensure the chosen Google Cloud configuration meets these strict regulatory requirements:
1.
Data must reside within specific geographic regions.
2.
Certain administrative actions on patient data require explicit approval from designated compliance officers.
3.
Access to patient data must be auditable.
What should you do?
A. Select a standard Google Cloud region. Restrict access to patient data based on user location and job function by using Access Context Manager. Enable both Cloud Audit Logging and Access Transparency. B. Deploy an Assured Workloads environment in an approved region. Configure Access Approval for sensitive operations on patient data. Enable both Cloud Audit Logs and Access Transparency. C. Deploy an Assured Workloads environment in multiple regions for redundancy. Utilize custom IAM roles with granular permissions. Isolate network-level data by using VPC Service Controls. D. Select multiple standard Google Cloud regions for high availability. Implement Access Control Lists (ACLs) on individual storage objects containing patient data. Enable Cloud Audit Logs.
B. Deploy an Assured Workloads environment in an approved region. Configure Access Approval for sensitive operations on patient data. Enable both Cloud Audit Logs and Access Transparency.
Question 293:
Your organization develops software involved in many open source projects and is concerned about software supply chain threats. You need to deliver provenance for the build to demonstrate the software is untampered.
What should you do?
A. 1. Hire an external auditor to review and provide provenance. 2. Define the scope and conditions. 3. Get support from the Security department or representative. 4. Publish the attestation to your public web page. B. 1. Review the software process. 2. Generate private and public key pairs and use Pretty Good Privacy (PGP) protocols to sign the output software artifacts together with a file containing the address of your enterprise and point of contact. 3. Publish the PGP signed attestation to your public web page. C. 1. Publish the software code on GitHub as open source. 2. Establish a bug bounty program, and encourage the open source community to review, report, and fix the vulnerabilities. D. 1. Generate Supply Chain Levels for Software Artifacts (SLSA) level 3 assurance by using Cloud Build. 2. View the build provenance in the Security insights side panel within the Google Cloud console.
D. 1. Generate Supply Chain Levels for Software Artifacts (SLSA) level 3 assurance by using Cloud Build. 2. View the build provenance in the Security insights side panel within the Google Cloud console.
You have the following resource hierarchy. There is an organization policy at each node in the hierarchy as shown. Which load balancer types are denied in VPC A?
A. All load balancer types are denied in accordance with the global node's policy. B. INTERNAL_TCP_UDP, INTERNAL_HTTP_HTTPS is denied in accordance with the folder's policy. C. EXTERNAL_TCP_PROXY, EXTERNAL_SSL_PROXY are denied in accordance with the project's policy. D. EXTERNAL_TCP_PROXY, EXTERNAL_SSL_PROXY, INTERNAL_TCP_UDP, and INTERNAL_HTTP_HTTPS are denied in accordance with the folder and project's policies.
A. All load balancer types are denied in accordance with the global node's policy.
Question 295:
You are deploying regulated workloads on Google Cloud. The regulation has data residency and data access requirements. It also requires that support is provided from the same geographical location as where the data resides.
What should you do?
A. Enable Access Transparency Logging. B. Deploy Assured Workloads. C. Deploy resources only to regions permitted by data residency requirements. D. Use Data Access logging and Access Transparency logging to confirm that no users are accessing data from another region.
B. Deploy Assured Workloads.
Explanation/Reference:
Deploy Assured Workloads.
Assured Workloads for Google Cloud allows you to deploy regulated workloads with data residency, access, and support requirements. It helps you configure your environment in a manner that aligns with specific compliance frameworks and standards.
Question 296:
Your organization is developing an application that will have both corporate and public end-users. You want to centrally manage those customers' identities and authorizations. Corporate end users must access the application by using their corporate user and domain name. What should you do?
A. Add the corporate and public end-user domains to domain restricted sharing on the organization. B. Federate the customers' identity provider (IdP) with Workforce Identity Federation in your application's project. C. Do nothing. Google Workspace identities will allow you to filter personal accounts and disable their access. D. Use a customer identity and access management tool (CIAM) like Identity Platform.
D. Use a customer identity and access management tool (CIAM) like Identity Platform.
Question 297:
Your company conducts clinical trials and needs to analyze the results of a recent study that are stored in BigQuery. The interval when the medicine was taken contains start and stop dates. The interval data is critical to the analysis, but specific dates may identify a particular batch and introduce bias. You need to obfuscate the start and end dates for each row and preserve the interval data.
What should you do?
A. Use date shifting with the context set to the unique ID of the test subject. B. Extract the date using TimePartConfig from each date field and append a random month and year. C. Use bucketing to shift values to a predetermined date based on the initial value. D. Use the FFX mode of format preserving encryption (FPE) and maintain data consistency.
A. Use date shifting with the context set to the unique ID of the test subject.
Explanation/Reference:
Option A and D works, but the focus here is to preserve the interval data.
So option A is more suited in this case.
"Date shifting techniques randomly shift a set of dates but preserve the sequence and duration of a period of time. Shifting dates is usually done in context to an individual or an entity. That is, each individual's dates are shifted by an amount of time that is unique to that individual."
Question 298:
You have created an OS image that is hardened per your organization's security standards and is being stored in a project managed by the security team. As a Google Cloud administrator, you need to make sure all VMs in your Google Cloud organization can only use that specific OS image while minimizing operational overhead. What should you do? (Choose two.)
A. Grant users the compuce.imageUser role in their own projects. B. Grant users the compuce.imageUser role in the OS image project. C. Store the image in every project that is spun up in your organization. D. Set up an image access organization policy constraint, and list the security team managed project in the projects allow list. E. Remove VM instance creation permission from users of the projects, and only allow you and your team to create VM instances.
B. Grant users the compuce.imageUser role in the OS image project. D. Set up an image access organization policy constraint, and list the security team managed project in the projects allow list.
Explanation/Reference:
https://cloud.google.com/resource-manager/docs/organization-policy/org-policy-constraints-constraints/compute.trustedImageProjects This list constraint defines the set of projects that can be used for image storage and disk instantiation for Compute Engine. If this constraint is active, only images from trusted projects will be allowed as the source for boot disks for new instances.
Question 299:
You have been tasked with configuring Security Command Center for your organization's Google Cloud environment. Your security team needs to receive alerts of potential crypto mining in the organization's compute environment and alerts for common Google Cloud misconfigurations that impact security. Which Security Command Center features should you use to configure these alerts? (Choose two.)
A. Event Threat Detection B. Container Threat Detection C. Security Health Analytics D. Cloud Data Loss Prevention E. Google Cloud Armor
A. Event Threat Detection C. Security Health Analytics
Explanation/Reference:
Event Threat Detection is a built-in service for the Security Command Center Premium tier that continuously monitors your organization and identifies threats within your systems in near-real time. https://cloud.google.com/security-command-center/docs/concepts-security-sources#security-health-analytics https://cloud.google.com/security-command-center/docs/concepts-event-threat-detection-overview
Question 300:
Your organization is preparing to build business services in Google Cloud for the first time. You must determine where to apply appropriate controls or policies. You must also identify what aspects of your cloud deployment are managed by Google. What should you do?
A. Model your deployment on the Google Enterprise foundations blueprint. Follow the blueprint exactly and rely on the blueprint to maintain the posture necessary for your business. B. Use the Risk Manager tool in the Risk Protection Program to generate a report on your cloud security posture. Obtain cyber insurance coverage. C. Subscribe to the Google Cloud release notes to keep up on product updates and when new services are available. Evaluate new services for appropriate use before enabling their API. D. Study the shared responsibilities model. Depending on your business scenario, you might need to consider your responsibilities based on the location of your business offices, your customers, and your data.
D. Study the shared responsibilities model. Depending on your business scenario, you might need to consider your responsibilities based on the location of your business offices, your customers, and your data.
Nowadays, the certification exams become more and more important and required by more and more
enterprises when applying for a job. But how to prepare for the exam effectively? How to prepare
for the exam in a short time with less efforts? How to get a ideal result and how to find the
most reliable resources? Here on Vcedump.com, you will find all the answers.
Vcedump.com provide not only Google exam questions,
answers and explanations but also complete assistance on your exam preparation and certification
application. If you are confused on your PROFESSIONAL-CLOUD-SECURITY-ENGINEER exam preparations
and Google certification application, do not hesitate to visit our
Vcedump.com to find your solutions here.