PROFESSIONAL-CLOUD-SECURITY-ENGINEER Exam Details

  • Exam Code
    :PROFESSIONAL-CLOUD-SECURITY-ENGINEER
  • Exam Name
    :Professional Cloud Security Engineer
  • Certification
    :Google Certifications
  • Vendor
    :Google
  • Total Questions
    :324 Q&As
  • Last Updated
    :Jul 15, 2026

Google PROFESSIONAL-CLOUD-SECURITY-ENGINEER Online Questions & Answers

  • Question 311:

    A website design company recently migrated all customer sites to App Engine. Some sites are still in progress and should only be visible to customers and company employees from any location. Which solution will restrict access to the in-progress sites?

    A. Upload an .htaccess file containing the customer and employee user accounts to App Engine.
    B. Create an App Engine firewall rule that allows access from the customer and employee networks and denies all other traffic.
    C. Enable Cloud Identity-Aware Proxy (IAP), and allow access to a Google Group that contains the customer and employee user accounts.
    D. Use Cloud VPN to create a VPN connection between the relevant on-premises networks and the company's GCP Virtual Private Cloud (VPC) network.

  • Question 312:

    You work for a large organization where each business unit has thousands of users. You need to delegate management of access control permissions to each business unit. You have the following requirements:

    1.

    Each business unit manages access controls for their own projects.

    2.

    Each business unit manages access control permissions at scale.

    3.

    Business units cannot access other business units' projects.

    4.

    Users lose their access if they move to a different business unit or leave the company.

    5.

    Users and access control permissions are managed by the on-premises directory service.

    What should you do? (Choose two.)

    A. Use VPC Service Controls to create perimeters around each business unit's project.
    B. Organize projects in folders, and assign permissions to Google groups at the folder level.
    C. Group business units based on Organization Units (OUs) and manage permissions based on OUs.
    D. Create a project naming convention, and use Google's IAM Conditions to manage access based on the prefix of project names.
    E. Use Google Cloud Directory Sync to synchronize users and group memberships in Cloud Identity.

  • Question 313:

    Your application development team is releasing a new critical feature. To complete their final testing, they requested 10 thousand real transaction records. The new feature includes format checking on the primary account number (PAN) of a credit card. You must support the request and minimize the risk of unintended personally identifiable information (PII) exposure. What should you do?

    A. Run the new application by using Confidential Computing to ensure PII and card PAN is encrypted in use.
    B. Scan and redact PII from the records by using the Cloud Data Loss Prevention API. Perform format-preserving encryption on the card PAN.
    C. Encrypt the records by using Cloud Key Management Service to protect the PII and card PAN.
    D. Build a tool to replace the card PAN and PII fields with randomly generated values.

  • Question 314:

    Your company is using GSuite and has developed an application meant for internal usage on Google App Engine. You need to make sure that an external user cannot gain access to the application even when an employee's password has been compromised.

    What should you do?

    A. Enforce 2-factor authentication in GSuite for all users.
    B. Configure Cloud Identity-Aware Proxy for the App Engine Application.
    C. Provision user passwords using GSuite Password Sync.
    D. Configure Cloud VPN between your private network and GCP.

  • Question 315:

    Your company uses Google Cloud and has publicly exposed network assets. You want to discover the assets and perform a security audit on these assets by using a software tool in the least amount of time.

    What should you do?

    A. Run a platform security scanner on all instances in the organization.
    B. Identify all external assets by using Cloud Asset Inventory, and then run a network security scanner against them.
    C. Contact a Google approved security vendor to perform the audit.
    D. Notify Google about the pending audit, and wait for confirmation before performing the scan.

  • Question 316:

    The InfoSec team has mandated that all new Cloud Run jobs and services in production must have Binary Authorization enabled. You need to enforce this requirement. What should you do?

    A. Configure an organization policy to require Binary Authorization enforcement on images deployed to Cloud Run.
    B. Configure a Security Health Analytics (SHA) custom rule that prevents the execution of Cloud Run jobs and services without Binary Authorization.
    C. Ensure the Cloud Run admin role is not assigned to developers.
    D. Configure a Binary Authorization custom policy that is not editable by developers and auto-attaches to all Cloud Run jobs and services.

  • Question 317:

    You are developing a new application that uses exclusively Compute Engine VMs. Once a day, this application will execute five different batch jobs. Each of the batch jobs requires a dedicated set of permissions on Google Cloud resources outside of your application. You need to design a secure access concept for the batch jobs that adheres to the least-privilege principle.

    What should you do?

    A. 1. Create a general service account "g-sa" to orchestrate the batch jobs. 2. Create one service account per batch job `b-sa-[1-5]'. Grant only the permissions required to run the individual batch jobs to the service accounts and generate service account keys for each of these service accounts. 3. Store the service account keys in Secret Manager. Grant g-sa access to Secret Manager and run the batch jobs with the permissions of b-sa-[1-5].
    B. 1. Create a general service account "g-sa" to execute the batch jobs. 2. Grant the permissions required to execute the batch jobs to g-sa. 3. Execute the batch jobs with the permissions granted to g-sa.
    C. 1. Create a workload identity pool and configure workload identity pool providers for each batch job. 2. Assign the workload identity user role to each of the identities configured in the providers. 3. Create one service account per batch job "b-sa-[1-5]", and grant only the permissions required to run the individual batch jobs to the service accounts. 4. Generate credential configuration files for each of the providers. Use these files to execute the batch jobs with the permissions of b-sa-[1-5].
    D. 1. Create a general service account "g-sa" to orchestrate the batch jobs. 2. Create one service account per batch job "b-sa-[1-5]", and grant only the permissions required to run the individual batch jobs to the service accounts. 3. Grant the Service Account Token Creator role to g-sa. Use g-sa to obtain short-lived access tokens for b-sa-[1-5] and to execute the batch jobs with the permissions of b-sa-[1-5].

  • Question 318:

    A company is running workloads in a dedicated server room. They must only be accessed from within the private company network. You need to connect to these workloads from Compute Engine instances within a Google Cloud Platform project.

    Which two approaches can you take to meet the requirements? (Choose two.)

    A. Configure the project with Cloud VPN.
    B. Configure the project with Shared VPC.
    C. Configure the project with Cloud Interconnect.
    D. Configure the project with VPC peering.
    E. Configure all Compute Engine instances with Private Access.

  • Question 319:

    You are using Security Command Center (SCC) to protect your workloads and receive alerts for suspected security breaches at your company. You need to detect cryptocurrency mining software. Which SCC service should you use?

    A. Container Threat Detection
    B. Web Security Scanner
    C. Rapid Vulnerability Detection
    D. Virtual Machine Threat Detection

  • Question 320:

    You need to follow Google-recommended practices to leverage envelope encryption and encrypt data at the application layer. What should you do?

    A. Generate a data encryption key (DEK) locally to encrypt the data, and generate a new key encryption key (KEK) in Cloud KMS to encrypt the DEK. Store both the encrypted data and the encrypted DEK.
    B. Generate a data encryption key (DEK) locally to encrypt the data, and generate a new key encryption key (KEK) in Cloud KMS to encrypt the DEK. Store both the encrypted data and the KEK.
    C. Generate a new data encryption key (DEK) in Cloud KMS to encrypt the data, and generate a key encryption key (KEK) locally to encrypt the key. Store both the encrypted data and the encrypted DEK.
    D. Generate a new data encryption key (DEK) in Cloud KMS to encrypt the data, and generate a key encryption key (KEK) locally to encrypt the key. Store both the encrypted data and the KEK.

Tips on How to Prepare for the Exams

Nowadays, the certification exams become more and more important and required by more and more enterprises when applying for a job. But how to prepare for the exam effectively? How to prepare for the exam in a short time with less efforts? How to get a ideal result and how to find the most reliable resources? Here on Vcedump.com, you will find all the answers. Vcedump.com provide not only Google exam questions, answers and explanations but also complete assistance on your exam preparation and certification application. If you are confused on your PROFESSIONAL-CLOUD-SECURITY-ENGINEER exam preparations and Google certification application, do not hesitate to visit our Vcedump.com to find your solutions here.