PROFESSIONAL-CLOUD-SECURITY-ENGINEER Exam Details

  • Exam Code
    :PROFESSIONAL-CLOUD-SECURITY-ENGINEER
  • Exam Name
    :Professional Cloud Security Engineer
  • Certification
    :Google Certifications
  • Vendor
    :Google
  • Total Questions
    :324 Q&As
  • Last Updated
    :Jul 15, 2026

Google PROFESSIONAL-CLOUD-SECURITY-ENGINEER Online Questions & Answers

  • Question 31:

    A company has been running their application on Compute Engine. A bug in the application allowed a malicious user to repeatedly execute a script that results in the Compute Engine instance crashing. Although the bug has been fixed, you want to get notified in case this hack re-occurs.

    What should you do?

    A. Create an Alerting Policy in Stackdriver using a Process Health condition, checking that the number of executions of the script remains below the desired threshold. Enable notifications.
    B. Create an Alerting Policy in Stackdriver using the CPU usage metric. Set the threshold to 80% to be notified when the CPU usage goes above this 80%.
    C. Log every execution of the script to Stackdriver Logging. Create a User-defined metric in Stackdriver Logging on the logs, and create a Stackdriver Dashboard displaying the metric.
    D. Log every execution of the script to Stackdriver Logging. Configure BigQuery as a log sink, and create a BigQuery scheduled query to count the number of executions in a specific timeframe.

  • Question 32:

    Your team needs to make sure that a Compute Engine instance does not have access to the internet or to any Google APIs or services.

    Which two settings must remain disabled to meet these requirements? (Choose two.)

    A. Public IP
    B. IP Forwarding
    C. Private Google Access
    D. Static routes
    E. IAM Network User Role

  • Question 33:

    Your company's Google Cloud organization has about 200 projects and 1,500 virtual machines. There is no uniform strategy for logs and events management, which reduces visibility for your security operations team. You need to design a logs management solution that provides visibility and allows the security team to view the environment's configuration.

    What should you do?

    A. 1. Create a dedicated log sink for each project that is in scope. 2. Use a BigQuery dataset with time partitioning enabled as a destination of the log sinks. 3. Deploy alerts based on log metrics in every project. 4. Grant the role "Monitoring Viewer" to the security operations team in each project.
    B. 1. Create one log sink at the organization level that includes all the child resources. 2. Use as destination a Pub/Sub topic to ingest the logs into the security information and event. management (SIEM) on-premises, and ensure that the right team can access the SIEM. 3. Grant the Viewer role at organization level to the security operations team.
    C. 1. Enable network logs and data access logs for all resources in the "Production" folder. 2. Do not create log sinks to avoid unnecessary costs and latency. 3. Grant the roles "Logs Viewer" and "Browser" at project level to the security operations team.
    D. 1. Create one sink for the "Production" folder that includes child resources and one sink for the logs ingested at the organization level that excludes child resources. 2. As destination, use a log bucket with a minimum retention period of 90 days in a project that can be accessed by the security team. 3. Grant the security operations team the role of Security Reviewer at organization level.

  • Question 34:

    You have just created a new log bucket to replace the _Default log bucket. You want to route all log entries that are currently routed to the _Default log bucket to this new log bucket, in the most efficient manner. What should you do?

    A. Create exclusion filters for the _Default sink to prevent it from receiving new logs. Create a user-defined sink, and select the new log bucket as the sink destination.
    B. Disable the _Default sink. Create a user-defined sink and select the new log bucket as the sink destination.
    C. Create a user-defined sink with inclusion filters copied from the _Default sink. Select the new log bucket as the sink destination.
    D. Edit the _Default sink, and select the new log bucket as the sink destination.

  • Question 35:

    Customers complain about error messages when they access your organization's website. You suspect that the web application firewall rules configured in Cloud Armor are too strict. You want to collect request logs to investigate what triggered the rules and blocked the traffic. What should you do?

    A. Modify the Application Load Balancer backend and increase the tog sample rate to a higher number.
    B. Enable logging in the Application Load Balancer backend and set the log level to VERBOSE in the Cloud Armor policy.
    C. Change the configuration of suspicious web application firewall rules in the Cloud Armor policy to preview mode.
    D. Create a log sink with a filter for togs containing redirected_by_security_policy and set a BigQuery dataset as destination.

  • Question 36:

    Your company runs a website that will store PII on Google Cloud Platform. To comply with data privacy regulations, this data can only be stored for a specific amount of time and must be fully deleted after this specific period. Data that has not yet reached the time period should not be deleted. You want to automate the process of complying with this regulation.

    What should you do?

    A. Store the data in a single Persistent Disk, and delete the disk at expiration time.
    B. Store the data in a single BigQuery table and set the appropriate table expiration time.
    C. Store the data in a single Cloud Storage bucket and configure the bucket's Time to Live.
    D. Store the data in a single BigTable table and set an expiration time on the column families.

  • Question 37:

    A patch for a vulnerability has been released, and a DevOps team needs to update their running containers in Google Kubernetes Engine (GKE).

    How should the DevOps team accomplish this?

    A. Use Puppet or Chef to push out the patch to the running container.
    B. Verify that auto upgrade is enabled; if so, Google will upgrade the nodes in a GKE cluster.
    C. Update the application code or apply a patch, build a new image, and redeploy it.
    D. Configure containers to automatically upgrade when the base image is available in Container Registry.

  • Question 38:

    Your company's chief information security officer (CISO) is requiring business data to be stored in specific locations due to regulatory requirements that affect the company's global expansion plans. After working on a plan to implement this requirement, you determine the following:

    1.

    The services in scope are included in the Google Cloud data residency requirements.

    2.

    The business data remains within specific locations under the same organization. The folder structure can contain multiple data residency locations.

    3.

    The projects are aligned to specific locations.

    You plan to use the Resource Location Restriction organization policy constraint with very granular control. At which level in the hierarchy should you set the constraint?

    A. Organization
    B. Resource
    C. Project
    D. Folder

  • Question 39:

    You are the Security Admin in your company. You want to synchronize all security groups that have an email address from your LDAP directory in Cloud IAM.

    What should you do?

    A. Configure Google Cloud Directory Sync to sync security groups using LDAP search rules that have "user email address" as the attribute to facilitate one-way sync.
    B. Configure Google Cloud Directory Sync to sync security groups using LDAP search rules that have "user email address" as the attribute to facilitate bidirectional sync.
    C. Use a management tool to sync the subset based on the email address attribute. Create a group in the Google domain. A group created in a Google domain will automatically have an explicit Google Cloud Identity and Access Management (IAM) role.
    D. Use a management tool to sync the subset based on group object class attribute. Create a group in the Google domain. A group created in a Google domain will automatically have an explicit Google Cloud Identity and Access Management (IAM) role.

  • Question 40:

    Your company runs a website that will store PII on Google Cloud Platform. To comply with data privacy regulations, this data can only be stored for a specific amount of time and must be fully deleted after this specific period. Data that has not yet reached the time period should not be deleted. You want to automate the process of complying with this regulation.

    What should you do?

    A. Store the data in a single Persistent Disk, and delete the disk at expiration time.
    B. Store the data in a single BigQuery table and set the appropriate table expiration time.
    C. Store the data in a Cloud Storage bucket, and configure the bucket's Object Lifecycle Management feature.
    D. Store the data in a single BigTable table and set an expiration time on the column families.

Tips on How to Prepare for the Exams

Nowadays, the certification exams become more and more important and required by more and more enterprises when applying for a job. But how to prepare for the exam effectively? How to prepare for the exam in a short time with less efforts? How to get a ideal result and how to find the most reliable resources? Here on Vcedump.com, you will find all the answers. Vcedump.com provide not only Google exam questions, answers and explanations but also complete assistance on your exam preparation and certification application. If you are confused on your PROFESSIONAL-CLOUD-SECURITY-ENGINEER exam preparations and Google certification application, do not hesitate to visit our Vcedump.com to find your solutions here.