PROFESSIONAL-CLOUD-SECURITY-ENGINEER Exam Details

  • Exam Code
    :PROFESSIONAL-CLOUD-SECURITY-ENGINEER
  • Exam Name
    :Professional Cloud Security Engineer
  • Certification
    :Google Certifications
  • Vendor
    :Google
  • Total Questions
    :324 Q&As
  • Last Updated
    :Jul 15, 2026

Google PROFESSIONAL-CLOUD-SECURITY-ENGINEER Online Questions & Answers

  • Question 41:

    Your company is moving to Google Cloud. You plan to sync your users first by using Google Cloud Directory Sync (GCDS). Some employees have already created Google Cloud accounts by using their company email addresses that were created outside of GCDS. You must create your users on Cloud Identity.

    What should you do?

    A. Configure GCDS and use GCDS search rules lo sync these users.
    B. Use the transfer tool to migrate unmanaged users.
    C. Write a custom script to identify existing Google Cloud users and call the Admin SDK Directory API to transfer their account.
    D. Configure GCDS and use GCDS exclusion rules to ensure users are not suspended.

  • Question 42:

    You are creating a secure network architecture. You must fully isolate development and production environments, and prevent any network traffic between the two environments. The network team requires that there is only one central entry point to the cloud network from the on-premises environment. What should you do?

    A. Create one Virtual Private Cloud (VPC) network per environment. Add the on-premises entry point to the production VPC. Peer the VPCs with each other and create firewall rules to prevent traffic.
    B. Create one shared Virtual Private Cloud (VPC) network and use it as the entry point to the cloud network. Create separate subnets per environment. Create firewall rules to prevent traffic.
    C. Create one Virtual Private Cloud (VPC) network per environment. Create a VPC Service Controls perimeter per environment and add one environment VPC to each.
    D. Create one Virtual Private Cloud (VPC) network per environment. Create one additional VPC for the entry point to the cloud network. Peer the entry point VPC with the environment VPCs.

  • Question 43:

    A company has redundant mail servers in different Google Cloud Platform regions and wants to route customers to the nearest mail server based on location. How should the company accomplish this?

    A. Configure TCP Proxy Load Balancing as a global load balancing service listening on port 995.
    B. Create a Network Load Balancer to listen on TCP port 995 with a forwarding rule to forward traffic based on location.
    C. Use Cross-Region Load Balancing with an HTTP(S) load balancer to route traffic to the nearest region.
    D. Use Cloud CDN to route the mail traffic to the closest origin mail server based on client IP address.

  • Question 44:

    You want to make sure that your organization's Cloud Storage buckets cannot have data publicly available to the internet. You want to enforce this across all Cloud Storage buckets. What should you do?

    A. Remove Owner roles from end users, and configure Cloud Data Loss Prevention.
    B. Remove Owner roles from end users, and enforce domain restricted sharing in an organization policy.
    C. Configure uniform bucket-level access, and enforce domain restricted sharing in an organization policy.
    D. Remove *.setIamPolicy permissions from all roles, and enforce domain restricted sharing in an organization policy.

  • Question 45:

    After completing a security vulnerability assessment, you learned that cloud administrators leave Google Cloud CLI sessions open for days. You need to reduce the risk of attackers who might exploit these open sessions by setting these sessions to the minimum duration.

    What should you do?

    A. Set the session duration for the Google session control to one hour.
    B. Set the reauthentication frequency (or the Google Cloud Session Control to one hour.
    C. Set the organization policy constraint constraints/iam.allowServiceAccountCredentialLifetimeExtension to one hour.
    D. Set the organization policy constraint constraints/iam. serviceAccountKeyExpiryHours to one hour and inheritFromParent to false.

  • Question 46:

    You are asked to recommend a solution to store and retrieve sensitive configuration data from an application that runs on Compute Engine. Which option should you recommend?

    A. Cloud Key Management Service
    B. Compute Engine guest attributes
    C. Compute Engine custom metadata
    D. Secret Manager

  • Question 47:

    You have stored company approved compute images in a single Google Cloud project that is used as an image repository. This project is protected with VPC Service Controls and exists in the perimeter along with other projects in your organization. This lets other projects deploy images from the image repository project. A team requires deploying a third-party disk image that is stored in an external Google Cloud organization. You need to grant read access to the disk image so that it can be deployed into the perimeter.

    What should you do?

    A. Allow the external project by using the organizational policy, constraints/compute.trustedImageProjects.
    B. 1. Update the perimeter. 2. Configure the egressTo field to include the external Google Cloud project number as an allowed resource and the serviceName to compute.googleapis.com. 3. Configure the egressFrom field to set identityType to ANY_IDENTITY
    C. 1. Update the perimeter. 2. Configure the ingressFrom field to set identityType to ANY_IDENTITY. 3. Configure the ingressTo field to include the external Google Cloud project number as an allowed resource and the serviceName to compute.googleapis.com.
    D. 1. Update the perimeter. 2. Configure the egressTo field to set identityType to ANY_IDENTITY. 3. Configure the egressFrom field to include the external Google Cloud project number as an allowed resource and the serviceName to compute.googleapis.com.

  • Question 48:

    Your organization operates in a highly regulated industry and needs to implement strict controls around temporary access to sensitive Google Cloud resources. You have been using Access Approval to manage this access, but your compliance team has mandated the use of a custom signing key. Additionally, they require that the key be stored in a hardware security module (HSM) located outside Google Cloud. You need to configure Access Approval to use a custom signing key that meets the compliance requirements. What should you do?

    A. Create a new asymmetric signing key in Cloud Key Management System (Cloud KMS) using a supported algorithm and grant the Access Approval service account the IAM signerVerifier role on the key.
    B. Export your existing Access Approval signing key as a PEM file. Upload the file to your external HSM and reconfigure Access Approval to use the key from the HSM.
    C. Create a signing key in your external HSM. Integrate the HSM with Cloud External Key Manager (Cloud EKM) and make the key available within your project. Configure Access Approval to use this key.
    D. Create a new asymmetric signing key in Cloud KMS and configure the key with a rotation period of 30 days. Add the corresponding public key to your external HSM.

  • Question 49:

    In a shared security responsibility model for IaaS, which two layers of the stack does the customer share responsibility for? (Choose two.)

    A. Hardware
    B. Network Security
    C. Storage Encryption
    D. Access Policies
    E. Boot

  • Question 50:

    You are working with a client that is concerned about control of their encryption keys for sensitive data. The client does not want to store encryption keys at rest in the same cloud service provider (CSP) as the data that the keys are encrypting.

    Which Google Cloud encryption solutions should you recommend to this client? (Choose two.)

    A. Customer-supplied encryption keys.
    B. Google default encryption
    C. Secret Manager
    D. Cloud External Key Manager
    E. Customer-managed encryption keys

Tips on How to Prepare for the Exams

Nowadays, the certification exams become more and more important and required by more and more enterprises when applying for a job. But how to prepare for the exam effectively? How to prepare for the exam in a short time with less efforts? How to get a ideal result and how to find the most reliable resources? Here on Vcedump.com, you will find all the answers. Vcedump.com provide not only Google exam questions, answers and explanations but also complete assistance on your exam preparation and certification application. If you are confused on your PROFESSIONAL-CLOUD-SECURITY-ENGINEER exam preparations and Google certification application, do not hesitate to visit our Vcedump.com to find your solutions here.