Google PROFESSIONAL-CLOUD-SECURITY-ENGINEER Online Practice
Questions and Exam Preparation
PROFESSIONAL-CLOUD-SECURITY-ENGINEER Exam Details
Exam Code
:PROFESSIONAL-CLOUD-SECURITY-ENGINEER
Exam Name
:Professional Cloud Security Engineer
Certification
:Google Certifications
Vendor
:Google
Total Questions
:324 Q&As
Last Updated
:Jul 15, 2026
Google PROFESSIONAL-CLOUD-SECURITY-ENGINEER Online Questions &
Answers
Question 51:
Your organization heavily utilizes serverless applications while prioritizing security best practices. You are responsible for enforcing image provenance and compliance with security standards before deployment. You leverage Cloud Build as your continuous integration and continuous deployment (CI/CD) tool for building container images. You must configure Binary Authorization to ensure that only images built by your Cloud Build pipeline are deployed and that the images pass security standard compliance checks. What should you do?
A. Create a Binary Authorization attestor that uses a scanner to assess source code management repositories. Deploy images only if the attestor validates results against a security policy. B. Create a Binary Authorization attestor that utilizes a scanner to evaluate container image build processes. Define a policy that requires deployment of images only if this attestation is present. C. Create a Binary Authorization attestor that retrieves the Cloud Build build ID of the container image. Configure a policy to allow deployment only if there's a matching build ID attestation. D. Utilize a custom Security Health Analytics module to create a policy. Enforce the policy through Binary Authorization to prevent deployment of images that do not meet predefined security standards.
B. Create a Binary Authorization attestor that utilizes a scanner to evaluate container image build processes. Define a policy that requires deployment of images only if this attestation is present.
Question 52:
You manage one of your organization's Google Cloud projects (Project A). AVPC Service Control (SC) perimeter is blocking API access requests to this project including Pub/Sub. A resource running under a service account in another project (Project B) needs to collect messages from a Pub/Sub topic in your project Project B is not included in a VPC SC perimeter. You need to provide access from Project B to the Pub/Sub topic in Project A using the principle of least Privilege.
What should you do?
A. Configure an ingress policy for the perimeter in Project A and allow access for the service account in Project B to collect messages. B. Create an access level that allows a developer in Project B to subscribe to the Pub/Sub topic that is located in Project A. C. Create a perimeter bridge between Project A and Project B to allow the required communication between both projects. D. Remove the Pub/Sub API from the list of restricted services in the perimeter configuration for Project A.
A. Configure an ingress policy for the perimeter in Project A and allow access for the service account in Project B to collect messages.
Question 53:
You are consulting with a client that requires end-to-end encryption of application data (including data in transit, data in use, and data at rest) within Google Cloud. Which options should you utilize to accomplish this? (Choose two.)
A. External Key Manager B. Customer-supplied encryption keys C. Hardware Security Module D. Confidential Computing and Istio E. Client-side encryption
D. Confidential Computing and Istio E. Client-side encryption
Explanation/Reference:
Google Cloud customers with additional requirements for encryption of data over WAN can choose to implement further protections for data as it moves from a user to an application, or virtual machine to virtual machine. These protections include IPSec tunnels, Gmail S/MIME, managed SSL certificates, and Istio. https://cloud.google.com/docs/security/encryption-in-transit
Question 54:
Your organization previously stored files in Cloud Storage by using Google Managed Encryption Keys (GMEK), but has recently updated the internal policy to require Customer Managed Encryption Keys (CMEK). You need to re-encrypt the files quickly and efficiently with minimal cost.
What should you do?
A. Reupload the files to the same Cloud Storage bucket specifying a key file by using gsutil. B. Encrypt the files locally, and then use gsutil to upload the files to a new bucket. C. Copy the files to a new bucket with CMEK enabled in a secondary region. D. Change the encryption type on the bucket to CMEK, and rewrite the objects.
D. Change the encryption type on the bucket to CMEK, and rewrite the objects.
An organization adopts Google Cloud Platform (GCP) for application hosting services and needs guidance on setting up password requirements for their Cloud Identity account. The organization has a password policy requirement that corporate employee passwords must have a minimum number of characters.
Which Cloud Identity password guidelines can the organization use to inform their new requirements?
A. Set the minimum length for passwords to be 8 characters. B. Set the minimum length for passwords to be 10 characters. C. Set the minimum length for passwords to be 12 characters. D. Set the minimum length for passwords to be 6 characters.
A. Set the minimum length for passwords to be 8 characters.
Your customer has an on-premises Public Key Infrastructure (PKI) with a certificate authority (CA). You need to issue certificates for many HTTP load balancer frontends. The on-premises PKI should be minimally affected due to many manual processes, and the solution needs to scale.
What should you do?
A. Use Certificate Manager to issue Google managed public certificates and configure it at HTTP the load balancers in your infrastructure as code (IaC). B. Use a subordinate CA in the Google Certificate Authority Service from the on-premises PKI system to issue certificates for the load balancers. C. Use Certificate Manager to import certificates issued from on-premises PKI and for the frontends. Leverage the gcloud tool for importing. D. Use the web applications with PKCS12 certificates issued from subordinate CA based on OpenSSL on- premises. Use the gcloud tool for importing. Use the External TCP/UDP Network load balancer instead of an external HTTP Load Balancer.
B. Use a subordinate CA in the Google Certificate Authority Service from the on-premises PKI system to issue certificates for the load balancers.
Explanation/Reference:
Use a subordinate CA in the Google Certificate Authority Service from the on- premises PKI system to issue certificates for the load balancers.
This approach allows you to leverage your existing on-premises PKI infrastructure while minimizing its impact and manual processes. By creating a subordinate CA in Google's Certificate Authority Service, you can automate the process of issuing certificates for your HTTP load balancer frontends. This solution scales well as the number of load balancers increases.
Question 57:
You are tasked with exporting and auditing security logs for login activity events for Google Cloud console and API calls that modify configurations to Google Cloud resources. Your export must meet the following requirements:
1.
Export related logs for all projects in the Google Cloud organization.
2.
Export logs in near real-time to an external SIEM.
What should you do? (Choose two.)
A. Create a Log Sink at the organization level with a Pub/Sub destination. B. Create a Log Sink at the organization level with the includeChildren parameter, and set the destination to a Pub/Sub topic. C. Enable Data Access audit logs at the organization level to apply to all projects. D. Enable Google Workspace audit logs to be shared with Google Cloud in the Admin Console. E. Ensure that the SIEM processes the AuthenticationInfo field in the audit log entry to gather identity information.
B. Create a Log Sink at the organization level with the includeChildren parameter, and set the destination to a Pub/Sub topic. D. Enable Google Workspace audit logs to be shared with Google Cloud in the Admin Console.
"Google Workspace Login Audit: Login Audit logs track user sign-ins to your domain. These logs only record the login event. They don't record which system was used to perform the login action."
Question 58:
Your security team uses encryption keys to ensure confidentiality of user data. You want to establish a process to reduce the impact of a potentially compromised symmetric encryption key in Cloud Key Management Service (Cloud KMS).
Which steps should your team take before an incident occurs? (Choose two.)
A. Disable and revoke access to compromised keys. B. Enable automatic key version rotation on a regular schedule. C. Manually rotate key versions on an ad hoc schedule. D. Limit the number of messages encrypted with each key version. E. Disable the Cloud KMS API.
A. Disable and revoke access to compromised keys. B. Enable automatic key version rotation on a regular schedule. D. Limit the number of messages encrypted with each key version. E. Disable the Cloud KMS API.
Question 59:
An organization's typical network and security review consists of analyzing application transit routes, request handling, and firewall rules. They want to enable their developer teams to deploy new applications without the overhead of this full review.
How should you advise this organization?
A. Use Forseti with Firewall filters to catch any unwanted configurations in production. B. Mandate use of infrastructure as code and provide static analysis in the CI/CD pipelines to enforce policies. C. Route all VPC traffic through customer-managed routers to detect malicious patterns in production. D. All production applications will run on-premises. Allow developers free rein in GCP as their dev and QA platforms.
B. Mandate use of infrastructure as code and provide static analysis in the CI/CD pipelines to enforce policies.
Your EU-based organization stores both Personally Identifiable Information (PII) and non-PII data in Cloud Storage buckets across multiple Google Cloud regions. EU data privacy laws require that the PII data must not be stored outside of the EU. To help meet this compliance requirement, you want to detect if Cloud Storage buckets outside of the EU contain healthcare data. What should you do?
A. Create a Sensitive Data Protection job. Specify the infoType of data to be detected and run the job across all Google Cloud Storage buckets. B. Create a log sink with a filter on resourceLocation.currentLocations. Trigger an alert if a log message appears with a non- EUcountry. C. Activate Security Command Center Premium. Use compliance monitoring to detect resources that do not follow the applicable healthcare regulation. D. Enforce the gcp.resourceLocations organization policy and add "EU" in a custom rule that only applies on resources with the tag "healthcare".
A. Create a Sensitive Data Protection job. Specify the infoType of data to be detected and run the job across all Google Cloud Storage buckets.
Nowadays, the certification exams become more and more important and required by more and more
enterprises when applying for a job. But how to prepare for the exam effectively? How to prepare
for the exam in a short time with less efforts? How to get a ideal result and how to find the
most reliable resources? Here on Vcedump.com, you will find all the answers.
Vcedump.com provide not only Google exam questions,
answers and explanations but also complete assistance on your exam preparation and certification
application. If you are confused on your PROFESSIONAL-CLOUD-SECURITY-ENGINEER exam preparations
and Google certification application, do not hesitate to visit our
Vcedump.com to find your solutions here.