PROFESSIONAL-CLOUD-SECURITY-ENGINEER Exam Details

  • Exam Code
    :PROFESSIONAL-CLOUD-SECURITY-ENGINEER
  • Exam Name
    :Professional Cloud Security Engineer
  • Certification
    :Google Certifications
  • Vendor
    :Google
  • Total Questions
    :324 Q&As
  • Last Updated
    :Jul 15, 2026

Google PROFESSIONAL-CLOUD-SECURITY-ENGINEER Online Questions & Answers

  • Question 51:

    Your organization heavily utilizes serverless applications while prioritizing security best practices. You are responsible for enforcing image provenance and compliance with security standards before deployment. You leverage Cloud Build as your continuous integration and continuous deployment (CI/CD) tool for building container images. You must configure Binary Authorization to ensure that only images built by your Cloud Build pipeline are deployed and that the images pass security standard compliance checks. What should you do?

    A. Create a Binary Authorization attestor that uses a scanner to assess source code management repositories. Deploy images only if the attestor validates results against a security policy.
    B. Create a Binary Authorization attestor that utilizes a scanner to evaluate container image build processes. Define a policy that requires deployment of images only if this attestation is present.
    C. Create a Binary Authorization attestor that retrieves the Cloud Build build ID of the container image. Configure a policy to allow deployment only if there's a matching build ID attestation.
    D. Utilize a custom Security Health Analytics module to create a policy. Enforce the policy through Binary Authorization to prevent deployment of images that do not meet predefined security standards.

  • Question 52:

    You manage one of your organization's Google Cloud projects (Project A). AVPC Service Control (SC) perimeter is blocking API access requests to this project including Pub/Sub. A resource running under a service account in another project (Project B) needs to collect messages from a Pub/Sub topic in your project Project B is not included in a VPC SC perimeter. You need to provide access from Project B to the Pub/Sub topic in Project A using the principle of least Privilege.

    What should you do?

    A. Configure an ingress policy for the perimeter in Project A and allow access for the service account in Project B to collect messages.
    B. Create an access level that allows a developer in Project B to subscribe to the Pub/Sub topic that is located in Project A.
    C. Create a perimeter bridge between Project A and Project B to allow the required communication between both projects.
    D. Remove the Pub/Sub API from the list of restricted services in the perimeter configuration for Project A.

  • Question 53:

    You are consulting with a client that requires end-to-end encryption of application data (including data in transit, data in use, and data at rest) within Google Cloud. Which options should you utilize to accomplish this? (Choose two.)

    A. External Key Manager
    B. Customer-supplied encryption keys
    C. Hardware Security Module
    D. Confidential Computing and Istio
    E. Client-side encryption

  • Question 54:

    Your organization previously stored files in Cloud Storage by using Google Managed Encryption Keys (GMEK), but has recently updated the internal policy to require Customer Managed Encryption Keys (CMEK). You need to re-encrypt the files quickly and efficiently with minimal cost.

    What should you do?

    A. Reupload the files to the same Cloud Storage bucket specifying a key file by using gsutil.
    B. Encrypt the files locally, and then use gsutil to upload the files to a new bucket.
    C. Copy the files to a new bucket with CMEK enabled in a secondary region.
    D. Change the encryption type on the bucket to CMEK, and rewrite the objects.

  • Question 55:

    An organization adopts Google Cloud Platform (GCP) for application hosting services and needs guidance on setting up password requirements for their Cloud Identity account. The organization has a password policy requirement that corporate employee passwords must have a minimum number of characters.

    Which Cloud Identity password guidelines can the organization use to inform their new requirements?

    A. Set the minimum length for passwords to be 8 characters.
    B. Set the minimum length for passwords to be 10 characters.
    C. Set the minimum length for passwords to be 12 characters.
    D. Set the minimum length for passwords to be 6 characters.

  • Question 56:

    Your customer has an on-premises Public Key Infrastructure (PKI) with a certificate authority (CA). You need to issue certificates for many HTTP load balancer frontends. The on-premises PKI should be minimally affected due to many manual processes, and the solution needs to scale.

    What should you do?

    A. Use Certificate Manager to issue Google managed public certificates and configure it at HTTP the load balancers in your infrastructure as code (IaC).
    B. Use a subordinate CA in the Google Certificate Authority Service from the on-premises PKI system to issue certificates for the load balancers.
    C. Use Certificate Manager to import certificates issued from on-premises PKI and for the frontends. Leverage the gcloud tool for importing.
    D. Use the web applications with PKCS12 certificates issued from subordinate CA based on OpenSSL on- premises. Use the gcloud tool for importing. Use the External TCP/UDP Network load balancer instead of an external HTTP Load Balancer.

  • Question 57:

    You are tasked with exporting and auditing security logs for login activity events for Google Cloud console and API calls that modify configurations to Google Cloud resources. Your export must meet the following requirements:

    1.

    Export related logs for all projects in the Google Cloud organization.

    2.

    Export logs in near real-time to an external SIEM.

    What should you do? (Choose two.)

    A. Create a Log Sink at the organization level with a Pub/Sub destination.
    B. Create a Log Sink at the organization level with the includeChildren parameter, and set the destination to a Pub/Sub topic.
    C. Enable Data Access audit logs at the organization level to apply to all projects.
    D. Enable Google Workspace audit logs to be shared with Google Cloud in the Admin Console.
    E. Ensure that the SIEM processes the AuthenticationInfo field in the audit log entry to gather identity information.

  • Question 58:

    Your security team uses encryption keys to ensure confidentiality of user data. You want to establish a process to reduce the impact of a potentially compromised symmetric encryption key in Cloud Key Management Service (Cloud KMS).

    Which steps should your team take before an incident occurs? (Choose two.)

    A. Disable and revoke access to compromised keys.
    B. Enable automatic key version rotation on a regular schedule.
    C. Manually rotate key versions on an ad hoc schedule.
    D. Limit the number of messages encrypted with each key version.
    E. Disable the Cloud KMS API.

  • Question 59:

    An organization's typical network and security review consists of analyzing application transit routes, request handling, and firewall rules. They want to enable their developer teams to deploy new applications without the overhead of this full review.

    How should you advise this organization?

    A. Use Forseti with Firewall filters to catch any unwanted configurations in production.
    B. Mandate use of infrastructure as code and provide static analysis in the CI/CD pipelines to enforce policies.
    C. Route all VPC traffic through customer-managed routers to detect malicious patterns in production.
    D. All production applications will run on-premises. Allow developers free rein in GCP as their dev and QA platforms.

  • Question 60:

    Your EU-based organization stores both Personally Identifiable Information (PII) and non-PII data in Cloud Storage buckets across multiple Google Cloud regions. EU data privacy laws require that the PII data must not be stored outside of the EU. To help meet this compliance requirement, you want to detect if Cloud Storage buckets outside of the EU contain healthcare data. What should you do?

    A. Create a Sensitive Data Protection job. Specify the infoType of data to be detected and run the job across all Google Cloud Storage buckets.
    B. Create a log sink with a filter on resourceLocation.currentLocations. Trigger an alert if a log message appears with a non- EUcountry.
    C. Activate Security Command Center Premium. Use compliance monitoring to detect resources that do not follow the applicable healthcare regulation.
    D. Enforce the gcp.resourceLocations organization policy and add "EU" in a custom rule that only applies on resources with the tag "healthcare".

Tips on How to Prepare for the Exams

Nowadays, the certification exams become more and more important and required by more and more enterprises when applying for a job. But how to prepare for the exam effectively? How to prepare for the exam in a short time with less efforts? How to get a ideal result and how to find the most reliable resources? Here on Vcedump.com, you will find all the answers. Vcedump.com provide not only Google exam questions, answers and explanations but also complete assistance on your exam preparation and certification application. If you are confused on your PROFESSIONAL-CLOUD-SECURITY-ENGINEER exam preparations and Google certification application, do not hesitate to visit our Vcedump.com to find your solutions here.