PROFESSIONAL-CLOUD-SECURITY-ENGINEER Exam Details

  • Exam Code
    :PROFESSIONAL-CLOUD-SECURITY-ENGINEER
  • Exam Name
    :Professional Cloud Security Engineer
  • Certification
    :Google Certifications
  • Vendor
    :Google
  • Total Questions
    :324 Q&As
  • Last Updated
    :Jul 15, 2026

Google PROFESSIONAL-CLOUD-SECURITY-ENGINEER Online Questions & Answers

  • Question 61:

    Your organization is worried about recent news headlines regarding application vulnerabilities in production applications that have led to security breaches. You want to automatically scan your deployment pipeline for vulnerabilities and ensure only scanned and verified containers can run in the environment. What should you do?

    A. Use Kubernetes role-based access control (RBAC) as the source of truth for cluster access by granting "container.clusters.get" to limited users. Restrict deployment access by allowing these users to generate a kubeconfig file containing the configuration access to the GKE cluster.
    B. Use gcloud artifacts docker images describe LOCATION-docker.pkg.dev/PROJECT_ID/REPOSITORY/IMAGE_ID@sha256:HASH --show-package-vulnerabilityin your CI/CD pipeline, and trigger a pipeline failure for critical vulnerabilities.
    C. Enforce the use of Cloud Code for development so users receive real-time security feedback on vulnerable libraries and dependencies before they check in their code.
    D. Enable Binary Authorization and create attestations of scans.

  • Question 62:

    A customer is collaborating with another company to build an application on Compute Engine. The customer is building the application tier in their GCP Organization, and the other company is building the storage tier in a different GCP Organization. This is a 3-tier web application. Communication between portions of the application must not traverse the public internet by any means.

    Which connectivity option should be implemented?

    A. VPC peering
    B. Cloud VPN
    C. Cloud Interconnect
    D. Shared VPC

  • Question 63:

    A company is using Google Kubernetes Engine (GKE) with container images of a mission-critical application. The company wants to scan the images for known security issues and securely share the report with the security team without exposing them outside Google Cloud.

    What should you do?

    A. 1. Enable Container Threat Detection in the Security Command Center Premium tier. 2. Upgrade all clusters that are not on a supported version of GKE to the latest possible GKE version. 3. View and share the results from the Security Command Center.
    B. 1. Use an open source tool in Cloud Build to scan the images. 2. Upload reports to publicly accessible buckets in Cloud Storage by using gsutil. 3. Share the scan report link with your security department.
    C. 1. Enable vulnerability scanning in the Artifact Registry settings. 2. Use Cloud Build to build the images. 3. Push the images to the Artifact Registry for automatic scanning. 4. View the reports in the Artifact Registry.
    D. 1. Get a GitHub subscription. 2. Build the images in Cloud Build and store them in GitHub for automatic scanning. 3. Download the report from GitHub and share with the Security Team.

  • Question 64:

    You work for a financial organization in a highly regulated industry that is subject to active regulatory compliance. To meet compliance requirements, you need to continuously maintain a specific set of configurations, data residency, organizational policies, and personnel data access controls. What should you do?

    A. Apply an organizational policy constraint at the organization level to limit the location of new resource creation.
    B. Create an Assured Workloads folder for your required compliance program to apply defined controls and requirements.
    C. Go to the Compliance page in Security Command Center. View the report for your status against the required compliance standard. Triage violations to maintain compliance on a regular basis.
    D. Create a posture.yaml file with the required security compliance posture. Apply the posture with the gcloud scc postures create POSTURE_NAME --posture-from-file=posture.yaml command in Security Command Center Premium.

  • Question 65:

    You work for a large organization that recently implemented a 100GB Cloud Interconnect connection between your Google Cloud and your on-premises edge router. While routinely checking the connectivity, you noticed that the connection is operational but there is an error message that indicates MACsec is operationally down. You need to resolve this error. What should you do?

    A. Ensure that the Cloud Interconnect connection supports MACsec.
    B. Ensure that the on-premises router is not down.
    C. Ensure that the active pre-shared key created for MACsec is not expired on both the on-premises and Google edge routers.
    D. Ensure that the active pre-shared key matches on both the on-premises and Google edge routers.

  • Question 66:

    A customer has an analytics workload running on Compute Engine that should have limited internet access.

    Your team created an egress firewall rule to deny (priority 1000) all traffic to the internet.

    The Compute Engine instances now need to reach out to the public repository to get security updates.

    What should your team do?

    A. Create an egress firewall rule to allow traffic to the CIDR range of the repository with a priority greater than 1000.
    B. Create an egress firewall rule to allow traffic to the CIDR range of the repository with a priority less than 1000.
    C. Create an egress firewall rule to allow traffic to the hostname of the repository with a priority greater than 1000.
    D. Create an egress firewall rule to allow traffic to the hostname of the repository with a priority less than 1000.

  • Question 67:

    You plan to deploy your cloud infrastructure using a CI/CD cluster hosted on Compute Engine. You want to minimize the risk of its credentials being stolen by a third party. What should you do?

    A. Create a dedicated Cloud Identity user account for the cluster. Use a strong self-hosted vault solution to store the user's temporary credentials.
    B. Create a dedicated Cloud Identity user account for the cluster. Enable the constraints/ iam.disableServiceAccountCreation organization policy at the project level.
    C. Create a custom service account for the cluster Enable the constraints/ iam.disableServiceAccountKeyCreation organization policy at the project level.
    D. Create a custom service account for the cluster Enable the constraints/ iam.allowServiceAccountCredentialLifetimeExtension organization policy at the project level.

  • Question 68:

    You are a security engineer at a finance company. Your organization plans to store data on Google Cloud, but your leadership team is worried about the security of their highly sensitive data Specifically, your company is concerned about internal Google employees' ability to access your company's data on Google Cloud. What solution should you propose?

    A. Use customer-managed encryption keys.
    B. Use Google's Identity and Access Management (IAM) service to manage access controls on Google Cloud.
    C. Enable Admin activity logs to monitor access to resources.
    D. Enable Access Transparency logs with Access Approval requests for Google employees.

  • Question 69:

    You define central security controls in your Google Cloud environment for one of the folders in your organization you set an organizational policy to deny the assignment of external IP addresses to VMs. Two days later you receive an alert about a new VM with an external IP address under that folder.

    What could have caused this alert?

    A. The VM was created with a static external IP address that was reserved in the project before the organizational policy rule was set.
    B. The organizational policy constraint wasn't properly enforced and is running in "dry run mode.
    C. At project level, the organizational policy control has been overwritten with an 'allow' value.
    D. The policy constraint on the folder level does not have any effect because of an allow" value for that constraint on the organizational level.

  • Question 70:

    You are running code in Google Kubernetes Engine (GKE) containers in Google Cloud that require access to objects stored in a Cloud Storage bucket. You need to securely grant the Pods access to the bucket while minimizing management overhead. What should you do?

    A. Create a service account. Grant bucket access to the Pods by using Workload Identity Federation for GKE.
    B. Create a service account with keys. Store the keys in Secret Manager with a 30-day rotation schedule. Reference the keys in the Pods.
    C. Create a service account with keys. Store the keys as a Kubernetes secret. Reference the keys in the Pods.
    D. Create a service account with keys. Store the keys in Secret Manager. Reference the keys in the Pods.

Tips on How to Prepare for the Exams

Nowadays, the certification exams become more and more important and required by more and more enterprises when applying for a job. But how to prepare for the exam effectively? How to prepare for the exam in a short time with less efforts? How to get a ideal result and how to find the most reliable resources? Here on Vcedump.com, you will find all the answers. Vcedump.com provide not only Google exam questions, answers and explanations but also complete assistance on your exam preparation and certification application. If you are confused on your PROFESSIONAL-CLOUD-SECURITY-ENGINEER exam preparations and Google certification application, do not hesitate to visit our Vcedump.com to find your solutions here.