PROFESSIONAL-CLOUD-SECURITY-ENGINEER Exam Details

  • Exam Code
    :PROFESSIONAL-CLOUD-SECURITY-ENGINEER
  • Exam Name
    :Professional Cloud Security Engineer
  • Certification
    :Google Certifications
  • Vendor
    :Google
  • Total Questions
    :324 Q&As
  • Last Updated
    :Jul 15, 2026

Google PROFESSIONAL-CLOUD-SECURITY-ENGINEER Online Questions & Answers

  • Question 71:

    You manage your organization's Security Operations Center (SOC). You currently monitor and detect network traffic anomalies in your VPCs based on network logs. However, you want to explore your environment using network payloads and headers. Which Google Cloud product should you use?

    A. Cloud IDS
    B. VPC Service Controls logs
    C. VPC Flow Logs
    D. Google Cloud Armor
    E. Packet Mirroring

  • Question 72:

    Your organization's use of the Google Cloud has grown substantially and there are many different groups using different cloud resources independently. You must identify common misconfigurations and compliance violations across the organization and track findings for remedial action in a dashboard. What should you do?

    A. Create a filter set in Cloud Asset Inventory to identify service accounts with high privileges and IAM principals with Gmail domains.
    B. Scan and alert vulnerabilities and misconfigurations by using Secure Health Analytics detectors in Security Command Center Premium.
    C. Set up filters on Cloud Audit Logs to flag log entries for specific, risky API calls, and display the calls in a Cloud Log Analytics dashboard.
    D. Alert and track emerging attacks detected in your environment by using Event Threat Detection detectors.

  • Question 73:

    A security audit uncovered several inconsistencies in your project's Identity and Access Management (IAM) configuration. Some service accounts have overly permissive roles, and a few external collaborators have more access than necessary. You need to gain detailed visibility into changes to IAM policies, user activity, service account behavior, and access to sensitive projects. What should you do?

    A. Configure Google Cloud Functions to be triggered by changes to IAM policies. Analyze changes by using the policy simulator, send alerts upon risky modifications, and store event details.
    B. Enable the metrics explorer in Cloud Monitoring to follow the service account authentication events and build alerts linked on it.
    C. Use Cloud Audit Logs. Create log export sinks to send these logs to a security information and event management (SIEM) solution for correlation with other event sources.
    D. Deploy the OS Config Management agent to your VMs. Use OS Config Management to create patch management jobs and monitor system modifications.

  • Question 74:

    Your organization operates in a highly regulated industry and uses multiple Google Cloud services. You need to identify potential risks to regulatory compliance. Which situation introduces the greatest risk?

    A. The security team mandates the use of customer-managed encryption keys (CMEK) for all data classified as sensitive.
    B. Sensitive data is stored in a Cloud Storage bucket with the uniform bucket-level access setting enabled.
    C. The audit team needs access to Cloud Audit Logs related to managed services like BigQuery.
    D. Principals have broad IAM roles allowing the creation and management of Compute Engine VMs without a pre-defined hardening process.

  • Question 75:

    You are in charge of creating a new Google Cloud organization for your company. Which two actions should you take when creating the super administrator accounts? (Choose two.)

    A. Create an access level in the Google Admin console to prevent super admin from logging in to Google Cloud.
    B. Disable any Identity and Access Management (IAM) roles for super admin at the organization level in the Google Cloud Console.
    C. Use a physical token to secure the super admin credentials with multi-factor authentication (MFA).
    D. Use a private connection to create the super admin accounts to avoid sending your credentials over the Internet.
    E. Provide non-privileged identities to the super admin users for their day-to-day activities.

  • Question 76:

    You need to implement an encryption at-rest strategy that reduces key management complexity for non- sensitive data and protects sensitive data while providing the flexibility of controlling the key residency and rotation schedule. FIPS 140-2

    L1 compliance is required for all data types.

    What should you do?

    A. Encrypt non-sensitive data and sensitive data with Cloud External Key Manager.
    B. Encrypt non-sensitive data and sensitive data with Cloud Key Management Service
    C. Encrypt non-sensitive data with Google default encryption, and encrypt sensitive data with Cloud External Key Manager.
    D. Encrypt non-sensitive data with Google default encryption, and encrypt sensitive data with Cloud Key Management Service.

  • Question 77:

    Your application is deployed as a highly available cross-region solution behind a global external HTTP(S) load balancer. You notice significant spikes in traffic from multiple IP addresses but it is unknown whether the IPs are malicious. You are concerned about your application's availability. You want to limit traffic from these clients over a specified time interval.

    What should you do?

    A. Configure a rate_based_ban action by using Google Cloud Armor and set the ban_duration_sec parameter to the specified time interval.
    B. Configure a deny action by using Google Cloud Armor to deny the clients that issued too many requests over the specified time interval.
    C. Configure a throttle action by using Google Cloud Armor to limit the number of requests per client over a specified time interval.
    D. Configure a firewall rule in your VPC to throttle traffic from the identified IP addresses.

  • Question 78:

    As adoption of the Cloud Data Loss Prevention (DLP) API grows within the company, you need to optimize usage to reduce cost. DLP target data is stored in Cloud Storage and BigQuery. The location and region are identified as a suffix in the resource name.

    Which cost reduction options should you recommend?

    A. Set appropriate rowsLimit value on BigQuery data hosted outside the US and set appropriate bytesLimitPerFile value on multiregional Cloud Storage buckets.
    B. Set appropriate rowsLimit value on BigQuery data hosted outside the US, and minimize transformation units on multiregional Cloud Storage buckets.
    C. Use rowsLimit and bytesLimitPerFile to sample data and use CloudStorageRegexFileSet to limit scans.
    D. Use FindingLimits and TimespanContfig to sample data and minimize transformation units.

  • Question 79:

    Your organization wants to be General Data Protection Regulation (GDPR) compliant. You want to ensure that your DevOps teams can only create Google Cloud resources in the Europe regions.

    What should you do?

    A. Use Identity-Aware Proxy (IAP) with Access Context Manager to restrict the location of Google Cloud resources.
    B. Use the org policy constraint 'Google Cloud Platform - Resource Location Restriction' on your Google Cloud organization node.
    C. Use the org policy constraint 'Restrict Resource Service Usage' on your Google Cloud organization node.
    D. Use Identity and Access Management (IAM) custom roles to ensure that your DevOps team can only create resources in the Europe regions.

  • Question 80:

    You are managing a Google Cloud environment that is organized into folders that represent different teams. These teams need the flexibility to modify organization policies relevant to their work. You want to grant the teams the necessary permissions while upholding Google-recommended security practices and minimizing administrative complexity. What should you do?

    A. Create a custom IAM role with the organization policy administrator permission and grant the permission to each team's folder. Limit policy modifications based on folder names within the custom role's definition.
    B. Assign the organization policy administrator role to a central service account and provide teams with the credentials to use the service account when needed.
    C. Create an organization-level tag. Attach the tag to relevant folders. Use an IAM condition to restrict the organization policy administrator role to resources with that tag.
    D. Grant each team the organization policy administrator role at the organization level.

Tips on How to Prepare for the Exams

Nowadays, the certification exams become more and more important and required by more and more enterprises when applying for a job. But how to prepare for the exam effectively? How to prepare for the exam in a short time with less efforts? How to get a ideal result and how to find the most reliable resources? Here on Vcedump.com, you will find all the answers. Vcedump.com provide not only Google exam questions, answers and explanations but also complete assistance on your exam preparation and certification application. If you are confused on your PROFESSIONAL-CLOUD-SECURITY-ENGINEER exam preparations and Google certification application, do not hesitate to visit our Vcedump.com to find your solutions here.