PROFESSIONAL-CLOUD-SECURITY-ENGINEER Exam Details

  • Exam Code
    :PROFESSIONAL-CLOUD-SECURITY-ENGINEER
  • Exam Name
    :Professional Cloud Security Engineer
  • Certification
    :Google Certifications
  • Vendor
    :Google
  • Total Questions
    :324 Q&As
  • Last Updated
    :Jul 15, 2026

Google PROFESSIONAL-CLOUD-SECURITY-ENGINEER Online Questions & Answers

  • Question 81:

    Your development team is launching a new application. The new application has a microservices architecture on Compute Engine instances and serverless components, including Cloud Functions. This application will process financial transactions that require temporary, highly sensitive data in memory. You need to secure data in use during computations with a focus on minimizing the risk of unauthorized access to memory for this financial application. What should you do?

    A. Enable Confidential VM instances for Compute Engine, and ensure that relevant Cloud Functions can leverage hardware-based memory isolation.
    B. Use data masking and tokenization techniques on sensitive financial data fields throughout the application and the application's data processing workflows.
    C. Use the Cloud Data Loss Prevention (Cloud DLP) API to scan and mask sensitive data before feeding the data into any compute environment.
    D. Store all sensitive data during processing in Cloud Storage by using customer-managed encryption keys (CMEK), and set strict bucket-level permissions.

  • Question 82:

    A company allows every employee to use Google Cloud Platform. Each department has a Google Group, with all department members as group members. If a department member creates a new project, all members of that department should automatically have read-only access to all new project resources. Members of any other department should not have access to the project. You need to configure this behavior.

    What should you do to meet these requirements?

    A. Create a Folder per department under the Organization. For each department's Folder, assign the Project Viewer role to the Google Group related to that department.
    B. Create a Folder per department under the Organization. For each department's Folder, assign the Project Browser role to the Google Group related to that department.
    C. Create a Project per department under the Organization. For each department's Project, assign the Project Viewer role to the Google Group related to that department.
    D. Create a Project per department under the Organization. For each department's Project, assign the Project Browser role to the Google Group related to that department.

  • Question 83:

    You are a security administrator at your company. Per Google-recommended best practices, you implemented the domain restricted sharing organization policy to allow only required domains to access your projects. An engineering team is

    now reporting that users at an external partner outside your organization domain cannot be granted access to the resources in a project.

    How should you make an exception for your partner's domain while following the stated best practices?

    A. Turn off the domain restriction sharing organization policy. Set the policy value to "Allow All."
    B. Turn off the domain restricted sharing organization policy. Provide the external partners with the required permissions using Google's Identity and Access Management (IAM) service.
    C. Turn off the domain restricted sharing organization policy. Add each partner's Google Workspace customer ID to a Google group, add the Google group as an exception under the organization policy, and then turn the policy back on.
    D. Turn off the domain restricted sharing organization policy. Set the policy value to "Custom." Add each external partner's Cloud Identity or Google Workspace customer ID as an exception under the organization policy, and then turn the policy back on.

  • Question 84:

    An engineering team is launching a web application that will be public on the internet. The web application is hosted in multiple GCP regions and will be directed to the respective backend based on the URL request.

    Your team wants to avoid exposing the application directly on the internet and wants to deny traffic from a specific list of malicious IP addresses

    Which solution should your team implement to meet these requirements?

    A. Cloud Armor
    B. Network Load Balancing
    C. SSL Proxy Load Balancing
    D. NAT Gateway

  • Question 85:

    You are auditing all your Google Cloud resources in the production project. You want to identity all principals who can change firewall rules. What should you do?

    A. Use Policy Analyzer lo query the permissions compute, firewalls, create of compute, firewalls. Create of compute,firewalls.delete.
    B. Reference the Security Health Analytics - Firewall Vulnerability Findings in the Security Command Center.
    C. Use Policy Analyzer to query the permissions compute, firewalls, get of compute, firewalls, list.
    D. Use Firewall Insights to understand your firewall rules usage patterns.

  • Question 86:

    Your company plans to move most of its IT infrastructure to Google Cloud. They want to leverage their existing on-premises Active Directory as an identity provider for Google Cloud. Which two steps should you take to integrate the company's on-premises Active Directory with Google Cloud and configure access management? (Choose two.)

    A. Use Identity Platform to provision users and groups to Google Cloud.
    B. Use Cloud Identity SAML integration to provision users and groups to Google Cloud.
    C. Install Google Cloud Directory Sync and connect it to Active Directory and Cloud Identity.
    D. Create Identity and Access Management (IAM) roles with permissions corresponding to each Active Directory group.
    E. Create Identity and Access Management (IAM) groups with permissions corresponding to each Active Directory group.

  • Question 87:

    Your organization has applications that run in multiple clouds. The applications require access to a Google Cloud resource running in your project. You must use short-lived access credentials to maintain security across the clouds. What should you do?

    A. Create a managed workload identity. Bind an attested identity to the Compute Engine workload.
    B. Create a service account key. Download the key to each application that requires access to the Google Cloud resource.
    C. Create a workload identity pool with a workload identity provider for each external cloud. Set up a service account and add an IAM binding for impersonation.
    D. Create a VPC firewall rule for ingress traffic with an allowlist of the IP ranges of the external cloud applications.

  • Question 88:

    You have been tasked with implementing external web application protection against common web application attacks for a public application on Google Cloud. You want to validate these policy changes before they are enforced. What service should you use?

    A. Google Cloud Armor's preconfigured rules in preview mode
    B. Prepopulated VPC firewall rules in monitor mode
    C. The inherent protections of Google Front End (GFE)
    D. Cloud Load Balancing firewall rules
    E. VPC Service Controls in dry run mode

  • Question 89:

    Your organization is building a chatbot that is powered by generative AI to deliver automated conversations with internal employees. You must ensure that no data with personally identifiable information (PII) is communicated through the chatbot. What should you do?

    A. Encrypt data at rest for both input and output by using Cloud KMS, and apply least privilege access to the encryption keys.
    B. Discover and transform PII data in both input and output by using the Cloud Data Loss Prevention (Cloud DLP) API.
    C. Prevent PII data exfiltration by using VPC-SC to create a safe scope around your chatbot.
    D. Scan both input and output by using data encryption tools from the Google Cloud Marketplace.

  • Question 90:

    A team at your organization collects logs in an on-premises security information and event management system (SIEM). You must provide a subset of Google Cloud logs for the SIEM, and minimize the risk of data exposure in your cloud environment. What should you do?

    A. Create a new BigQuery dataset. Stream all logs to this dataset. Provide the on-premises SIEM system access to the data in BigQuery by using workload identity federation and let the SIEM team filter for the relevant log data.
    B. Define a log view for the relevant logs. Provide access to the log view to a principal from your on-premises identity provider by using workforce identity federation.
    C. Create a log sink for the relevant logs. Send the logs to Pub/Sub. Retrieve the logs from Pub/Sub and push the logs to the SIEM by using Dataflow.
    D. Filter for the relevant logs. Store the logs in a Cloud Storage bucket. Grant the service account access to the bucket. Provide the service account key to the SIEM team.

Tips on How to Prepare for the Exams

Nowadays, the certification exams become more and more important and required by more and more enterprises when applying for a job. But how to prepare for the exam effectively? How to prepare for the exam in a short time with less efforts? How to get a ideal result and how to find the most reliable resources? Here on Vcedump.com, you will find all the answers. Vcedump.com provide not only Google exam questions, answers and explanations but also complete assistance on your exam preparation and certification application. If you are confused on your PROFESSIONAL-CLOUD-SECURITY-ENGINEER exam preparations and Google certification application, do not hesitate to visit our Vcedump.com to find your solutions here.