
[2022] Pass Google Professional-Cloud-Security-Engineer Exam Updated 178 Questions
Get 2022 Updated Free Google Professional-Cloud-Security-Engineer Exam Questions and Answers
Preparation Options
You do not need to search far for study materials: everything you need is on the official Google Cloud certification site. The most effective way to study for the Professional Cloud Security Engineer exam is to follow the Security Engineer learning path on the vendor's platform, a series of courses and hands-on labs covering each exam domain. You will learn cloud security best practices and how the Google Cloud security model helps you protect your technology stack.
The official platform also points learners to additional resources such as the Google Cloud documentation and Google Cloud solutions. At the end of your preparation, use the official sample questions to evaluate your readiness for the exam.
Target Audience
The intended candidates are cloud security engineers proficient in several areas of cloud security: defining organizational policy and structure, managing identity and access, using Google technologies to protect data, configuring network security defenses, collecting and analyzing Google Cloud logs, managing incident response, and understanding regulatory concerns.
NEW QUESTION 105
You are in charge of migrating a legacy application from your company datacenters to GCP before the current maintenance contract expires. You do not know what ports the application is using and no documentation is available for you to check. You want to complete the migration without putting your environment at risk.
What should you do?
- A. Migrate the application into an isolated project using a "Lift & Shift" approach in a custom network. Disable all traffic within the VPC and look at the Firewall logs to determine what traffic should be allowed for the application to work properly.
- B. Refactor the application into a micro-services architecture in a GKE cluster. Disable all traffic from outside the cluster using Firewall Rules. Use VPC Flow logs to determine what traffic should be allowed for the application to work properly.
- C. Refactor the application into a micro-services architecture hosted in Cloud Functions in an isolated project. Disable all traffic from outside your project using Firewall Rules. Use VPC Flow logs to determine what traffic should be allowed for the application to work properly.
- D. Migrate the application into an isolated project using a "Lift & Shift" approach. Enable all internal TCP traffic using VPC Firewall rules. Use VPC Flow logs to determine what traffic should be allowed for the application to work properly.
Answer: A
Explanation:
A lift-and-shift into an isolated project and custom VPC keeps the migration inside the contract deadline and contains the unknown application. With a deny-all rule that has Firewall Rules Logging enabled, every connection the application attempts shows up as a DENIED entry, which tells you exactly which protocols and ports to allow explicitly. B and C refactor the application, which is out of scope for a time-boxed migration; D opens all internal TCP traffic, which is the risk you are trying to avoid.
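The approach in option A, worked through as an added example (this code is not part of the original page or of any Google tool): a deny-all ingress rule with logging enabled is left in place, the DENIED entries are aggregated by protocol and destination port, and the result is rendered as the allow rules to add. The log entries are constructed to match the jsonPayload shape of Firewall Rules Logging (connection.src_ip/src_port/dest_ip/dest_port/protocol, disposition, rule_details.reference), with the protocol as its IANA number. Network name, tag name, IPs and rule names are placeholders.

```python
"""Derive the allowlist a legacy application needs from Firewall Rules Logging.

Added example, not from the original page. A deny-all ingress rule with logging
enabled records every connection the application tries to accept; aggregating
the DENIED entries by protocol and destination port shows which rules to add.
The protocol field is the IANA number (6 = TCP, 17 = UDP, 1 = ICMP).
"""
from collections import defaultdict

PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp"}
DENY_RULE = "network:legacy-vpc/firewall:deny-all-ingress-log"   # placeholder name
IAP_RULE = "network:legacy-vpc/firewall:allow-ssh-from-iap"      # placeholder name


def _entry(disposition, src_ip, dest_ip, protocol, dest_port=None, src_port=None, rule=DENY_RULE):
    """Build one constructed log entry (ICMP entries carry no ports)."""
    conn = {"src_ip": src_ip, "dest_ip": dest_ip, "protocol": protocol}
    if src_port is not None:
        conn["src_port"] = src_port
    if dest_port is not None:
        conn["dest_port"] = dest_port
    return {"jsonPayload": {"disposition": disposition, "connection": conn,
                            "rule_details": {"reference": rule}}}


# Constructed sample: 10.10.0.9 is the legacy app server, 10.10.0.20 its database.
SAMPLE_LOG = [
    _entry("DENIED", "10.10.0.5", "10.10.0.9", 6, dest_port=8080, src_port=51234),
    _entry("DENIED", "10.10.0.6", "10.10.0.9", 6, dest_port=8080, src_port=52001),
    _entry("DENIED", "10.10.0.5", "10.10.0.9", 6, dest_port=8080, src_port=51235),  # repeat
    _entry("DENIED", "10.10.0.9", "10.10.0.20", 6, dest_port=1521, src_port=44010),
    _entry("DENIED", "10.10.0.5", "10.10.0.9", 1),                                  # ICMP, no ports
    _entry("ALLOWED", "35.235.240.10", "10.10.0.9", 6, dest_port=22, src_port=40001, rule=IAP_RULE),
    _entry("DENIED", "10.10.0.77", "10.10.0.30", 6, dest_port=3389, src_port=61000),  # unrelated host
]


def denied_flows(entries):
    """Yield (protocol_name, dest_port_or_None, dest_ip, src_ip) for DENIED entries only."""
    for entry in entries:
        payload = entry["jsonPayload"]
        if payload.get("disposition") != "DENIED":
            continue
        conn = payload["connection"]
        proto = PROTO_NAMES.get(conn["protocol"], str(conn["protocol"]))
        yield proto, conn.get("dest_port"), conn["dest_ip"], conn["src_ip"]


def required_ports(entries, app_ips):
    """Map (proto, dest_port) -> sorted source IPs that tried to reach the app hosts.

    Traffic to hosts outside app_ips is noise (scans, other workloads) and is ignored.
    """
    needed = defaultdict(set)
    for proto, port, dest_ip, src_ip in denied_flows(entries):
        if dest_ip in app_ips:
            needed[(proto, port)].add(src_ip)
    return {key: sorted(srcs) for key, srcs in needed.items()}


def allow_rule_commands(needed, network, target_tag, priority=900):
    """Render one gcloud command per (proto, port); strings only, nothing is executed.

    Sources are emitted as /32s straight from the log; collapse them to the real
    subnet ranges before applying, and keep the logged deny-all rule in place below.
    """
    cmds = []
    for (proto, port), sources in sorted(needed.items(), key=lambda kv: (kv[0][0], kv[0][1] or 0)):
        rule = proto if port is None else f"{proto}:{port}"
        name = f"allow-{target_tag}-{proto}-{'any' if port is None else port}"
        cmds.append(
            f"gcloud compute firewall-rules create {name} --network={network}"
            f" --direction=INGRESS --action=ALLOW --priority={priority} --rules={rule}"
            f" --source-ranges={','.join(s + '/32' for s in sources)} --target-tags={target_tag}"
        )
    return cmds


if __name__ == "__main__":
    needed = required_ports(SAMPLE_LOG, {"10.10.0.9", "10.10.0.20"})
    for cmd in allow_rule_commands(needed, "legacy-vpc", "legacy-app"):
        print(cmd)
```

Run it over a real export (`gcloud logging read ... --format=json`) rather than the constructed list, and review the resulting commands before applying them: a DENIED entry only proves that something tried to connect, not that the connection was legitimate, so port-scan noise toward the application hosts still has to be filtered by hand.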
NEW QUESTION 106
Your company requires the security and network engineering teams to identify all network anomalies within and across VPCs, internal traffic from VMs to VMs, traffic between end locations on the internet and VMs, and traffic between VMs to Google Cloud services in production. Which method should you use?
- A. Configure packet mirroring policies.
- B. Define an organization policy constraint.
- C. Monitor and analyze Cloud Audit Logs.
- D. Enable VPC Flow Logs on the subnet.
Answer: D
NEW QUESTION 107
Your team needs to configure their Google Cloud Platform (GCP) environment so they can centralize the control over networking resources like firewall rules, subnets, and routes. They also have an on-premises environment where resources need access back to the GCP resources through a private VPN connection. The networking resources will need to be controlled by the network security team.
Which type of networking design should your team use to meet these requirements?
- A. VPC peering between all engineering projects using a hub and spoke model
- B. Grant Compute Admin role to the networking team for each engineering project
- C. Cloud VPN Gateway between all engineering projects using a hub and spoke model
- D. Shared VPC Network with a host project and service projects
Answer: D
Explanation:
https://cloud.google.com/docs/enterprise/best-practices-for-enterprise-organizations#centralize_network_control
NEW QUESTION 108
A customer's company has multiple business units. Each business unit operates independently, and each has their own engineering group. Your team wants visibility into all projects created within the company and wants to organize their Google Cloud Platform (GCP) projects based on different business units. Each business unit also requires separate sets of IAM permissions.
Which strategy should you use to meet these needs?
- A. Create an organization node, and assign folders for each business unit.
- B. Assign GCP resources in a VPC for each business unit to separate network access.
- C. Establish standalone projects for each business unit, using gmail.com accounts.
- D. Assign GCP resources in a project, with a label identifying which business unit owns the resource.
Answer: A
NEW QUESTION 109
You are responsible for protecting highly sensitive data in BigQuery. Your operations teams need access to this data, but given privacy regulations, you want to ensure that they cannot read the sensitive fields such as email addresses and first names. These specific sensitive fields should only be available on a need-to-know basis to the HR team. What should you do?
- A. Perform data inspection with the DLP API and store that data in BigQuery for later use.
- B. Perform data masking with the DLP API and store that data in BigQuery for later use.
- C. Perform tokenization for Pseudonymization with the DLP API and store that data in BigQuery for later use.
- D. Perform data redaction with the DLP API and store that data in BigQuery for later use.
Answer: C
Explanation:
Inspection (A) only finds sensitive fields; it does not protect them. Masking (B) and redaction (D) are irreversible, so the HR team would lose access to the values too. Tokenization with a reversible Cloud DLP transform (format-preserving or deterministic encryption keyed through Cloud KMS) pseudonymizes the fields for the operations team while letting the HR team, who hold access to the key, re-identify them on a need-to-know basis.
Reference: https://towardsdatascience.com/bigquery-pii-and-cloud-data-loss-prevention-dlp-take-it-to-the-next-level-with-data-catalog-c47c31bcf677
NEW QUESTION 110
Your team uses a service account to authenticate data transfers from a given Compute Engine virtual machine instance to a specified Cloud Storage bucket. An engineer accidentally deletes the service account, which breaks application functionality. You want to recover the application as quickly as possible without compromising security.
What should you do?
- A. Update the permissions of another existing service account and supply those credentials to the applications.
- B. Use the undelete command to recover the deleted service account.
- C. Create a new service account with the same name as the deleted service account.
- D. Temporarily disable authentication on the Cloud Storage bucket.
Answer: B
Explanation:
A deleted service account can be undeleted within 30 days, using its numeric unique ID rather than its email; undeleting also restores its IAM role bindings. Creating a new account with the same name (C) produces a different identity with a different unique ID, so existing bindings do not apply to it. A and D widen access instead of restoring the intended identity.
Reference:
https://cloud.google.com/iam/docs/creating-managing-service-accounts#undeleting_a_service_account
NEW QUESTION 111
A customer is collaborating with another company to build an application on Compute Engine. The customer is building the application tier in their GCP Organization, and the other company is building the storage tier in a different GCP Organization. This is a 3-tier web application. Communication between portions of the application must not traverse the public internet by any means.
Which connectivity option should be implemented?
- A. Shared VPC
- B. Cloud VPN
- C. VPC peering
- D. Cloud Interconnect
Answer: C
Explanation:
VPC Network Peering connects VPC networks in different projects and different organizations, and the traffic stays on Google's network. Cloud VPN tunnels are encrypted but run over the public internet, which the requirement rules out. Shared VPC is limited to a single organization, and Cloud Interconnect connects on-premises networks to Google Cloud, not two VPC networks.
NEW QUESTION 112
Your team needs to make sure that a Compute Engine instance does not have access to the internet or to any Google APIs or services.
Which two settings must remain disabled to meet these requirements? (Choose two.)
- A. IP Forwarding
- B. Private Google Access
- C. Static routes
- D. IAM Network User Role
- E. Public IP
Answer: B,E
Explanation:
Without an external IP the instance cannot reach the internet directly, and with Private Google Access disabled on its subnet it cannot reach Google APIs and services from its internal IP either. IP forwarding and static routes do not by themselves grant either kind of access.
https://cloud.google.com/vpc/docs/configure-private-google-access
NEW QUESTION 113
You are part of a security team that wants to ensure that a Cloud Storage bucket in Project A can only be readable from Project B.
You also want to ensure that data in the Cloud Storage bucket cannot be accessed from or copied to Cloud Storage buckets outside the network, even if the user has the correct credentials.
What should you do?
- A. Enable Domain Restricted Sharing Organization Policy and Bucket Policy Only on the Cloud Storage bucket.
- B. Enable VPC Service Controls, create a perimeter with Project A and B, and include Cloud Storage service.
- C. Enable VPC Peering between Project A and B networks with strict firewall rules to allow communication between the networks.
- D. Enable Private Access in Project A and B networks with strict firewall rules to allow communication between the networks.
Answer: B
Explanation:
A VPC Service Controls perimeter containing Project A and Project B with the Cloud Storage API restricted blocks reads from, and copies to, buckets outside the perimeter even when the caller holds valid credentials. Domain restricted sharing and uniform bucket-level access (A) constrain who can be granted IAM roles; they do not stop an authorized identity from copying data out. VPC peering and Private Google Access (C, D) are network connectivity settings and do not constrain the Cloud Storage API.
NEW QUESTION 114
An organization is starting to move its infrastructure from its on-premises environment to Google Cloud Platform (GCP). The first step the organization wants to take is to migrate its current data backup and disaster recovery solutions to GCP for later analysis. The organization's production environment will remain on-premises for an indefinite time. The organization wants a scalable and cost-efficient solution.
Which GCP solution should the organization use?
- A. BigQuery using a data pipeline job with continuous updates
- B. Cloud Storage using a scheduled task and gsutil
- C. Cloud Datastore using regularly scheduled batch upload jobs
- D. Compute Engine Virtual Machines using Persistent Disk
Answer: B
Explanation:
Cloud Storage is the scalable, cost-efficient target for backups (a storage class such as Nearline or Coldline matches the access pattern), and a scheduled gsutil job handles the transfer from on-premises. BigQuery and Datastore are not backup targets, and persistent disks require running VMs.
NEW QUESTION 115
You are the Security Admin in your company. You want to synchronize all security groups that have an email address from your LDAP directory in Cloud IAM.
What should you do?
- A. Use a management tool to sync the subset based on the email address attribute. Create a group in the Google domain. A group created in a Google domain will automatically have an explicit Google Cloud Identity and Access Management (IAM) role.
- B. Configure Google Cloud Directory Sync to sync security groups using LDAP search rules that have "user email address" as the attribute to facilitate one-way sync.
- C. Use a management tool to sync the subset based on group object class attribute. Create a group in the Google domain. A group created in a Google domain will automatically have an explicit Google Cloud Identity and Access Management (IAM) role.
- D. Configure Google Cloud Directory Sync to sync security groups using LDAP search rules that have "user email address" as the attribute to facilitate bidirectional sync.
Answer: B
NEW QUESTION 116
A customer's internal security team must manage its own encryption keys for encrypting data on Cloud Storage and decides to use customer-supplied encryption keys (CSEK).
How should the team complete this task?
- A. Generate an encryption key in the Google Cloud Platform Console, and upload an object to Cloud Storage using the specified key.
- B. Upload the encryption key to a Cloud Storage bucket, and then upload the object to the same bucket.
- C. Use the gsutil command line tool to upload the object to Cloud Storage, and specify the location of the encryption key.
- D. Encrypt the object, then use the gsutil command line tool or the Google Cloud Platform Console to upload the object to Cloud Storage.
Answer: C
Explanation:
With customer-supplied encryption keys the customer supplies the AES-256 key and Cloud Storage performs the encryption server-side; gsutil passes the key with the request (from the .boto configuration or a -o override). D describes client-side encryption, not CSEK. Keys cannot be generated in the console (A), and storing the key in a bucket (B) defeats the purpose. Cloud Storage retains only a SHA-256 hash of the key, so a lost key makes the object unrecoverable.
Reference:
https://cloud.google.com/storage/docs/encryption/customer-supplied-keys
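How a CSEK is generated, validated and supplied to gsutil, as an added example (this code is not from the original page or from Google's tooling): the key is 32 random bytes, base64-encoded; Cloud Storage encrypts server-side with it and keeps only its SHA-256, which it reports back as the object's customerEncryption.keySha256. Bucket and file names are placeholders, and the all-zero key is a test vector only.

```python
"""Customer-supplied encryption keys (CSEK) for Cloud Storage.

Added example, not from the original page. With CSEK the client does NOT encrypt
the object itself: gsutil sends the raw AES-256 key to Cloud Storage in the
x-goog-encryption-key header (inside the TLS session) and the service encrypts
server-side. Cloud Storage keeps only the SHA-256 of the key (returned as
x-goog-encryption-key-sha256 / customerEncryption.keySha256) so it can verify
that later reads present the same key.
"""
import base64
import hashlib
import secrets

KEY_BYTES = 32  # AES-256
# All-zero key: a known-answer test vector, never to be used for real data.
ZERO_KEY_B64 = base64.b64encode(bytes(KEY_BYTES)).decode("ascii")


def generate_csek() -> str:
    """Fresh random 256-bit key, base64-encoded the way gsutil/.boto expect it."""
    return base64.b64encode(secrets.token_bytes(KEY_BYTES)).decode("ascii")


def decode_key(key_b64: str) -> bytes:
    """Decode a CSEK and reject anything that is not exactly 32 raw bytes."""
    raw = base64.b64decode(key_b64, validate=True)  # binascii.Error is a ValueError
    if len(raw) != KEY_BYTES:
        raise ValueError(f"CSEK must decode to {KEY_BYTES} bytes, got {len(raw)}")
    return raw


def is_valid_csek(key_b64: str) -> bool:
    """True when the string is standard base64 of exactly 32 bytes."""
    try:
        decode_key(key_b64)
        return True
    except ValueError:
        return False


def key_sha256_b64(key_b64: str) -> str:
    """Base64 SHA-256 of the raw key: the only key material Cloud Storage retains,
    and the value to compare against an object's customerEncryption.keySha256."""
    return base64.b64encode(hashlib.sha256(decode_key(key_b64)).digest()).decode("ascii")


def boto_config(key_b64: str, old_keys=()) -> str:
    """[GSUtil] section for ~/.boto. decryption_keyN entries keep objects written
    under rotated-out keys readable; gsutil picks the one whose hash matches."""
    lines = ["[GSUtil]", f"encryption_key = {key_b64}"]
    for i, old in enumerate(old_keys, start=1):
        lines.append(f"decryption_key{i} = {old}")
    return "\n".join(lines) + "\n"


def upload_command(key_b64: str, local_path: str, bucket: str) -> str:
    """One-off form: pass the key as a gsutil -o override instead of editing
    ~/.boto. Nothing is executed here; the command string is returned."""
    return f'gsutil -o "GSUtil:encryption_key={key_b64}" cp {local_path} gs://{bucket}/'


if __name__ == "__main__":
    key = generate_csek()
    print(boto_config(key))
    print(upload_command(key, "./backup.tar", "example-csek-bucket"))
    print("keySha256 Cloud Storage will report:", key_sha256_b64(key))
```

Rotating a CSEK means rewriting each object under the new key (gsutil rewrite -k); until that is done the old key stays in the configuration as a decryption_keyN entry. Keep the keys themselves in a secret store, not in a shared .boto file.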
NEW QUESTION 117
A customer is running an analytics workload on Google Cloud Platform (GCP) where Compute Engine instances are accessing data stored on Cloud Storage. Your team wants to make sure that this workload will not be able to access, or be accessed from, the internet.
Which two strategies should your team use to meet these requirements? (Choose two.)
- A. Turn off IP forwarding on the Compute Engine instances in the cluster.
- B. Configure Private Google Access on the Compute Engine subnet
- C. Configure a Cloud NAT gateway.
- D. Avoid assigning public IP addresses to the Compute Engine cluster.
- E. Make sure that the Compute Engine cluster is running on a separate subnet.
Answer: B,D
Explanation:
Without external IP addresses the instances are neither reachable from nor able to reach the internet; Private Google Access on the subnet lets these internal-IP-only instances still reach Cloud Storage. A Cloud NAT gateway (C) would give them outbound internet access, the opposite of the requirement; IP forwarding and subnet placement (A, E) do not affect internet reachability.
NEW QUESTION 118
You are on your company's development team. You noticed that your web application hosted in staging on GKE dynamically includes user data in web pages without first properly validating the inputted data. This could allow an attacker to execute arbitrary script and display arbitrary content in a victim user's browser in a production environment.
How should you prevent and fix this vulnerability?
- A. Use Web Security Scanner to validate the usage of an outdated library in the code, and then use a secured version of the included library.
- B. Use Cloud IAP based on IP address or end-user device attributes to prevent and fix the vulnerability.
- C. Set up an HTTPS load balancer, and then use Cloud Armor for the production environment to prevent the potential XSS attack.
- D. Use Web Security Scanner in staging to simulate an XSS injection attack, and then use a templating system that supports contextual auto-escaping.
Answer: D
Explanation:
Reference:
https://cloud.google.com/security-scanner/docs/remediate-findings
NEW QUESTION 119
An organization is starting to move its infrastructure from its on-premises environment to Google Cloud Platform (GCP). The first step the organization wants to take is to migrate its ongoing data backup and disaster recovery solutions to GCP. The organization's on-premises production environment is going to be the next phase for migration to GCP. Stable networking connectivity between the on-premises environment and GCP is also being implemented.
Which GCP solution should the organization use?
- A. BigQuery using a data pipeline job with continuous updates via Cloud VPN
- B. Cloud Datastore using regularly scheduled batch upload jobs via Cloud VPN
- C. Cloud Storage using a scheduled task and gsutil via Cloud Interconnect
- D. Compute Engines Virtual Machines using Persistent Disk via Cloud Interconnect
Answer: C
Explanation:
https://cloud.google.com/solutions/migration-to-google-cloud-building-your-foundation
NEW QUESTION 120
A company migrated their entire data center to Google Cloud Platform. It is running thousands of instances across multiple projects managed by different departments. You want to have a historical record of what was running in Google Cloud Platform at any point in time.
What should you do?
- A. Use Forseti Security to automate inventory snapshots.
- B. Use Resource Manager on the organization level.
- C. Use Stackdriver to create a dashboard across all projects.
- D. Use Security Command Center to view all assets across the organization.
Answer: A
Explanation:
Of the options, only Forseti Security keeps both past and present (i.e. historical) records of resources: its inventory module snapshots the organization's resources on a schedule. Security Command Center and Stackdriver dashboards show current state only. Forseti is a legacy open-source tool; on current Google Cloud the equivalent is Cloud Asset Inventory, which keeps asset history and can export snapshots to BigQuery. https://forsetisecurity.org/about/
NEW QUESTION 121
An organization is evaluating the use of Google Cloud Platform (GCP) for certain IT workloads. A well- established directory service is used to manage user identities and lifecycle management. This directory service must continue for the organization to use as the "source of truth" directory for identities.
Which solution meets the organization's requirements?
- A. Security Assertion Markup Language (SAML)
- B. Google Cloud Directory Sync (GCDS)
- C. Cloud Identity
- D. Pub/Sub
Answer: B
Explanation:
Google Cloud Directory Sync performs a one-way sync from the existing LDAP or Active Directory into Cloud Identity, so the existing directory remains the source of truth for identities and lifecycle. SAML (A) handles authentication, not account provisioning; Cloud Identity alone (C) would make Google the source of truth; Pub/Sub (D) is unrelated.
Reference: https://cloud.google.com/solutions/federating-gcp-with-active-directory-introduction
NEW QUESTION 122
An organization is starting to move its infrastructure from its on-premises environment to Google Cloud Platform (GCP). The first step the organization wants to take is to migrate its ongoing data backup and disaster recovery solutions to GCP. The organization's on-premises production environment is going to be the next phase for migration to GCP. Stable networking connectivity between the on-premises environment and GCP is also being implemented.
Which GCP solution should the organization use?
- A. Cloud Storage using a scheduled task and gsutil via Cloud Interconnect
- B. Cloud Datastore using regularly scheduled batch upload jobs via Cloud VPN
- C. BigQuery using a data pipeline job with continuous updates via Cloud VPN
- D. Compute Engines Virtual Machines using Persistent Disk via Cloud Interconnect
Answer: A
Explanation:
Cloud Storage with a scheduled gsutil job is the backup target; with stable connectivity being implemented, Cloud Interconnect carries the backup traffic. This is the same scenario as question 119 with the options reordered.
NEW QUESTION 123
You recently joined the networking team supporting your company's Google Cloud implementation. You are tasked with familiarizing yourself with the firewall rules configuration and providing recommendations based on your networking and Google Cloud experience. What product should you recommend to detect firewall rules that are overlapped by attributes from other firewall rules with higher or equal priority?
- A. VPC Flow Logs
- B. Firewall Rules Logging
- C. Security Command Center
- D. Firewall Insights
Answer: D
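What "shadowed" means in practice, as an added example (not from the original page and not Firewall Insights' own code): a rule is shadowed when every combination of its IP range and protocol/port is already matched by rules of the same direction with higher or equal priority (a lower or equal number), so it can never take effect. The check below models VPC firewall rules with tag-based targets only (no service-account targets, no hierarchical firewall policies), checks coverage per range-and-protocol component, and runs against a constructed rule set that includes the two implied rules from question 125.

```python
"""Find VPC firewall rules shadowed by rules of higher or equal priority.

Added example, not from the original page: a simplified, offline version of the
check Firewall Insights performs. Rules whose components are all covered by
higher-or-equal-priority rules of the same direction are reported together with
the rules that cover them. Rule set and names below are constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

PortRange = Optional[Tuple[int, int]]  # None = every port of that protocol
ALL_TARGETS = None                      # rule without target tags applies to all instances


@dataclass(frozen=True)
class Rule:
    name: str
    priority: int                                  # 0 highest ... 65535 lowest (implied rules)
    direction: str                                 # "INGRESS" | "EGRESS"
    action: str                                    # "ALLOW" | "DENY"
    ranges: Tuple[str, ...]                        # source ranges (ingress) / destination ranges (egress)
    protocols: Tuple[Tuple[str, PortRange], ...]   # ("tcp", (80, 80)), ("all", None), ...
    target_tags: Optional[Tuple[str, ...]] = ALL_TARGETS


def _range_covered(rng: str, covering: Tuple[str, ...]) -> bool:
    net = ipaddress.ip_network(rng, strict=False)
    for c in covering:
        cnet = ipaddress.ip_network(c, strict=False)
        if cnet.version == net.version and net.subnet_of(cnet):
            return True
    return False


def _proto_covered(proto: str, ports: PortRange, covering) -> bool:
    for cproto, cports in covering:
        if cproto not in ("all", proto):
            continue
        if cports is None:                      # "all" or whole protocol: covers any port range
            return True
        if ports is not None and cports[0] <= ports[0] and ports[1] <= cports[1]:
            return True
    return False


def _targets_covered(tags, covering_tags) -> bool:
    if covering_tags is ALL_TARGETS:            # covering rule applies to every instance
        return True
    if tags is ALL_TARGETS:                     # shadowed rule is broader than the covering one
        return False
    return set(tags) <= set(covering_tags)


def shadowing_rules(rule: Rule, rules: List[Rule]) -> List[str]:
    """Names of the rules that together shadow `rule`, or [] if it can still match."""
    candidates = [r for r in rules
                  if r is not rule and r.direction == rule.direction and r.priority <= rule.priority]
    used = set()
    for rng in rule.ranges:
        for proto, ports in rule.protocols:
            covering = [c.name for c in candidates
                        if _range_covered(rng, c.ranges)
                        and _proto_covered(proto, ports, c.protocols)
                        and _targets_covered(rule.target_tags, c.target_tags)]
            if not covering:
                return []                       # this component can still match: not shadowed
            used.update(covering)
    return sorted(used)


def find_shadowed(rules: List[Rule]) -> Dict[str, List[str]]:
    result = {}
    for r in rules:
        by = shadowing_rules(r, rules)
        if by:
            result[r.name] = by
    return result


# Constructed rule set. The two implied rules exist on every VPC network at priority 65535.
SAMPLE_RULES = [
    Rule("implied-deny-ingress", 65535, "INGRESS", "DENY", ("0.0.0.0/0",), (("all", None),)),
    Rule("implied-allow-egress", 65535, "EGRESS", "ALLOW", ("0.0.0.0/0",), (("all", None),)),
    Rule("deny-ssh-from-internet", 900, "INGRESS", "DENY", ("0.0.0.0/0",), (("tcp", (22, 22)),)),
    Rule("allow-internal", 1000, "INGRESS", "ALLOW", ("10.128.0.0/9",),
         (("tcp", (0, 65535)), ("udp", (0, 65535)), ("icmp", None))),
    Rule("allow-web-tag", 1000, "INGRESS", "ALLOW", ("0.0.0.0/0",),
         (("tcp", (80, 80)), ("tcp", (443, 443))), ("web",)),
    Rule("allow-ssh-iap", 1000, "INGRESS", "ALLOW", ("35.235.240.0/20",), (("tcp", (22, 22)),)),
    Rule("allow-monitoring", 1000, "INGRESS", "ALLOW", ("10.128.0.0/9",), (("udp", (161, 161)),), ("net",)),
    Rule("allow-db-from-app", 1100, "INGRESS", "ALLOW", ("10.128.10.0/24",), (("tcp", (5432, 5432)),), ("db",)),
    Rule("allow-web-from-lb", 1200, "INGRESS", "ALLOW", ("130.211.0.0/22", "35.191.0.0/16"),
         (("tcp", (80, 80)),), ("web",)),
]
RULES_BY_NAME = {r.name: r for r in SAMPLE_RULES}

if __name__ == "__main__":
    for name, by in find_shadowed(SAMPLE_RULES).items():
        print(f"{name} ({RULES_BY_NAME[name].action}) is shadowed by {', '.join(by)}")
```

Two kinds of finding come out of this. A rule shadowed by rules with the same action (allow-db-from-app under allow-internal) is merely redundant, but it also shows that the broad rule grants far more than the narrow one intended. A rule shadowed by the opposite action (allow-ssh-iap under deny-ssh-from-internet) is the one that breaks something: here the broad deny at priority 900 blocks IAP TCP forwarding, and the fix is to give the IAP allow a lower priority number than the deny.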
NEW QUESTION 125
Which two implied firewall rules are defined on a VPC network? (Choose two.)
- A. A rule that blocks all inbound port 25 connections
- B. A rule that denies all inbound connections
- C. A rule that allows all outbound connections
- D. A rule that blocks all outbound connections
- E. A rule that allows all inbound port 80 connections
Answer: B,C
NEW QUESTION 126
While migrating your organization's infrastructure to GCP, a large number of users will need to access GCP Console. The Identity Management team already has a well-established way to manage your users and want to keep using your existing Active Directory or LDAP server along with the existing SSO password.
What should you do?
- A. Use Google Cloud Directory Sync to synchronize the data in Google domain with your existing Active Directory or LDAP server.
- B. Users sign in directly to the GCP Console using the credentials from your on-premises Kerberos compliant identity provider.
- C. Manually synchronize the data in Google domain with your existing Active Directory or LDAP server.
- D. Users sign in using OpenID (OIDC) compatible IdP, receive an authentication token, then use that token to log in to the GCP Console.
Answer: A
NEW QUESTION 127
......
What is the test fee for the Google Professional Cloud Security Engineer Exam?
- The cost of the Google Professional Cloud Security Engineer Exam is $200.
Verified Professional-Cloud-Security-Engineer exam dumps Q&As with Correct 178 Questions and Answers: https://lead2pass.testvalid.com/Professional-Cloud-Security-Engineer-valid-exam-test.html