Google Professional Cloud Security Engineer Google Cloud Certified – Professional Cloud Security Engineer Online Training
Google Professional Cloud Security Engineer Online Training
The questions for Professional Cloud Security Engineer were last updated at Feb 10,2025.
- Exam Code: Professional Cloud Security Engineer
- Exam Name: Google Cloud Certified - Professional Cloud Security Engineer
- Certification Provider: Google
- Latest update: Feb 10,2025
An employer wants to track how bonus compensations have changed over time to identify employee outliers and correct earning disparities. This task must be performed without exposing the sensitive compensation data for any individual and must be reversible to identify the outlier.
Which Cloud Data Loss Prevention API technique should you use to accomplish this?
- A . Generalization
- B . Redaction
- C . CryptoHashConfig
- D . CryptoReplaceFfxFpeConfig
An organization adopts Google Cloud Platform (GCP) for application hosting services and needs guidance on setting up password requirements for their Cloud Identity account. The organization has a password policy requirement that corporate employee passwords must have a minimum number of characters.
Which Cloud Identity password guidelines can the organization use to inform their new requirements?
- A . Set the minimum length for passwords to be 8 characters.
- B . Set the minimum length for passwords to be 10 characters.
- C . Set the minimum length for passwords to be 12 characters.
- D . Set the minimum length for passwords to be 6 characters.
You need to follow Google-recommended practices to leverage envelope encryption and encrypt data at the application layer.
What should you do?
- A . Generate a data encryption key (DEK) locally to encrypt the data, and generate a new key encryption key (KEK) in Cloud KMS to encrypt the DEK. Store both the encrypted data and the encrypted DEK.
- B . Generate a data encryption key (DEK) locally to encrypt the data, and generate a new key encryption key (KEK) in Cloud KMS to encrypt the DEK. Store both the encrypted data and the KEK.
- C . Generate a new data encryption key (DEK) in Cloud KMS to encrypt the data, and generate a key encryption key (KEK) locally to encrypt the key. Store both the encrypted data and the encrypted DEK.
- D . Generate a new data encryption key (DEK) in Cloud KMS to encrypt the data, and generate a key encryption key (KEK) locally to encrypt the key. Store both the encrypted data and the KEK.
How should a customer reliably deliver Stackdriver logs from GCP to their on-premises SIEM system?
- A . Send all logs to the SIEM system via an existing protocol such as syslog.
- B . Configure every project to export all their logs to a common BigQuery DataSet, which will be queried by the SIEM system.
- C . Configure Organizational Log Sinks to export logs to a Cloud Pub/Sub Topic, which will be sent to the SIEM via Dataflow.
- D . Build a connector for the SIEM to query for all logs in real time from the GCP RESTful JSON APIs.
In order to meet PCI DSS requirements, a customer wants to ensure that all outbound traffic is authorized.
Which two cloud offerings meet this requirement without additional compensating controls? (Choose two.)
- A . App Engine
- B . Cloud Functions
- C . Compute Engine
- D . Google Kubernetes Engine
- E . Cloud Storage
A website design company recently migrated all customer sites to App Engine. Some sites are still in progress and should only be visible to customers and company employees from any location.
Which solution will restrict access to the in-progress sites?
- A . Upload an .htaccess file containing the customer and employee user accounts to App Engine.
- B . Create an App Engine firewall rule that allows access from the customer and employee networks and denies all other traffic.
- C . Enable Cloud Identity-Aware Proxy (IAP), and allow access to a Google Group that contains the customer and employee user accounts.
- D . Use Cloud VPN to create a VPN connection between the relevant on-premises networks and the company’s GCP Virtual Private Cloud (VPC) network.
When working with agents in a support center via online chat, an organization’s customers often share pictures of their documents with personally identifiable information (PII). The organization that owns the support center is concerned that the PII is being stored in their databases as part of the regular chat logs they retain for review by internal or external analysts for customer service trend analysis.
Which Google Cloud solution should the organization use to help resolve this concern for the customer while still maintaining data utility?
- A . Use Cloud Key Management Service (KMS) to encrypt the PII data shared by customers before storing it for analysis.
- B . Use Object Lifecycle Management to make sure that all chat records with PII in them are discarded and not saved for analysis.
- C . Use the image inspection and redaction actions of the DLP API to redact PII from the images before storing them for analysis.
- D . Use the generalization and bucketing actions of the DLP API solution to redact PII from the texts
before storing them for analysis.
A company’s application is deployed with a user-managed Service Account key. You want to use Google- recommended practices to rotate the key.
What should you do?
- A . Open Cloud Shell and run gcloud iam service-accounts enable-auto-rotate –iam-account=IAM_ACCOUNT.
- B . Open Cloud Shell and run gcloud iam service-accounts keys rotate –iam- account=IAM_ACCOUNT –key=NEW_KEY.
- C . Create a new key, and use the new key in the application. Delete the old key from the Service Account.
- D . Create a new key, and use the new key in the application. Store the old key on the system as a backup key.
Your team needs to configure their Google Cloud Platform (GCP) environment so they can centralize the control over networking resources like firewall rules, subnets, and routes. They also have an on-premises environment where resources need access back to the GCP resources through a private VPN connection. The networking resources will need to be controlled by the network security team.
Which type of networking design should your team use to meet these requirements?
- A . Shared VPC Network with a host project and service projects
- B . Grant Compute Admin role to the networking team for each engineering project
- C . VPC peering between all engineering projects using a hub and spoke model
- D . Cloud VPN Gateway between all engineering projects using a hub and spoke model
An organization is migrating from their current on-premises productivity software systems to G Suite. Some network security controls were in place that were mandated by a regulatory body in their region for their previous on-premises system. The organization’s risk team wants to ensure that network security controls are maintained and effective in G Suite. A security architect supporting this migration has been asked to ensure that network security controls are in place as part of the new shared responsibility model between the organization and Google Cloud.
What solution would help meet the requirements?
- A . Ensure that firewall rules are in place to meet the required controls.
- B . Set up Cloud Armor to ensure that network security controls can be managed for G Suite.
- C . Network security is a built-in solution and Google’s Cloud responsibility for SaaS products like G Suite.
- D . Set up an array of Virtual Private Cloud (VPC) networks to control network security as mandated by the relevant regulation.
Latest Professional Cloud Security Engineer Dumps Valid Version with 93 Q&As
Latest And Valid Q&A | Instant Download | Once Fail, Full Refund
