Google Professional Cloud Security Engineer Google Cloud Certified – Professional Cloud Security Engineer Online Training
Google Professional Cloud Security Engineer Online Training
The questions for Professional Cloud Security Engineer were last updated at Feb 10,2025.
- Exam Code: Professional Cloud Security Engineer
- Exam Name: Google Cloud Certified - Professional Cloud Security Engineer
- Certification Provider: Google
- Latest update: Feb 10,2025
A company allows every employee to use Google Cloud Platform. Each department has a Google Group, with all department members as group members. If a department member creates a new project, all members of that department should automatically have read-only access to all new project resources. Members of any other department should not have access to the project. You need to configure this behavior.
What should you do to meet these requirements?
- A . Create a Folder per department under the Organization. For each department’s Folder, assign the Project Viewer role to the Google Group related to that department.
- B . Create a Folder per department under the Organization. For each department’s Folder, assign the Project Browser role to the Google Group related to that department.
- C . Create a Project per department under the Organization. For each department’s Project, assign the Project Viewer role to the Google Group related to that department.
- D . Create a Project per department under the Organization. For each department’s Project, assign the Project Browser role to the Google Group related to that department.
A customer’s internal security team must manage its own encryption keys for encrypting data on Cloud Storage and decides to use customer-supplied encryption keys (CSEK).
How should the team complete this task?
- A . Upload the encryption key to a Cloud Storage bucket, and then upload the object to the same bucket.
- B . Use the gsutil command line tool to upload the object to Cloud Storage, and specify the location of the encryption key.
- C . Generate an encryption key in the Google Cloud Platform Console, and upload an object to Cloud Storage using the specified key.
- D . Encrypt the object, then use the gsutil command line tool or the Google Cloud Platform Console to upload the object to Cloud Storage.
A customer has 300 engineers. The company wants to grant different levels of access and efficiently manage IAM permissions between users in the development and production environment projects.
Which two steps should the company take to meet these requirements? (Choose two.)
- A . Create a project with multiple VPC networks for each environment.
- B . Create a folder for each development and production environment.
- C . Create a Google Group for the Engineering team, and assign permissions at the folder level.
- D . Create an Organizational Policy constraint for each folder environment.
- E . Create projects for each environment, and grant IAM rights to each engineering user.
You want to evaluate GCP for PCI compliance. You need to identify Google’s inherent controls.
Which document should you review to find the information?
- A . Google Cloud Platform: Customer Responsibility Matrix
- B . PCI DSS Requirements and Security Assessment Procedures
- C . PCI SSC Cloud Computing Guidelines
- D . Product documentation for Compute Engine
Your company runs a website that will store PII on Google Cloud Platform. To comply with data privacy regulations, this data can only be stored for a specific amount of time and must be fully deleted after this specific period. Data that has not yet reached the time period should not be deleted. You want to automate the process of complying with this regulation.
What should you do?
- A . Store the data in a single Persistent Disk, and delete the disk at expiration time.
- B . Store the data in a single BigQuery table and set the appropriate table expiration time.
- C . Store the data in a Cloud Storage bucket, and configure the bucket’s Object Lifecycle Management feature.
- D . Store the data in a single BigTable table and set an expiration time on the column families.
A DevOps team will create a new container to run on Google Kubernetes Engine. As the application will be internet-facing, they want to minimize the attack surface of the container.
What should they do?
- A . Use Cloud Build to build the container images.
- B . Build small containers using small base images.
- C . Delete non-used versions from Container Registry.
- D . Use a Continuous Delivery tool to deploy the application.
While migrating your organization’s infrastructure to GCP, a large number of users will need to access GCP Console. The Identity Management team already has a well-established way to manage your users and want to keep using your existing Active Directory or LDAP server along with the existing SSO password.
What should you do?
- A . Manually synchronize the data in Google domain with your existing Active Directory or LDAP server.
- B . Use Google Cloud Directory Sync to synchronize the data in Google domain with your existing Active Directory or LDAP server.
- C . Users sign in directly to the GCP Console using the credentials from your on-premises Kerberos compliant identity provider.
- D . Users sign in using OpenID (OIDC) compatible IdP, receive an authentication token, then use that token to log in to the GCP Console.
Your company is using GSuite and has developed an application meant for internal usage on Google App Engine. You need to make sure that an external user cannot gain access to the application even when an employee’s password has been compromised.
What should you do?
- A . Enforce 2-factor authentication in GSuite for all users.
- B . Configure Cloud Identity-Aware Proxy for the App Engine Application.
- C . Provision user passwords using GSuite Password Sync.
- D . Configure Cloud VPN between your private network and GCP.
A large financial institution is moving its Big Data analytics to Google Cloud Platform. They want to have maximum control over the encryption process of data stored at rest in BigQuery.
What technique should the institution use?
- A . Use Cloud Storage as a federated Data Source.
- B . Use a Cloud Hardware Security Module (Cloud HSM).
- C . Customer-managed encryption keys (CMEK).
- D . Customer-supplied encryption keys (CSEK).
A company is deploying their application on Google Cloud Platform. Company policy requires long-term data to be stored using a solution that can automatically replicate data over at least two geographic places.
Which Storage solution are they allowed to use?
- A . Cloud Bigtable
- B . Cloud BigQuery
- C . Compute Engine SSD Disk
- D . Compute Engine Persistent Disk
Latest Professional Cloud Security Engineer Dumps Valid Version with 93 Q&As
Latest And Valid Q&A | Instant Download | Once Fail, Full Refund
