Google Professional Cloud Security Engineer Google Cloud Certified – Professional Cloud Security Engineer Online Training
Google Professional Cloud Security Engineer Online Training
The questions for Professional Cloud Security Engineer were last updated at Feb 16,2025.
- Exam Code: Professional Cloud Security Engineer
- Exam Name: Google Cloud Certified - Professional Cloud Security Engineer
- Certification Provider: Google
- Latest update: Feb 16,2025
A large e-retailer is moving to Google Cloud Platform with its ecommerce website. The company wants to ensure payment information is encrypted between the customer’s browser and GCP when the customers checkout online.
What should they do?
- A . Configure an SSL Certificate on an L7 Load Balancer and require encryption.
- B . Configure an SSL Certificate on a Network TCP Load Balancer and require encryption.
- C . Configure the firewall to allow inbound traffic on port 443, and block all other inbound traffic.
- D . Configure the firewall to allow outbound traffic on port 443, and block all other outbound traffic.
Applications often require access to “secrets” – small pieces of sensitive data at build or run time. The administrator managing these secrets on GCP wants to keep a track of “who did what, where, and when?” within their GCP projects.
Which two log streams would provide the information that the administrator is looking for? (Choose two.)
- A . Admin Activity logs
- B . System Event logs
- C . Data Access logs
- D . VPC Flow logs
- E . Agent logs
You are in charge of migrating a legacy application from your company datacenters to GCP before the current maintenance contract expires. You do not know what ports the application is using and no documentation is available for you to check. You want to complete the migration without putting your environment at risk.
What should you do?
- A . Migrate the application into an isolated project using a “Lift & Shift” approach. Enable all internal TCP traffic using VPC Firewall rules. Use VPC Flow logs to determine what traffic should be allowed for the
application to work properly. - B . Migrate the application into an isolated project using a “Lift & Shift” approach in a custom network. Disable all traffic within the VPC and look at the Firewall logs to determine what traffic should be allowed for the application to work properly.
- C . Refactor the application into a micro-services architecture in a GKE cluster. Disable all traffic from outside the cluster using Firewall Rules. Use VPC Flow logs to determine what traffic should be allowed for the application to work properly.
- D . Refactor the application into a micro-services architecture hosted in Cloud Functions in an isolated project.
Disable all traffic from outside your project using Firewall Rules. Use VPC Flow logs to determine what traffic should be allowed for the application to work properly.
Your company has deployed an application on Compute Engine. The application is accessible by clients on port 587. You need to balance the load between the different instances running the application. The connection should be secured using TLS, and terminated by the Load Balancer.
What type of Load Balancing should you use?
- A . Network Load Balancing
- B . HTTP(S) Load Balancing
- C . TCP Proxy Load Balancing
- D . SSL Proxy Load Balancing
You want to limit the images that can be used as the source for boot disks. These images will be stored in a dedicated project.
What should you do?
- A . Use the Organization Policy Service to create a compute.trustedimageProjects constraint on the organization level. List the trusted project as the whitelist in an allow operation.
- B . Use the Organization Policy Service to create a compute.trustedimageProjects constraint on the organization level. List the trusted projects as the exceptions in a deny operation.
- C . In Resource Manager, edit the project permissions for the trusted project. Add the organization as member with the role: Compute Image User.
- D . In Resource Manager, edit the organization permissions. Add the project ID as member with the role: Compute Image User.
Your team needs to prevent users from creating projects in the organization. Only the DevOps team should be allowed to create projects on behalf of the requester.
Which two tasks should your team perform to handle this request? (Choose two.)
- A . Remove all users from the Project Creator role at the organizational level.
- B . Create an Organization Policy constraint, and apply it at the organizational level.
- C . Grant the Project Editor role at the organizational level to a designated group of users.
- D . Add a designated group of users to the Project Creator role at the organizational level.
- E . Grant the billing account creator role to the designated DevOps team.
A customer deployed an application on Compute Engine that takes advantage of the elastic nature of cloud computing.
How can you work with Infrastructure Operations Engineers to best ensure that Windows Compute Engine VMs are up to date with all the latest OS patches?
- A . Build new base images when patches are available, and use a CI/CD pipeline to rebuild VMs, deploying incrementally.
- B . Federate a Domain Controller into Compute Engine, and roll out weekly patches via Group Policy Object.
- C . Use Deployment Manager to provision updated VMs into new serving Instance Groups (IGs).
- D . Reboot all VMs during the weekly maintenance window and allow the StartUp Script to download the latest patches from the internet.
Your team needs to make sure that their backend database can only be accessed by the frontend application and no other instances on the network.
How should your team design this network?
- A . Create an ingress firewall rule to allow access only from the application to the database using firewall tags.
- B . Create a different subnet for the frontend application and database to ensure network isolation.
- C . Create two VPC networks, and connect the two networks using Cloud VPN gateways to ensure network isolation.
- D . Create two VPC networks, and connect the two networks using VPC peering to ensure network isolation.
An organization receives an increasing number of phishing emails.
Which method should be used to protect employee credentials in this situation?
- A . Multifactor Authentication
- B . A strict password policy
- C . Captcha on login pages
- D . Encrypted emails
A customer is collaborating with another company to build an application on Compute Engine. The customer is building the application tier in their GCP Organization, and the other company is building the storage tier in a different GCP Organization. This is a 3-tier web application. Communication between portions of the application must not traverse the public internet by any means.
Which connectivity option should be implemented?
- A . VPC peering
- B . Cloud VPN
- C . Cloud Interconnect
- D . Shared VPC
Latest Professional Cloud Security Engineer Dumps Valid Version with 93 Q&As
Latest And Valid Q&A | Instant Download | Once Fail, Full Refund
