Google Professional Cloud Security Engineer (Google Cloud Certified – Professional Cloud Security Engineer) Online Training
The questions for Professional Cloud Security Engineer were last updated at Feb 17, 2025.
- Exam Code: Professional Cloud Security Engineer
- Exam Name: Google Cloud Certified - Professional Cloud Security Engineer
- Certification Provider: Google
- Latest update: Feb 17, 2025
Your team wants to make sure Compute Engine instances running in your production project do not have public IP addresses. The frontend application Compute Engine instances will require public IPs.
The product engineers have the Editor role to modify resources. Your team wants to enforce this requirement.
How should your team meet these requirements?
- A . Enable Private Access on the VPC network in the production project.
- B . Remove the Editor role and grant the Compute Admin IAM role to the engineers.
- C . Set up an organization policy to only permit public IPs for the front-end Compute Engine instances.
- D . Set up a VPC network with two subnets: one with public IPs and one without public IPs.
Which two security characteristics are related to the use of VPC peering to connect two VPC networks? (Choose two.)
- A . Central management of routes, firewalls, and VPNs for peered networks
- B . Non-transitive peered networks; where only directly peered networks can communicate
- C . Ability to peer networks that belong to different Google Cloud Platform organizations
- D . Firewall rules that can be created with a tag from one peered network to another peered network
- E . Ability to share specific subnets across peered networks
A patch for a vulnerability has been released, and a DevOps team needs to update their running containers in Google Kubernetes Engine (GKE).
How should the DevOps team accomplish this?
- A . Use Puppet or Chef to push out the patch to the running container.
- B . Verify that auto upgrade is enabled; if so, Google will upgrade the nodes in a GKE cluster.
- C . Update the application code or apply a patch, build a new image, and redeploy it.
- D . Configure containers to automatically upgrade when the base image is available in Container Registry.
A company is running their webshop on Google Kubernetes Engine and wants to analyze customer transactions in BigQuery. You need to ensure that no credit card numbers are stored in BigQuery.
What should you do?
- A . Create a BigQuery view with regular expressions matching credit card numbers to query and delete affected rows.
- B . Use the Cloud Data Loss Prevention API to redact related infoTypes before data is ingested into BigQuery.
- C . Leverage Security Command Center to scan for the assets of type Credit Card Number in BigQuery.
- D . Enable Cloud Identity-Aware Proxy to filter out credit card numbers before storing the logs in BigQuery.
A customer wants to deploy a large number of 3-tier web applications on Compute Engine.
How should the customer ensure authenticated network separation between the different tiers of the application?
- A . Run each tier in its own Project, and segregate using Project labels.
- B . Run each tier with a different Service Account (SA), and use SA-based firewall rules.
- C . Run each tier in its own subnet, and use subnet-based firewall rules.
- D . Run each tier with its own VM tags, and use tag-based firewall rules.
A manager wants to start retaining security event logs for 2 years while minimizing costs. You write a filter to select the appropriate log entries.
Where should you export the logs?
- A . BigQuery datasets
- B . Cloud Storage buckets
- C . StackDriver logging
- D . Cloud Pub/Sub topics
For compliance reasons, an organization needs to ensure that in-scope PCI Kubernetes Pods reside on “in-scope” Nodes only. These Nodes can only contain the “in-scope” Pods.
How should the organization achieve this objective?
- A . Add a nodeSelector field to the pod configuration to only use the Nodes labeled inscope: true.
- B . Create a node pool with the label inscope: true and a Pod Security Policy that only allows the Pods to run on Nodes with that label.
- C . Place a taint on the Nodes with the label inscope: true and effect NoSchedule and a toleration to match in the Pod configuration.
- D . Run all in-scope Pods in the namespace “in-scope-pci”.
In an effort for your company's messaging app to comply with FIPS 140-2, a decision was made to use GCP compute and network services. The messaging app architecture includes a Managed Instance Group (MIG) that controls a cluster of Compute Engine instances. The instances use Local SSDs for data caching and UDP for instance-to-instance communications. The app development team is willing to make any changes necessary to comply with the standard.
Which options should you recommend to meet the requirements?
- A . Encrypt all cache storage and VM-to-VM communication using the BoringCrypto module.
- B . Set Disk Encryption on the Instance Template used by the MIG to customer-managed key and use BoringSSL for all data transit between instances.
- C . Change the app instance-to-instance communications from UDP to TCP and enable BoringSSL on clients’ TLS connections.
- D . Set Disk Encryption on the Instance Template used by the MIG to Google-managed Key and use BoringSSL library on all instance-to-instance communications.
A customer has an analytics workload running on Compute Engine that should have limited internet access.
Your team created an egress firewall rule to deny (priority 1000) all traffic to the internet.
The Compute Engine instances now need to reach out to the public repository to get security updates.
What should your team do?
- A . Create an egress firewall rule to allow traffic to the CIDR range of the repository with a priority greater than 1000.
- B . Create an egress firewall rule to allow traffic to the CIDR range of the repository with a priority less than 1000.
- C . Create an egress firewall rule to allow traffic to the hostname of the repository with a priority greater than 1000.
- D . Create an egress firewall rule to allow traffic to the hostname of the repository with a priority less than 1000.
You want data on Compute Engine disks to be encrypted at rest with keys managed by Cloud Key Management Service (KMS). Cloud Identity and Access Management (IAM) permissions to these keys must be managed in a grouped way because the permissions should be the same for all keys.
What should you do?
- A . Create a single KeyRing for all persistent disks and all Keys in this KeyRing. Manage the IAM permissions at the Key level.
- B . Create a single KeyRing for all persistent disks and all Keys in this KeyRing. Manage the IAM permissions at the KeyRing level.
- C . Create a KeyRing per persistent disk, with each KeyRing containing a single Key. Manage the IAM permissions at the Key level.
- D . Create a KeyRing per persistent disk, with each KeyRing containing a single Key. Manage the IAM permissions at the KeyRing level.