Google Professional Cloud Security Engineer Google Cloud Certified – Professional Cloud Security Engineer Online Training
The questions for Professional Cloud Security Engineer were last updated at Feb 18,2025.
- Exam Code: Professional Cloud Security Engineer
- Exam Name: Google Cloud Certified - Professional Cloud Security Engineer
- Certification Provider: Google
- Latest update: Feb 18,2025
A company is backing up application logs to a Cloud Storage bucket shared with both analysts and the administrator. Analysts should only have access to logs that do not contain any personally identifiable information (PII). Log files containing PII should be stored in another bucket that is only accessible by the administrator.
What should you do?
- A . Use Cloud Pub/Sub and Cloud Functions to trigger a Data Loss Prevention scan every time a file is uploaded to the shared bucket. If the scan detects PII, have the function move the file into a Cloud Storage bucket only accessible by the administrator.
- B . Upload the logs to both the shared bucket and the bucket only accessible by the administrator.
Create a job trigger using the Cloud Data Loss Prevention API. Configure the trigger to delete any files from the shared bucket that contain PII.
- C . On the bucket shared with both the analysts and the administrator, configure Object Lifecycle Management to delete objects that contain any PII.
- D . On the bucket shared with both the analysts and the administrator, configure a Cloud Storage Trigger that is only triggered when PII data is uploaded. Use Cloud Functions to capture the trigger and delete such files.
A customer terminates an engineer and needs to make sure the engineer’s Google account is automatically deprovisioned.
What should the customer do?
- A . Use the Cloud SDK with their directory service to remove their IAM permissions in Cloud Identity.
- B . Use the Cloud SDK with their directory service to provision and deprovision users from Cloud Identity.
- C . Configure Cloud Directory Sync with their directory service to provision and deprovision users from Cloud Identity.
- D . Configure Cloud Directory Sync with their directory service to remove their IAM permissions in Cloud Identity.
An organization is evaluating the use of Google Cloud Platform (GCP) for certain IT workloads. A well-established directory service is used to manage user identities and lifecycle management. This directory service must continue for the organization to use as the “source of truth” directory for identities.
Which solution meets the organization’s requirements?
- A . Google Cloud Directory Sync (GCDS)
- B . Cloud Identity
- C . Security Assertion Markup Language (SAML)
- D . Pub/Sub
Which international compliance standard provides guidelines for information security controls applicable to the provision and use of cloud services?
- A . ISO 27001
- B . ISO 27002
- C . ISO 27017
- D . ISO 27018
You will create a new Service Account that should be able to list the Compute Engine instances in the project. You want to follow Google-recommended practices.
What should you do?
- A . Create an Instance Template, and allow the Service Account Read Only access for the Compute Engine Access Scope.
- B . Create a custom role with the permission compute.instances.list and grant the Service Account this role.
- C . Give the Service Account the role of Compute Viewer, and use the new Service Account for all instances.
- D . Give the Service Account the role of Project Viewer, and use the new Service Account for all instances.
In a shared security responsibility model for IaaS, which two layers of the stack does the customer share responsibility for? (Choose two.)
- A . Hardware
- B . Network Security
- C . Storage Encryption
- D . Access Policies
- E . Boot
An organization is starting to move its infrastructure from its on-premises environment to Google Cloud Platform (GCP). The first step the organization wants to take is to migrate its ongoing data backup and disaster recovery solutions to GCP. The organization’s on-premises production environment is going to be the next phase for migration to GCP. Stable networking connectivity between the on-premises environment and GCP is also being implemented.
Which GCP solution should the organization use?
- A . BigQuery using a data pipeline job with continuous updates via Cloud VPN
- B . Cloud Storage using a scheduled task and gsutil via Cloud Interconnect
- C . Compute Engine Virtual Machines using Persistent Disk via Cloud Interconnect
- D . Cloud Datastore using regularly scheduled batch upload jobs via Cloud VPN
What are the steps to encrypt data using envelope encryption?
- A . Generate a data encryption key (DEK) locally. Use a key encryption key (KEK) to wrap the DEK. Encrypt data with the KEK. Store the encrypted data and the wrapped KEK.
- B . Generate a key encryption key (KEK) locally. Use the KEK to generate a data encryption key (DEK). Encrypt data with the DEK. Store the encrypted data and the wrapped DEK.
- C . Generate a data encryption key (DEK) locally. Encrypt data with the DEK. Use a key encryption key (KEK) to wrap the DEK. Store the encrypted data and the wrapped DEK.
- D . Generate a key encryption key (KEK) locally. Generate a data encryption key (DEK) locally. Encrypt data with the KEK. Store the encrypted data and the wrapped DEK.
A customer wants to make it convenient for their mobile workforce to access a CRM web interface that is hosted on Google Cloud Platform (GCP). The CRM can only be accessed by someone on the corporate network. The customer wants to make it available over the internet. Your team requires an authentication layer in front of the application that supports two-factor authentication.
Which GCP product should the customer implement to meet these requirements?
- A . Cloud Identity-Aware Proxy
- B . Cloud Armor
- C . Cloud Endpoints
- D . Cloud VPN
Your company is storing sensitive data in Cloud Storage. You want a key generated on-premises to be used in the encryption process.
What should you do?
- A . Use the Cloud Key Management Service to manage a data encryption key (DEK).
- B . Use the Cloud Key Management Service to manage a key encryption key (KEK).
- C . Use customer-supplied encryption keys to manage the data encryption key (DEK).
- D . Use customer-supplied encryption keys to manage the key encryption key (KEK).