Special Summer Sale 70% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: Board70

Professional-Cloud-Security-Engineer Exam Dumps - Google Cloud Certified Questions and Answers

Question # 14

Which two implied firewall rules are defined on a VPC network? (Choose two.)

Options:

A.

A rule that allows all outbound connections

B.

A rule that denies all inbound connections

C.

A rule that blocks all inbound port 25 connections

D.

A rule that blocks all outbound connections

E.

A rule that allows all inbound port 80 connections

Buy Now
Question # 15

Your team needs to make sure that a Compute Engine instance does not have access to the internet or to any Google APIs or services.

Which two settings must remain disabled to meet these requirements? (Choose two.)

Options:

A.

Public IP

B.

IP Forwarding

C.

Private Google Access

D.

Static routes

E.

IAM Network User Role

Buy Now
Question # 16

A customer has 300 engineers. The company wants to grant different levels of access and efficiently manage IAM permissions between users in the development and production environment projects.

Which two steps should the company take to meet these requirements? (Choose two.)

Options:

A.

Create a project with multiple VPC networks for each environment.

B.

Create a folder for each development and production environment.

C.

Create a Google Group for the Engineering team, and assign permissions at the folder level.

D.

Create an Organizational Policy constraint for each folder environment.

E.

Create projects for each environment, and grant IAM rights to each engineering user.

Buy Now
Question # 17

Your organization leverages folders to represent different teams within your Google Cloud environment. To support Infrastructure as Code (IaC) practices, each team receives a dedicated service account upon onboarding. You want to ensure that teams have comprehensive permissions to manage resources within their assigned folders while adhering to the principle of least privilege. You must design the permissions for these team-based service accounts in the most effective way possible. What should you do?​

Options:

A.

Grant each service account the folder administrator role on its respective folder.​

B.

Grant each service account the project creator role at the organization level and use folder-level IAM conditions to restrict project creation to specific folders.​Reddit

C.

Assign each service account the project editor role at the organization level and instruct teams to use IAM bindings at the folder level for fine-grained permissions.​

D.

Assign each service account the folder IAM administrator role on its respective folder to allow teams to create and manage additional custom roles if needed.​

Buy Now
Question # 18

You are working with a client who plans to migrate their data to Google Cloud. You are responsible for recommending an encryption service to manage their encrypted keys. You have the following requirements:

    The master key must be rotated at least once every 45 days.

    The solution that stores the master key must be FIPS 140-2 Level 3 validated.

    The master key must be stored in multiple regions within the US for redundancy.

Which solution meets these requirements?

Options:

A.

Customer-managed encryption keys with Cloud Key Management Service

B.

Customer-managed encryption keys with Cloud HSM

C.

Customer-supplied encryption keys

D.

Google-managed encryption keys

Buy Now
Question # 19

When creating a secure container image, which two items should you incorporate into the build if possible? (Choose two.)

Options:

A.

Ensure that the app does not run as PID 1.

B.

Package a single app as a container.

C.

Remove any unnecessary tools not needed by the app.

D.

Use public container images as a base image for the app.

E.

Use many container image layers to hide sensitive information.

Buy Now
Question # 20

An engineering team is launching a web application that will be public on the internet. The web application is hosted in multiple GCP regions and will be directed to the respective backend based on the URL request.

Your team wants to avoid exposing the application directly on the internet and wants to deny traffic from a specific list of malicious IP addresses

Which solution should your team implement to meet these requirements?

Options:

A.

Cloud Armor

B.

Network Load Balancing

C.

SSL Proxy Load Balancing

D.

NAT Gateway

Buy Now
Question # 21

Your company's users access data in a BigQuery table. You want to ensure they can only access the data during working hours.

What should you do?

Options:

A.

Assign a BigQuery Data Viewer role along with an 1AM condition that limits the access to specified working hours.

B.

Configure Cloud Scheduler so that it triggers a Cloud Functions instance that modifies the organizational policy constraints for BigQuery during the specified working hours.

C.

Assign a BigQuery Data Viewer role to a service account that adds and removes the users daily during the specified working hours

D.

Run a gsuttl script that assigns a BigQuery Data Viewer role, and remove it only during the specified working hours.

Buy Now
Question # 22

Your team uses a service account to authenticate data transfers from a given Compute Engine virtual machine instance of to a specified Cloud Storage bucket. An engineer accidentally deletes the service account, which breaks application functionality. You want to recover the application as quickly as possible without compromising security.

What should you do?

Options:

A.

Temporarily disable authentication on the Cloud Storage bucket.

B.

Use the undelete command to recover the deleted service account.

C.

Create a new service account with the same name as the deleted service account.

D.

Update the permissions of another existing service account and supply those credentials to the applications.

Buy Now
Question # 23

A DevOps team will create a new container to run on Google Kubernetes Engine. As the application will be internet-facing, they want to minimize the attack surface of the container.

What should they do?

Options:

A.

Use Cloud Build to build the container images.

B.

Build small containers using small base images.

C.

Delete non-used versions from Container Registry.

D.

Use a Continuous Delivery tool to deploy the application.

Buy Now
Exam Name: Google Cloud Certified - Professional Cloud Security Engineer
Last Update: Apr 1, 2025
Questions: 249
Professional-Cloud-Security-Engineer pdf

Professional-Cloud-Security-Engineer PDF

$25.5  $84.99
Professional-Cloud-Security-Engineer Engine

Professional-Cloud-Security-Engineer Testing Engine

$28.5  $94.99
Professional-Cloud-Security-Engineer PDF + Engine

Professional-Cloud-Security-Engineer PDF + Testing Engine

$40.5  $134.99