Special Summer Sale 70% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: Board70

Professional-Cloud-Security-Engineer Exam Dumps - Google Cloud Certified Questions and Answers

Question # 4

What are the steps to encrypt data using envelope encryption?

Options:

A.

Generate a data encryption key (DEK) locally.

Use a key encryption key (KEK) to wrap the DEK. Encrypt data with the KEK.

Store the encrypted data and the wrapped KEK.

B.

Generate a key encryption key (KEK) locally.

Use the KEK to generate a data encryption key (DEK). Encrypt data with the DEK.

Store the encrypted data and the wrapped DEK.

C.

Generate a data encryption key (DEK) locally.

Encrypt data with the DEK.

Use a key encryption key (KEK) to wrap the DEK. Store the encrypted data and the wrapped DEK.

D.

Generate a key encryption key (KEK) locally.

Generate a data encryption key (DEK) locally. Encrypt data with the KEK.

Store the encrypted data and the wrapped DEK.

Buy Now
Question # 5

A company is running their webshop on Google Kubernetes Engine and wants to analyze customer transactions in BigQuery. You need to ensure that no credit card numbers are stored in BigQuery

What should you do?

Options:

A.

Create a BigQuery view with regular expressions matching credit card numbers to query and delete affected rows.

B.

Use the Cloud Data Loss Prevention API to redact related infoTypes before data is ingested into BigQuery.

C.

Leverage Security Command Center to scan for the assets of type Credit Card Number in BigQuery.

D.

Enable Cloud Identity-Aware Proxy to filter out credit card numbers before storing the logs in BigQuery.

Buy Now
Question # 6

You are the security admin of your company. Your development team creates multiple GCP projects under the "implementation" folder for several dev, staging, and production workloads. You want to prevent data exfiltration by malicious insiders or compromised code by setting up a security perimeter. However, you do not want to restrict communication between the projects.

What should you do?

Options:

A.

Use a Shared VPC to enable communication between all projects, and use firewall rules to prevent data exfiltration.

B.

Create access levels in Access Context Manager to prevent data exfiltration, and use a shared VPC for communication between projects.

C.

Use an infrastructure-as-code software tool to set up a single service perimeter and to deploy a Cloud Function that monitors the "implementation" folder via Stackdriver and Cloud Pub/Sub. When the function notices that a new project is added to the folder, it executes Terraform to add the new project to the associated perimeter.

D.

Use an infrastructure-as-code software tool to set up three different service perimeters for dev, staging, and prod and to deploy a Cloud Function that monitors the "implementation" folder via Stackdriver and Cloud Pub/Sub. When the function notices that a new project is added to the folder, it executes Terraform to add the new project to the respective perimeter.

Buy Now
Question # 7

You manage a fleet of virtual machines (VMs) in your organization. You have encountered issues with lack of patching in many VMs. You need to automate regular patching in your VMs and view the patch management data across multiple projects.

What should you do?

Choose 2 answers

Options:

A.

Deploy patches with VM Manager by using OS patch management

B.

View patch management data in VM Manager by using OS patch management.

C.

Deploy patches with Security Command Center by using Rapid Vulnerability Detection.

D.

View patch management data in a Security Command Center dashboard.

E.

View patch management data in Artifact Registry.

Buy Now
Question # 8

Your organization is moving virtual machines (VMs) to Google Cloud. You must ensure that operating system images that are used across your projects are trusted and meet your security requirements.

What should you do?

Options:

A.

Implement an organization policy to enforce that boot disks can only be created from images that come from the trusted image project.

B.

Create a Cloud Function that is automatically triggered when a new virtual machine is created from the trusted image repository Verify that the image is not deprecated.

C.

Implement an organization policy constraint that enables the Shielded VM service on all projects to enforce the trusted image repository usage.

D.

Automate a security scanner that verifies that no common vulnerabilities and exposures (CVEs) are present in your trusted image repository.

Buy Now
Question # 9

Your security team wants to reduce the risk of user-managed keys being mismanaged and compromised. To achieve this, you need to prevent developers from creating user-managed service account keys for projects in their organization. How should you enforce this?

Options:

A.

Configure Secret Manager to manage service account keys.

B.

Enable an organization policy to disable service accounts from being created.

C.

Enable an organization policy to prevent service account keys from being created.

D.

Remove the iam.serviceAccounts.getAccessToken permission from users.

Buy Now
Question # 10

You are a security administrator at your company. Per Google-recommended best practices, you implemented the domain restricted sharing organization policy to allow only required domains to access your projects. An engineering team is now reporting that users at an external partner outside your organization domain cannot be granted access to the resources in a project. How should you make an exception for your partner's domain while following the stated best practices?

Options:

A.

Turn off the domain restriction sharing organization policy. Set the policy value to "Allow All."

B.

Turn off the domain restricted sharing organization policy. Provide the external partners with the required permissions using Google's Identity and Access Management (IAM) service.

C.

Turn off the domain restricted sharing organization policy. Add each partner's Google Workspace customer ID to a Google group, add the Google group as an exception under the organization policy, and then turn the policy back on.

D.

Turn off the domain restricted sharing organization policy. Set the policy value to "Custom." Add each external partner's Cloud Identity or Google Workspace customer ID as an exception under the organization policy, and then turn the policy back on.

Buy Now
Question # 11

Which Google Cloud service should you use to enforce access control policies for applications and resources?

Options:

A.

Identity-Aware Proxy

B.

Cloud NAT

C.

Google Cloud Armor

D.

Shielded VMs

Buy Now
Question # 12

A company migrated their entire data/center to Google Cloud Platform. It is running thousands of instances across multiple projects managed by different departments. You want to have a historical record of what was running in Google Cloud Platform at any point in time.

What should you do?

Options:

A.

Use Resource Manager on the organization level.

B.

Use Forseti Security to automate inventory snapshots.

C.

Use Stackdriver to create a dashboard across all projects.

D.

Use Security Command Center to view all assets across the organization.

Buy Now
Question # 13

Your organization wants full control of the keys used to encrypt data at rest in their Google Cloud environments. Keys must be generated and stored outside of Google and integrate with many Google Services including BigQuery.

What should you do?

Options:

A.

Create a Cloud Key Management Service (KMS) key with imported key material Wrap the key for protection during import. Import the key generated on a trusted system in Cloud KMS.

B.

Create a KMS key that is stored on a Google managed FIPS 140-2 level 3 Hardware Security Module (HSM) Manage the Identity and Access Management (IAM) permissions settings, and set up the key rotation period.

C.

Use Cloud External Key Management (EKM) that integrates with an external Hardware Security Module

(HSM) system from supported vendors.

D.

Use customer-supplied encryption keys (CSEK) with keys generated on trusted external systems Provide the raw CSEK as part of the API call.

Buy Now
Exam Name: Google Cloud Certified - Professional Cloud Security Engineer
Last Update: Mar 31, 2025
Questions: 249
Professional-Cloud-Security-Engineer pdf

Professional-Cloud-Security-Engineer PDF

$25.5  $84.99
Professional-Cloud-Security-Engineer Engine

Professional-Cloud-Security-Engineer Testing Engine

$28.5  $94.99
Professional-Cloud-Security-Engineer PDF + Engine

Professional-Cloud-Security-Engineer PDF + Testing Engine

$40.5  $134.99