Free Google Professional-Cloud-Security-Engineer Exam Questions

Become Google Certified with updated Professional-Cloud-Security-Engineer exam questions and correct answers

Page: 1 / 60

Total 299 Questions | Updated On: Nov 10, 2025

Add To Cart

Question 1

You have just created a new log bucket to replace the _Default log bucket. You want to route all log entries that are currently routed to the _Default log bucket to this new log bucket in the most efficient manner. What should you do?

A : Create a user-defined sink with inclusion filters copied from the _Default sink. Select the new log bucket as the sink destination.

B : Create exclusion filters for the _Default sink to prevent it from receiving new logs. Create a userdefined sink, and select the new log bucket as the sink destination.

C : Disable the _Default sink. Create a user-defined sink and select the new log bucket as the sink destination.

D : Edit the _Default sink, and select the new log bucket as the sink destination.

Answer: D

Question 2

Your organization is building a real-time recommendation engine using ML models that process live user activity data stored in BigQuery and Cloud Storage. Each new model developed is saved to Artifact Registry. This new system deploys models to Google Kubernetes Engine and uses Pub/Sub for message queues. Recent industry news has been reporting attacks exploiting ML model supply chains. You need to enhance the security in this serverless architecture, specifically against risks to the development and deployment pipeline. What should you do?

A : Limit external libraries and dependencies that are used for the ML models as much as possible. Continuously rotate encryption keys that are used to access the user data from BigQuery and Cloud Storage.

B : Enable container image vulnerability scanning during development and pre-deployment. Enforce Binary Authorization on images deployed from Artifact Registry to your continuous integration and continuous deployment (CI/CD) pipeline.

C : Thoroughly sanitize all training data prior to model development to reduce risk of poisoning attacks. Use IAM for authorization, and apply role-based restrictions to code repositories and cloud services.

D : Develop strict firewall rules to limit external traffic to Cloud Run instances. Integrate intrusion detection systems (IDS) for real-time anomaly detection on Pub/Sub message flows.

Answer: B

Question 3

Your company's users access data in a BigQuery table. You want to ensure they can only access the data during working hours. What should you do?

A : Assign a BigQuery Data Viewer role along with an 1AM condition that limits the access to specified working hours.

B : Configure Cloud Scheduler so that it triggers a Cloud Functions instance that modifies the organizational policy constraints for BigQuery during the specified working hours.

C : Assign a BigQuery Data Viewer role to a service account that adds and removes the users daily during the specified working hours

D : Run a gsuttl script that assigns a BigQuery Data Viewer role, and remove it only during the specified working hours.

Answer: A

Question 4

A company is running workloads in a dedicated server room. They must only be accessed from within the

private company network. You need to connect to these workloads from Compute Engine instances within a

Google Cloud Platform project.

Which two approaches can you take to meet the requirements? (Choose two.)

A : Configure the project with Cloud VPN.

B : Configure the project with Shared VPC.

C : Configure the project with Cloud Interconnect.

D : Configure the project with VPC peering.

E : Configure all Compute Engine instances with Private Access.

Answer: A,C

Question 5

What type of networking design should an electric vehicle manufacturer company use on Google Cloud Platform (GCP) to centralize control over networking resources like firewall rules, subnets, and routes, and allow on-premises resources access back to GCP resources through a private VPN connection while enabling the network security team to control the networking resources?

A : Implementing a hub and spoke model for VPC peering across all engineering projects.

B : Implement a hub and spoke model by creating a Cloud VPN Gateway that connects all engineering projects.

C : The networking team should be given Compute Admin role for every engineering project.

D : A Shared VPC Network consists of a host project and multiple service projects.

Answer: D

Page: 1 / 60

Total 299 Questions | Updated On: Nov 10, 2025

Add To Cart