Free Google Professional-Cloud-Security-Engineer Exam Questions

Become Google Certified with updated Professional-Cloud-Security-Engineer exam questions and correct answers

Page: 1 / 60

Total 299 Questions | Updated On: Nov 25, 2025

Add To Cart

Question 1

You are a member of your company's security team. You have been asked to reduce your Linux bastion host external attack surface by removing all public IP addresses. Site Reliability Engineers (SREs) require access to the bastion host from public locations so they can access the internal VPC while off-site. How should you enable this access?

A : plement Cloud VPN for the region where the bastion host lives.

B : Implement OS Login with 2-step verification for the bastion host.

C : Implement Identity-Aware Proxy TCP forwarding for the bastion host.

D : plement Google Cloud Armor in front of the bastion host.

Answer: C

Question 2

A customer has 300 engineers. The company wants to grant different levels of access and efficiently manage

IAM permissions between users in the development and production environment projects.

Which two steps should the company take to meet these requirements? (Choose two.)

A : Create a project with multiple VPC networks for each environment.

B : Create a folder for each development and production environment.

C : Create a Google Group for the Engineering team, and assign permissions at the folder level.

D : Create an Organizational Policy constraint for each folder environment.

E : Create projects for each environment, and grant IAM rights to each engineering user.

Answer: B,C

Question 3

You are on your company's development team. You noticed that your web application hosted in staging on GKE dynamically includes user data in web pages without first properly validating the inputted data. This could allow an attacker to execute gibberish commands and display arbitrary content in a victim user's browser in a production environment.

How should you prevent and fix this vulnerability?

A : Cloud IAP based on IP address or end-user device attributes to prevent and fix the vulnerability.

B : t up an HTTPS load balancer, and then use Cloud Armor for the production environment to prevent the potential XSS attack.

C : Web Security Scanner to validate the usage of an outdated library in the code, and then use a secured version of the included library.

D : Web Security Scanner in staging to simulate an XSS injection attack, and then use a templating system that supports contextual auto-escaping.

Answer: D

Question 4

Your company plans to move most of its IT infrastructure to Google Cloud. They want to leverage their existing on-premises Active Directory as an identity provider for Google Cloud. Which two steps should you take to integrate the company's on-premises Active Directory with Google Cloud and configure access management? (Choose two.)

A : Use Identity Platform to provision users and groups to Google Cloud.

B : Use Cloud Identity SAML integration to provision users and groups to Google Cloud.

C : Install Google Cloud Directory Sync and connect it to Active Directory and Cloud Identity.

D : Create Identity and Access Management (IAM) roles with permissions corresponding to each Active Directory group.

E : Create Identity and Access Management (IAM) groups with permissions corresponding to each Active Directory group.

Answer: C,E

Question 5

Your organization is building a real-time recommendation engine using ML models that process live user activity data stored in BigQuery and Cloud Storage. Each new model developed is saved to Artifact Registry. This new system deploys models to Google Kubernetes Engine and uses Pub/Sub for message queues. Recent industry news has been reporting attacks exploiting ML model supply chains. You need to enhance the security in this serverless architecture, specifically against risks to the development and deployment pipeline. What should you do?

A : Limit external libraries and dependencies that are used for the ML models as much as possible. Continuously rotate encryption keys that are used to access the user data from BigQuery and Cloud Storage.

B : Enable container image vulnerability scanning during development and pre-deployment. Enforce Binary Authorization on images deployed from Artifact Registry to your continuous integration and continuous deployment (CI/CD) pipeline.

C : Thoroughly sanitize all training data prior to model development to reduce risk of poisoning attacks. Use IAM for authorization, and apply role-based restrictions to code repositories and cloud services.

D : Develop strict firewall rules to limit external traffic to Cloud Run instances. Integrate intrusion detection systems (IDS) for real-time anomaly detection on Pub/Sub message flows.

Answer: B

Page: 1 / 60

Total 299 Questions | Updated On: Nov 25, 2025

Add To Cart