Free Google Professional-Cloud-Security-Engineer Exam Questions

Become Google Certified with updated Professional-Cloud-Security-Engineer exam questions and correct answers

Page: 1 / 70

Total 347 Questions | Updated On: Jan 06, 2026

Add To Cart

Question 1

Your organization has an application hosted in Cloud Run. You must control access to the application byusing Cloud Identity-Aware Proxy (IAP) with these requirements:Only users from the AppDev group may have access.Access must be restricted to internal network IP addresses.What should you do?

A : Configure IAP to enforce multi-factor authentication (MFA) for all users and use network intrusiondetection systems (NIDS) to block unauthorized access attempts.

B : Configure firewall rules to limit access to IAP based on the AppDev group and source IP addresses.

C : Create an access level that includes conditions for internal IP address ranges and AppDev groups.Apply this access level to the application's IAP policy.

D : Deploy a VPN gateway and instruct the AppDev group to connect to the company network beforeaccessing the application.

Answer: C

Question 2

You have just created a new log bucket to replace the _Default log bucket. You want to route all log entries that are currently routed to the _Default log bucket to this new log bucket in the most efficient manner. What should you do?

A : Create a user-defined sink with inclusion filters copied from the _Default sink. Select the new log bucket as the sink destination.

B : Create exclusion filters for the _Default sink to prevent it from receiving new logs. Create a userdefined sink, and select the new log bucket as the sink destination.

C : Disable the _Default sink. Create a user-defined sink and select the new log bucket as the sink destination.

D : Edit the _Default sink, and select the new log bucket as the sink destination.

Answer: D

Question 3

Your organization operates a hybrid cloud environment and has recently deployed a private Artifact Registryrepository in Google Cloud. On-premises developers cannot resolve the Artifact Registry hostname andtherefore cannot push or pull artifacts. You've verified the following:Connectivity to Google Cloud is established by Cloud VPN or Cloud Interconnect.No custom DNS configurations exist on-premises.There is no route to the internet from the on-premises network.You need to identify the cause and enable the developers to push and pull artifacts. What is likely causing theissue and what should you do to fix the issue?

A : Artifact Registry requires external HTTP/HTTPS access. Create a new firewall rule allowing ingresstraffic on ports 80 and 443 from the developer's IP ranges.

B : Private Google Access is not enabled for the subnet hosting the Artifact Registry. Enable PrivateGoogle Access for the appropriate subnet.

C : On-premises DNS servers lack the necessary records to resolve private Google API domains. CreateDNS records for restricted.googleapis.com or private.googleapis.com pointing to Google's published IPranges.

D : Developers must be granted the artifactregistry.writer IAM role. Grant the relevant developer group thisrole.

Answer: C

Question 4

An employer wants to track how bonus compensations have changed over time to identify employee outliers

and correct earning disparities. This task must be performed without exposing the sensitive compensation data

for any individual and must be reversible to identify the outlier.

Which Cloud Data Loss Prevention API technique should you use to accomplish this?

A : Generalization

B : Redaction

C : CryptoHashConfig

D : CryptoReplaceFfxFpeConfig

Answer: D

Question 5

You define central security controls in your Google Cloud environment for one of the folders in your organization you set an organizational policy to deny the assignment of external IP addresses to VMs. Two days later you receive an alert about a new VM with an external IP address under that folder. What could have caused this alert?

A : VM was created with a static external IP address that was reserved in the project before the organizational policy rule was set.

B : organizational policy constraint wasn't properly enforced and is running in "dry run mode.

C : project level, the organizational policy control has been overwritten with an 'allow' value.

D : policy constraint on the folder level does not have any effect because of an allow" value for that constraint on the organizational level

Answer: A

Page: 1 / 70

Total 347 Questions | Updated On: Jan 06, 2026

Add To Cart