Free Google Professional-Cloud-Security-Engineer Exam Questions

Become Google Certified with updated Professional-Cloud-Security-Engineer exam questions and correct answers

Page: 1 / 70

Total 347 Questions | Updated On: Jan 13, 2026

Add To Cart

Question 1

You are a consultant for an organization that is considering migrating their data from its private cloud to Google Cloud. The organization's compliance team is not familiar with Google Cloud and needs guidance on how compliance requirements will be met on Google Cloud. One specific compliance requirement is for customer data at rest to reside within specific geographic boundaries. Which option should you recommend for the organization to meet their data residency requirements on Google Cloud?

A : ganization Policy Service constraints

B : ielded VM instances

C : cess control lists

D : olocation access controls

E : ogle Cloud Armor

Answer: A

Question 2

Your Google Cloud environment has one organization node, one folder named Apps." and several projects within that folder The organizational node enforces the constraints/iam.allowedPolicyMemberDomains organization policy, which allowsmembers from the terramearth.com organization The "Apps" folder enforces the constraints/iam.allowedPolicyMemberDomains organization policy, which allows members from the flowlogistic.com organization. It also has the inheritFromParent: false property. You attempt to grant access to a project in the Apps folder to the user testuser@terramearth.com. What is the result of your action and why?

A : The action fails because a constraints/iam.allowedPolicyMemberDomains organization policy must be defined on the current project to deactivate the constraint temporarily

B : The action fails because a constraints/iam.allowedPolicyMemberDomains organization policy is in place and only members from the flowlogistic.com organization are allowed

C : The action succeeds because members from both organizations, terramearth. com or flowlogistic.com, are allowed on projects in the "Apps" folder

D : The action succeeds and the new member is successfully added to the project's Identity and Access Management (1AM) policy because all policies are inherited by underlying folders and projects.

Answer: B

Question 3

Your organization has an application hosted in Cloud Run. You must control access to the application byusing Cloud Identity-Aware Proxy (IAP) with these requirements:Only users from the AppDev group may have access.Access must be restricted to internal network IP addresses.What should you do?

A : Configure IAP to enforce multi-factor authentication (MFA) for all users and use network intrusiondetection systems (NIDS) to block unauthorized access attempts.

B : Configure firewall rules to limit access to IAP based on the AppDev group and source IP addresses.

C : Create an access level that includes conditions for internal IP address ranges and AppDev groups.Apply this access level to the application's IAP policy.

D : Deploy a VPN gateway and instruct the AppDev group to connect to the company network beforeaccessing the application.

Answer: C

Question 4

You have just created a new log bucket to replace the _Default log bucket. You want to route all log entries that are currently routed to the _Default log bucket to this new log bucket in the most efficient manner. What should you do?

A : Create a user-defined sink with inclusion filters copied from the _Default sink. Select the new log bucket as the sink destination.

B : Create exclusion filters for the _Default sink to prevent it from receiving new logs. Create a userdefined sink, and select the new log bucket as the sink destination.

C : Disable the _Default sink. Create a user-defined sink and select the new log bucket as the sink destination.

D : Edit the _Default sink, and select the new log bucket as the sink destination.

Answer: D

Question 5

You define central security controls in your Google Cloud environment for one of the folders in your organization you set an organizational policy to deny the assignment of external IP addresses to VMs. Two days later you receive an alert about a new VM with an external IP address under that folder. What could have caused this alert?

A : VM was created with a static external IP address that was reserved in the project before the organizational policy rule was set.

B : organizational policy constraint wasn't properly enforced and is running in "dry run mode.

C : project level, the organizational policy control has been overwritten with an 'allow' value.

D : policy constraint on the folder level does not have any effect because of an allow" value for that constraint on the organizational level

Answer: A

Page: 1 / 70

Total 347 Questions | Updated On: Jan 13, 2026

Add To Cart