Free Google Professional-Cloud-Security-Engineer Exam Questions

Become Google Certified with updated Professional-Cloud-Security-Engineer exam questions and correct answers

Page: 1 / 70

Total 347 Questions | Updated On: Mar 12, 2026

Add To Cart

Question 1

Your company has deployed an application on Compute Engine. The application is accessible by clients on port

587. You need to balance the load between the different instances running the application. The connection

should be secured using TLS, and terminated by the Load Balancer.

What type of Load Balancing should you use?

A : twork Load Balancing

B : TP(S) Load Balancing

C : P Proxy Load Balancing

D : L Proxy Load Balancing

Answer: D

Question 2

A patch for a vulnerability has been released and a DevOps team in a healthcare technology company needs to update their running containers in Google Kubernetes Engine (GKE). What steps should the DevOps team take to accomplish this task?

A : Confirm whether auto-upgrade is turned on; if enabled, Google will handle node upgrades within a GKE cluster.

B : Set up the containers to automatically upgrade when the base image becomes available in the Container Registry.

C : Apply a patch or update the application code, construct a new image, and deploy it again.

D : Utilize Puppet or Chef to deploy the necessary patch to the container that's currently running.

Answer: C

Question 3

Your organization is using GitHub Actions as a continuous integration and delivery (Cl/CD) platform. You must enable access to Google Cloud resources from the Cl/CD pipelines in the most secure way. What should you do?

A : eate a service account key and add it to the GitHub pipeline configuration file

B : eate a service account key and add it to the GitHub repository content

C : nfigure a Google Kubernetes Engine cluster that uses Workload Identity to supply credentials to GitHub.

D : nfigure workload identity federation to use GitHub as an identity pool provider.

Answer: D

Question 4

A company has redundant mail servers in different Google Cloud Platform regions and wants to route

customers to the nearest mail server based on location.

How should the company accomplish this?

A : Configure TCP Proxy Load Balancing as a global load balancing service listening on port 995

B : Create a Network Load Balancer to listen on TCP port 995 with a forwarding rule to forward traffic based on location

C : Use Cross-Region Load Balancing with an HTTP(S) load balancer to route traffic to the nearest region.

D : Use Cloud CDN to route the mail traffic to the closest origin mail server based on client IP address.

Answer: A

Question 5

You are on your company's development team. You noticed that your web application hosted in staging on GKE dynamically includes user data in web pages without first properly validating the inputted data. This could allow an attacker to execute gibberish commands and display arbitrary content in a victim user's browser in a production environment.

How should you prevent and fix this vulnerability?

A : Cloud IAP based on IP address or end-user device attributes to prevent and fix the vulnerability.

B : t up an HTTPS load balancer, and then use Cloud Armor for the production environment to prevent the potential XSS attack.

C : Web Security Scanner to validate the usage of an outdated library in the code, and then use a secured version of the included library.

D : Web Security Scanner in staging to simulate an XSS injection attack, and then use a templating system that supports contextual auto-escaping.

Answer: D

Page: 1 / 70

Total 347 Questions | Updated On: Mar 12, 2026

Add To Cart