Free Google Professional-Cloud-Security-Engineer Exam Questions

Become Google Certified with updated Professional-Cloud-Security-Engineer exam questions and correct answers

Page: 1 / 70

Total 347 Questions | Updated On: Jan 27, 2026

Add To Cart

Question 1

Your organization relies heavily on virtual machines (VMs) in Compute Engine. Due to team growth andresource demands. VM sprawl is becoming problematic. Maintaining consistent security hardening and timelypackage updates poses an increasing challenge. You need to centralize VM image management and automatethe enforcement of security baselines throughout the virtual machine lifecycle. What should you do?

A : Activate Security Command Center Enterprise. Use VM discovery and posture management features tomonitor hardening state and trigger automatic responses upon detection of issues.B. Create a CloudBuild trigger to build a pipeline that generates hardened VM images. Run vulnerability scans in thepipeline, and store images with passing scans in a registry. Use instance templates pointing to thisregistry.

B : Configure the sole-tenancy feature in Compute Engine for all projects. Set up custom organization policies in Policy Controller to restrict the operating systems and image sources that teams are allowed to use.

C : Use VM Manager to automatically distribute and apply patches to VMs across your projects. IntegrateVM Manager with hardened. organization-standard VM images stored in a central repository.

Answer: B

Question 2

You will create a new Service Account that should be able to list the Compute Engine instances in the project.

You want to follow Google-recommended practices.

What should you do?

A : eate an Instance Template, and allow the Service Account Read Only access for the Compute Engine Access Scope.

B : eate a custom role with the permission compute.instances.list and grant the Service Account this role

C : ve the Service Account the role of Compute Viewer, and use the new Service Account for all instances

D : ve the Service Account the role of Project Viewer, and use the new Service Account for all instances.

Answer: B

Question 3

A customer is running an analytics workload on Google Cloud Platform (GCP) where Compute Engine instances are accessing data stored on Cloud Storage. Your team wants to make sure that this workload will not be able to access, or be accessed from, the internet.

Which two strategies should your team use to meet these requirements? (Choose two.)

A : nfigure Private Google Access on the Compute Engine subnet

B : oid assigning public IP addresses to the Compute Engine cluster.

C : ke sure that the Compute Engine cluster is running on a separate subnet.

D : rn off IP forwarding on the Compute Engine instances in the cluster.

E : nfigure a Cloud NAT gateway.

Answer: A,B

Question 4

A company is running their webshop on Google Kubernetes Engine and wants to analyze customer

transactions in BigQuery. You need to ensure that no credit card numbers are stored in BigQuery

What should you do?

A : eate a BigQuery view with regular expressions matching credit card numbers to query and delete affected rows

B : the Cloud Data Loss Prevention API to redact related infoTypes before data is ingested into BigQuery.

C : verage Security Command Center to scan for the assets of type Credit Card Number in BigQuery

D : able Cloud Identity-Aware Proxy to filter out credit card numbers before storing the logs in BigQuery.

Answer: D

Question 5

Your organization is building a real-time recommendation engine using ML models that process live user activity data stored in BigQuery and Cloud Storage. Each new model developed is saved to Artifact Registry. This new system deploys models to Google Kubernetes Engine and uses Pub/Sub for message queues. Recent industry news has been reporting attacks exploiting ML model supply chains. You need to enhance the security in this serverless architecture, specifically against risks to the development and deployment pipeline. What should you do?

A : Limit external libraries and dependencies that are used for the ML models as much as possible. Continuously rotate encryption keys that are used to access the user data from BigQuery and Cloud Storage.

B : Enable container image vulnerability scanning during development and pre-deployment. Enforce Binary Authorization on images deployed from Artifact Registry to your continuous integration and continuous deployment (CI/CD) pipeline.

C : Thoroughly sanitize all training data prior to model development to reduce risk of poisoning attacks. Use IAM for authorization, and apply role-based restrictions to code repositories and cloud services.

D : Develop strict firewall rules to limit external traffic to Cloud Run instances. Integrate intrusion detection systems (IDS) for real-time anomaly detection on Pub/Sub message flows.

Answer: B

Page: 1 / 70

Total 347 Questions | Updated On: Jan 27, 2026

Add To Cart