
Latest Professional-Cloud-Security-Engineer Actual Free Exam Updated 235 Questions
The Google Professional-Cloud-Security-Engineer certification exam tests the knowledge and skills of professionals who are responsible for the security of applications and infrastructure in the Google Cloud environment. It is one of the most sought-after certifications for cloud security professionals, as it validates their expertise in securing cloud-based applications and data.
The exam evaluates a candidate's proficiency in securing data, applications, and infrastructure on the Google Cloud Platform and is aimed at professionals who design and implement secure cloud solutions there. Passing it validates the candidate's cloud security skills and knowledge and opens up job opportunities in the cloud security domain.
NEW QUESTION # 88
You have an application where the frontend is deployed on a managed instance group in subnet A and the data layer is stored on a MySQL Compute Engine virtual machine (VM) in subnet B on the same VPC. Subnet A and subnet B hold several other Compute Engine VMs. You only want to allow the application frontend to access the data in the application's MySQL instance on port 3306.
What should you do?
- A. Configure an ingress firewall rule that allows communication from the source IP range of subnet A to the tag "data-tag" that is applied to the MySQL Compute Engine VM on port 3306.
- B. Configure an ingress firewall rule that allows communication from the frontend's unique service account to the unique service account of the MySQL Compute Engine VM on port 3306.
- C. Configure a network tag "fe-tag" to be applied to all instances in subnet A and a network tag "data-tag" to be applied to all instances in subnet B. Then configure an egress firewall rule that allows communication from Compute Engine VMs tagged with "data-tag" to destination Compute Engine VMs tagged with "fe-tag".
- D. Configure a network tag "fe-tag" to be applied to all instances in subnet A and a network tag "data-tag" to be applied to all instances in subnet B. Then configure an ingress firewall rule that allows communication from Compute Engine VMs tagged with "fe-tag" to destination Compute Engine VMs tagged with "data-tag".
Answer: B
Explanation:
https://cloud.google.com/sql/docs/mysql/sql-proxy#using-a-service-account
NEW QUESTION # 89
Your team needs to make sure that their backend database can only be accessed by the frontend application and no other instances on the network.
How should your team design this network?
- A. Create two VPC networks, and connect the two networks using Cloud VPN gateways to ensure network isolation.
- B. Create an ingress firewall rule to allow access only from the application to the database using firewall tags.
- C. Create two VPC networks, and connect the two networks using VPC peering to ensure network isolation.
- D. Create a different subnet for the frontend application and database to ensure network isolation.
Answer: B
Explanation:
"However, even though it is possible to use tags for target filtering in this manner, we recommend that you use service accounts where possible. Target tags are not access-controlled and can be changed by someone with the instanceAdmin role while VMs are in service. Service accounts are access-controlled, meaning that a specific user must be explicitly authorized to use a service account. There can only be one service account per instance, whereas there can be multiple tags. Also, service accounts assigned to a VM can only be changed when the VM is stopped."
NEW QUESTION # 90
You are a member of the security team at an organization. Your team has a single GCP project with credit card payment processing systems alongside web applications and data processing systems. You want to reduce the scope of systems subject to PCI audit standards.
What should you do?
- A. Use only applications certified compliant with PA-DSS.
- B. Use VPN for all connections between your office and cloud environments.
- C. Move the cardholder data environment into a separate GCP project.
- D. Use multi-factor authentication for admin access to the web application.
Answer: B
Explanation:
Reference:
https://cloud.google.com/solutions/pci-dss-compliance-in-gcp
NEW QUESTION # 91
Your organization is rolling out a new continuous integration and delivery (CI/CD) process to deploy infrastructure and applications in Google Cloud. Many teams will use their own instances of the CI/CD workflow. It will run on Google Kubernetes Engine (GKE). The CI/CD pipelines must be designed to securely access Google Cloud APIs. What should you do?
- A.
  1. Create service accounts for each deployment pipeline.
  2. Generate private keys for the service accounts.
  3. Securely store the private keys as Kubernetes secrets accessible only by the pods that run the specific deploy pipeline.
- B.
  1. Create two service accounts: one for the infrastructure and one for the application deployment.
  2. Use workload identities to let the pods run the two pipelines and authenticate with the service accounts.
  3. Run the infrastructure and application pipelines in separate namespaces.
- C.
  1. Create a dedicated service account for the CI/CD pipelines.
  2. Run the deployment pipelines in a dedicated node pool in the GKE cluster.
  3. Use the service account that you created as the identity for the nodes in the pool to authenticate to the Google Cloud APIs.
- D.
  1. Create individual service accounts for each deployment pipeline.
  2. Add an identifier for the pipeline in the service account naming convention.
  3. Ensure each pipeline runs on dedicated pods.
  4. Use workload identity to map a deployment pipeline pod to a service account.
Answer: D
NEW QUESTION # 92
A retail customer allows users to upload comments and product reviews. The customer needs to make sure the text does not include sensitive data before the comments or reviews are published.
Which Google Cloud Service should be used to achieve this?
- A. Cloud Data Loss Prevention API
- B. Cloud Security Scanner
- C. Cloud Key Management Service
- D. BigQuery
Answer: A
NEW QUESTION # 93
You're developing the incident response plan for your company. You need to define the access strategy that your DevOps team will use when reviewing and investigating a deployment issue in your Google Cloud environment. There are two main requirements:
* Least-privilege access must be enforced at all times.
* The DevOps team must be able to access the required resources only during the deployment issue.
How should you grant access while following Google-recommended best practices?
- A. Create a service account, and grant it limited list/view permissions. Give the Service Account User role on this service account to the DevOps team.
- B. Assign the Project Viewer Identity and Access Management (IAM) role to the DevOps team.
- C. Create a custom IAM role with limited list/view permissions, and assign it to the DevOps team.
- D. Create a service account, and grant it the Project Owner IAM role. Give the Service Account User role on this service account to the DevOps team.
Answer: A
NEW QUESTION # 94
A customer deploys an application to App Engine and needs to check for Open Web Application Security Project (OWASP) vulnerabilities.
Which service should be used to accomplish this?
- A. Forseti Security
- B. Cloud Security Scanner
- C. Google Cloud Audit Logs
- D. Cloud Armor
Answer: B
Explanation:
Reference:
https://cloud.google.com/security-scanner/
NEW QUESTION # 95
Which international compliance standard provides guidelines for information security controls applicable to the provision and use of cloud services?
- A. ISO 27002
- B. ISO 27017
- C. ISO 27018
- D. ISO 27001
Answer: B
Explanation:
https://cloud.google.com/security/compliance/iso-27017
NEW QUESTION # 96
A customer is running an analytics workload on Google Cloud Platform (GCP) where Compute Engine instances are accessing data stored on Cloud Storage. Your team wants to make sure that this workload will not be able to access, or be accessed from, the internet.
Which two strategies should your team use to meet these requirements? (Choose two.)
- A. Turn off IP forwarding on the Compute Engine instances in the cluster.
- B. Configure a Cloud NAT gateway.
- C. Avoid assigning public IP addresses to the Compute Engine cluster.
- D. Make sure that the Compute Engine cluster is running on a separate subnet.
- E. Configure Private Google Access on the Compute Engine subnet.
Answer: B,C
NEW QUESTION # 98
A customer wants to make it convenient for their mobile workforce to access a CRM web interface that is hosted on Google Cloud Platform (GCP). The CRM can only be accessed by someone on the corporate network. The customer wants to make it available over the internet. Your team requires an authentication layer in front of the application that supports two-factor authentication. Which GCP product should the customer implement to meet these requirements?
- A. Cloud Identity-Aware Proxy
- B. Cloud Endpoints
- C. Cloud VPN
- D. Cloud Armor
Answer: A
Explanation:
Cloud IAP is integrated with Google Sign-In, for which multi-factor authentication can be enabled.
https://cloud.google.com/iap/docs/concepts-overview
NEW QUESTION # 99
When creating a secure container image, which two items should you incorporate into the build if possible? (Choose two.)
- A. Remove any unnecessary tools not needed by the app.
- B. Use public container images as a base image for the app.
- C. Use many container image layers to hide sensitive information.
- D. Ensure that the app does not run as PID 1.
- E. Package a single app as a container.
Answer: A,E
NEW QUESTION # 100
Your company is using Cloud Dataproc for its Spark and Hadoop jobs. You want to be able to create, rotate, and destroy symmetric encryption keys used for the persistent disks used by Cloud Dataproc. Keys can be stored in the cloud.
What should you do?
- A. Use customer-supplied encryption keys to manage the data encryption key (DEK).
- B. Use the Cloud Key Management Service to manage the data encryption key (DEK).
- C. Use the Cloud Key Management Service to manage the key encryption key (KEK).
- D. Use customer-supplied encryption keys to manage the key encryption key (KEK).
Answer: C
Explanation:
This PD and bucket data is encrypted using a Google-generated data encryption key (DEK) and key encryption key (KEK). The CMEK feature allows you to create, use, and revoke the key encryption key (KEK). Google still controls the data encryption key (DEK). For more information on Google data encryption keys, see Encryption at Rest.
https://cloud.google.com/dataproc/docs/concepts/configuring-clusters/customer-managed-encryption
https://codelabs.developers.google.com/codelabs/encrypt-and-decrypt-data-with-cloud-kms#0
NEW QUESTION # 101
Which two implied firewall rules are defined on a VPC network? (Choose two.)
- A. A rule that denies all inbound connections
- B. A rule that allows all inbound port 80 connections
- C. A rule that allows all outbound connections
- D. A rule that blocks all inbound port 25 connections
- E. A rule that blocks all outbound connections
Answer: A,C
Explanation:
Reference:
https://cloud.google.com/vpc/docs/firewalls
NEW QUESTION # 102
In a shared security responsibility model for IaaS, which two layers of the stack does the customer share responsibility for? (Choose two.)
- A. Storage Encryption
- B. Access Policies
- C. Hardware
- D. Network Security
- E. Boot
Answer: A,B
NEW QUESTION # 103
Your team sets up a Shared VPC Network where project co-vpc-prod is the host project. Your team has configured the firewall rules, subnets, and VPN gateway on the host project. They need to enable Engineering Group A to attach a Compute Engine instance to only the 10.1.1.0/24 subnet.
What should your team grant to Engineering Group A to meet this requirement?
- A. Compute Shared VPC Admin Role at the host project level.
- B. Compute Network User Role at the host project level.
- C. Compute Shared VPC Admin Role at the service project level.
- D. Compute Network User Role at the subnet level.
Answer: D
Explanation:
https://cloud.google.com/vpc/docs/shared-vpc#svc_proj_admins
NEW QUESTION # 104
Your organization's record data exists in Cloud Storage. You must retain all record data for at least seven years. This policy must be permanent.
What should you do?
- A.
  1. Identify buckets with record data.
  2. Apply a retention policy and set it to retain for seven years.
  3. Enable bucket lock.
- B.
  1. Identify buckets with record data.
  2. Enable the bucket policy only to ensure that data is retained.
  3. Enable bucket lock.
- C.
  1. Identify buckets with record data.
  2. Apply a retention policy and set it to retain for seven years.
  3. Monitor the bucket by using log-based alerts to ensure that no modifications to the retention policy occur.
- D.
  1. Identify buckets with record data.
  2. Apply a retention policy and set it to retain for seven years.
  3. Remove any Identity and Access Management (IAM) roles that contain the storage buckets update permission.
Answer: A
NEW QUESTION # 106
A customer wants to run a batch processing system on VMs and store the output files in a Cloud Storage bucket. The networking and security teams have decided that no VMs may reach the public internet.
How should this be accomplished?
- A. Create a firewall rule to block internet traffic from the VM.
- B. Enable Private Google Access on the VPC.
- C. Provision a NAT Gateway to access the Cloud Storage API endpoint.
- D. Mount a Cloud Storage bucket as a local filesystem on every VM.
Answer: B
Explanation:
https://cloud.google.com/vpc/docs/private-google-access
NEW QUESTION # 107
An application running on a Compute Engine instance needs to read data from a Cloud Storage bucket. Your team does not allow Cloud Storage buckets to be globally readable and wants to ensure the principle of least privilege.
Which option meets the requirement of your team?
- A. Use a service account with read-only access to the Cloud Storage bucket, and store the credentials to the service account in the config of the application on the Compute Engine instance.
- B. Create a Cloud Storage ACL that allows read-only access from the Compute Engine instance's IP address and allows the application to read from the bucket without credentials.
- C. Encrypt the data in the Cloud Storage bucket using Cloud KMS, and allow the application to decrypt the data with the KMS key.
- D. Use a service account with read-only access to the Cloud Storage bucket to retrieve the credentials from the instance metadata.
Answer: D
Explanation:
If the environment variable GOOGLE_APPLICATION_CREDENTIALS is set, ADC uses the service account key or configuration file that the variable points to. If the environment variable GOOGLE_APPLICATION_CREDENTIALS isn't set, ADC uses the service account that is attached to the resource that is running your code.
https://cloud.google.com/docs/authentication/production#passing_the_path_to_the_service_account_key_in_cod
NEW QUESTION # 108
Your organization wants full control of the keys used to encrypt data at rest in their Google Cloud environments. Keys must be generated and stored outside of Google and integrate with many Google Services including BigQuery.
What should you do?
- A. Use customer-supplied encryption keys (CSEK) with keys generated on trusted external systems. Provide the raw CSEK as part of the API call.
- B. Create a Cloud Key Management Service (KMS) key with imported key material. Wrap the key for protection during import. Import the key generated on a trusted system into Cloud KMS.
- C. Use Cloud External Key Management (EKM) that integrates with an external Hardware Security Module (HSM) system from supported vendors.
- D. Create a KMS key that is stored on a Google-managed FIPS 140-2 Level 3 Hardware Security Module (HSM). Manage the Identity and Access Management (IAM) permission settings, and set up the key rotation period.
Answer: C
Explanation:
Cloud EKM allows you to use encryption keys that are stored and managed in a third-party key management system deployed outside of Google's infrastructure. This gives your organization full control over the keys used to encrypt data at rest in Google Cloud environments, including BigQuery.