[Q43-Q67] 2023 Updated Professional-Cloud-Security-Engineer Tests Engine pdf - All Free Dumps Guaranteed!


Latest Google Cloud Certified Professional-Cloud-Security-Engineer Actual Free Exam Questions


The Google Professional Cloud Security Engineer certification exam tests a candidate's ability to implement and manage security controls on Google Cloud. It covers identity and access management, data protection, network security, logging and compliance. The exam consists of multiple-choice and multiple-select questions, many of them scenario-based, and lasts two hours. Google does not publish a passing score, so the "70%" figure sometimes quoted by dump sites is unofficial.

NEW QUESTION # 43
A customer wants to run a batch processing system on VMs and store the output files in a Cloud Storage bucket. The networking and security teams have decided that no VMs may reach the public internet.
How should this be accomplished?

  • A. Create a firewall rule to block internet traffic from the VM.
  • B. Mount a Cloud Storage bucket as a local filesystem on every VM.
  • C. Enable Private Google Access on the VPC.
  • D. Provision a NAT Gateway to access the Cloud Storage API endpoint.

Answer: C

Explanation:
https://cloud.google.com/vpc/docs/private-google-access
Private Google Access is enabled per subnet. VMs in that subnet that have only internal IP addresses can still reach the Cloud Storage API (and other Google APIs) without an external IP, a NAT gateway or an internet route. A firewall rule alone (A) blocks the internet but also blocks the API calls the batch job needs; mounting the bucket as a filesystem (B) still requires API reachability; Cloud NAT (D) gives the VMs a path to the public internet, which is exactly what the policy forbids.


NEW QUESTION # 44
You are responsible for managing your company's identities in Google Cloud. Your company enforces 2-Step Verification (2SV) for all users. You need to reset a user's access, but the user lost their second factor for 2SV. You want to minimize risk. What should you do?

  • A. On the Google Admin console, temporarily disable the 2SV requirements for all users. Ask the user to log in and add their new second factor to their account. Re-enable the 2SV requirement for all users.
  • B. On the Google Admin console, use a super administrator account to reset the user account's credentials. Ask the user to update their credentials after their first login.
  • C. On the Google Admin console, select the appropriate user account, and generate a backup code to allow the user to sign in. Ask the user to update their second factor.
  • D. On the Google Admin console, select the appropriate user account, and temporarily disable 2SV for this account. Ask the user to update their second factor, and then re-enable 2SV for this account.

Answer: C

Explanation:
https://support.google.com/a/answer/9176734
"Use backup codes for account recovery. If you need to recover an account, use backup codes. Accounts are still protected by 2-Step Verification, and backup codes are easy to generate."
A backup code is itself a second factor, so verify the user's identity out of band before issuing one, and have the user enrol a new factor immediately. Disabling 2SV for everyone (A) or for the account (D), or resetting the credentials (B), removes protection from the account at the moment it is most exposed.


NEW QUESTION # 45
An employer wants to track how bonus compensations have changed over time to identify employee outliers and correct earning disparities. This task must be performed without exposing the sensitive compensation data for any individual and must be reversible to identify the outlier.
Which Cloud Data Loss Prevention API technique should you use to accomplish this?

  • A. CryptoReplaceFfxFpeConfig
  • B. Generalization
  • C. Redaction
  • D. CryptoHashConfig

Answer: A

Explanation:
https://cloud.google.com/dlp/docs/deidentify-sensitive-data
Cloud Data Loss Prevention (DLP) de-identifies sensitive data in text content, including text stored in container structures such as tables. It detects sensitive data such as PII and then applies a de-identification transformation to mask, delete or otherwise obscure it, for example:
  • masking, by partially or fully replacing characters with a symbol such as an asterisk (*) or hash (#);
  • replacing each instance with a token, or surrogate, string;
  • encrypting and replacing the value using a randomly generated or pre-determined key.
Only the cryptographic transformations are reversible: data de-identified with CryptoReplaceFfxFpeConfig (format-preserving encryption) or CryptoDeterministicConfig can be re-identified by whoever holds the CryptoKey used to de-identify it, which is what "reversible to identify the outlier" requires. CryptoHashConfig is a one-way keyed hash, and generalization and redaction discard information, so none of those can be reversed.


NEW QUESTION # 46
You have noticed an increased number of phishing attacks across your enterprise user accounts. You want to implement the Google 2-Step Verification (2SV) option that uses a cryptographic signature to authenticate a user and verify the URL of the login page. Which Google 2SV option should you use?

  • A. Titan Security Keys
  • B. Google prompt
  • C. Google Authenticator app
  • D. Cloud HSM keys

Answer: A

Explanation:
https://cloud.google.com/titan-security-key
Security keys use public key cryptography to verify a user's identity and the URL of the login page, so an attacker cannot use the credentials even if you are tricked into entering your username and password on a phishing site: the FIDO challenge is signed together with the origin, and a signature produced for a look-alike domain is rejected by the real one. Google prompt and the Authenticator app do not bind the second factor to the page URL, and Cloud HSM protects server-side keys, not user sign-in.


NEW QUESTION # 47
Your company has deployed an application on Compute Engine. The application is accessible by clients on port 587. You need to balance the load between the different instances running the application. The connection should be secured using TLS, and terminated by the Load Balancer.
What type of Load Balancing should you use?

  • A. Network Load Balancing
  • B. SSL Proxy Load Balancing
  • C. HTTP(S) Load Balancing
  • D. TCP Proxy Load Balancing

Answer: B

Explanation:
https://cloud.google.com/load-balancing/docs/ssl
SSL Proxy Load Balancing is a reverse-proxy load balancer that distributes SSL traffic coming from the internet to VM instances in your VPC network and terminates TLS at the proxy. Port 587 is not HTTP, so HTTP(S) Load Balancing does not apply; TCP Proxy and Network Load Balancing pass the TLS session through to the backends instead of terminating it.


NEW QUESTION # 49
You are the security admin of your company. Your development team creates multiple GCP projects under the "implementation" folder for several dev, staging, and production workloads. You want to prevent data exfiltration by malicious insiders or compromised code by setting up a security perimeter. However, you do not want to restrict communication between the projects.
What should you do?

  • A. Use an infrastructure-as-code software tool to set up three different service perimeters for dev, staging, and prod and to deploy a Cloud Function that monitors the "implementation" folder via Stackdriver and Cloud Pub/Sub. When the function notices that a new project is added to the folder, it executes Terraform to add the new project to the respective perimeter.
  • B. Use an infrastructure-as-code software tool to set up a single service perimeter and to deploy a Cloud Function that monitors the "implementation" folder via Stackdriver and Cloud Pub/Sub. When the function notices that a new project is added to the folder, it executes Terraform to add the new project to the associated perimeter.
  • C. Create access levels in Access Context Manager to prevent data exfiltration, and use a shared VPC for communication between projects.
  • D. Use a Shared VPC to enable communication between all projects, and use firewall rules to prevent data exfiltration.

Answer: B

Explanation:
https://cloud.google.com/vpc-service-controls/docs/overview#benefits
https://github.com/terraform-google-modules/terraform-google-vpc-service-controls/tree/master/examples/autom
A VPC Service Controls perimeter blocks API-level movement of data out of the projects it contains, which is the exfiltration path that firewall rules (D) and access levels on their own (C) do not cover. Putting all projects in one perimeter (B) keeps dev, staging and prod able to call each other's services, whereas three separate perimeters (A) would block that traffic. The Cloud Function adds newly created projects to the perimeter automatically so that they never sit unprotected.


NEW QUESTION # 50
An organization is starting to move its infrastructure from its on-premises environment to Google Cloud Platform (GCP). The first step the organization wants to take is to migrate its current data backup and disaster recovery solutions to GCP for later analysis. The organization's production environment will remain on-premises for an indefinite time. The organization wants a scalable and cost-efficient solution.
Which GCP solution should the organization use?

  • A. Cloud Storage using a scheduled task and gsutil
  • B. Cloud Datastore using regularly scheduled batch upload jobs
  • C. BigQuery using a data pipeline job with continuous updates
  • D. Compute Engine Virtual Machines using Persistent Disk

Answer: A

Explanation:
https://cloud.google.com/solutions/dr-scenarios-planning-guide#use-cloud-storage-as-part-of-your-daily-backup-routine


NEW QUESTION # 51
Your team wants to make sure Compute Engine instances running in your production project do not have public IP addresses. The frontend application Compute Engine instances will require public IPs. The product engineers have the Editor role to modify resources. Your team wants to enforce this requirement.
How should your team meet these requirements?

  • A. Set up an organization policy to only permit public IPs for the front-end Compute Engine instances.
  • B. Set up a VPC network with two subnets: one with public IPs and one without public IPs.
  • C. Remove the Editor role and grant the Compute Admin IAM role to the engineers.
  • D. Enable Private Access on the VPC network in the production project.

Answer: A

Explanation:
https://cloud.google.com/resource-manager/docs/organization-policy/org-policy-constraints
The organization policy constraint constraints/compute.vmExternalIpAccess takes an allow list of VM instances that may have external IP addresses; every other instance in the project is denied one, regardless of the caller's IAM role. Subnets (B) do not control external IPs, removing Editor (C) still leaves Compute Admin able to assign them, and Private Google Access (D) only affects API reachability.


NEW QUESTION # 52
Your company recently published a security policy to minimize the usage of service account keys. On-premises Windows-based applications are interacting with Google Cloud APIs. You need to implement Workload Identity Federation (WIF) with your identity provider on-premises.
What should you do?

  • A. Set up a workload identity pool with your corporate Active Directory Federation Service (ADFS). Configure a rule to let principals in the pool impersonate the Google Cloud service account.
  • B. Set up a workload identity pool with an OpenID Connect (OIDC) service on the same machine. Let all principals in the pool impersonate the Google Cloud service account.
  • C. Set up a workload identity pool with an OpenID Connect (OIDC) service on the same machine. Configure a rule to let principals in the pool impersonate the Google Cloud service account.
  • D. Set up a workload identity pool with your corporate Active Directory Federation Service (ADFS). Let all principals in the pool impersonate the Google Cloud service account.

Answer: A

Explanation:
https://cloud.google.com/iam/docs/workload-identity-federation
Federating with the existing corporate identity provider (ADFS) means no new identity service to secure on the application hosts and no service account key on disk. The pool provider should carry an attribute condition, and the impersonation grant should name a specific principal or principalSet, so only the intended workloads can exchange their ADFS token for short-lived Google Cloud credentials; letting every principal in the pool impersonate the service account (B, D) is over-broad.


NEW QUESTION # 53
A customer terminates an engineer and needs to make sure the engineer's Google account is automatically deprovisioned.
What should the customer do?

  • A. Configure Cloud Directory Sync with their directory service to provision and deprovision users from Cloud Identity.
  • B. Use the Cloud SDK with their directory service to remove their IAM permissions in Cloud Identity.
  • C. Configure Cloud Directory Sync with their directory service to remove their IAM permissions in Cloud Identity.
  • D. Use the Cloud SDK with their directory service to provision and deprovision users from Cloud Identity.

Answer: A

Explanation:
https://cloud.google.com/identity/solutions/automate-user-provisioning#cloud_identity_automated_provisioning
Google Cloud Directory Sync (GCDS) makes the on-premises directory the source of truth: when the engineer's account is disabled or deleted there, the next sync suspends or deletes the matching Cloud Identity user, and with it every IAM binding and session tied to that identity. Removing IAM permissions (B, C) leaves the Google account itself alive, and the Cloud SDK (D) is not an automated provisioning mechanism.


NEW QUESTION # 54
When working with agents in a support center via online chat, an organization's customers often share pictures of their documents with personally identifiable information (PII). The organization that owns the support center is concerned that the PII is being stored in their databases as part of the regular chat logs they retain for review by internal or external analysts for customer service trend analysis.
Which Google Cloud solution should the organization use to help resolve this concern for the customer while still maintaining data utility?

  • A. Use the image inspection and redaction actions of the DLP API to redact PII from the images before storing them for analysis.
  • B. Use the generalization and bucketing actions of the DLP API solution to redact PII from the texts before storing them for analysis.
  • C. Use Cloud Key Management Service (KMS) to encrypt the PII data shared by customers before storing it for analysis.
  • D. Use Object Lifecycle Management to make sure that all chat records with PII in them are discarded and not saved for analysis.

Answer: A

Explanation:
https://cloud.google.com/dlp/docs/redacting-sensitive-data-images
The PII arrives as images of documents, and the DLP API can inspect an image and return a copy with the detected text regions blacked out, which keeps the rest of the image usable for trend analysis. Generalization and bucketing (B) operate on text and numeric fields, not on images; encrypting with Cloud KMS (C) still stores the PII; discarding the records (D) destroys the data the analysts need.


NEW QUESTION # 55
A company's application is deployed with a user-managed Service Account key. You want to use Google-recommended practices to rotate the key.
What should you do?

  • A. Open Cloud Shell and run gcloud iam service-accounts enable-auto-rotate --iam-account=IAM_ACCOUNT.
  • B. Create a new key, and use the new key in the application. Delete the old key from the Service Account.
  • C. Open Cloud Shell and run gcloud iam service-accounts keys rotate --iam-account=IAM_ACCOUNT --key=NEW_KEY.
  • D. Create a new key, and use the new key in the application. Store the old key on the system as a backup key.
  • D. Create a new key, and use the new key in the application. Store the old key on the system as a backup key.

Answer: B

Explanation:
https://cloud.google.com/iam/docs/keys-create-delete
Rotate a user-managed key by creating a new key, updating the application to use it, confirming the old key is no longer in use, and then deleting the old key. There is no enable-auto-rotate or keys rotate command (A, C), and keeping the old key as a "backup" (D) leaves a live credential on disk. The gcloud iam service-accounts keys create and keys delete commands, or the projects.serviceAccounts.keys.create and projects.serviceAccounts.keys.delete REST methods, can be scripted to automate the rotation.


NEW QUESTION # 56
An organization is starting to move its infrastructure from its on-premises environment to Google Cloud Platform (GCP). The first step the organization wants to take is to migrate its ongoing data backup and disaster recovery solutions to GCP. The organization's on-premises production environment is going to be the next phase for migration to GCP. Stable networking connectivity between the on-premises environment and GCP is also being implemented.
Which GCP solution should the organization use?

  • A. Cloud Storage using a scheduled task and gsutil via Cloud Interconnect
  • B. Cloud Datastore using regularly scheduled batch upload jobs via Cloud VPN
  • C. BigQuery using a data pipeline job with continuous updates via Cloud VPN
  • D. Compute Engines Virtual Machines using Persistent Disk via Cloud Interconnect

Answer: A

Explanation:
https://cloud.google.com/solutions/migration-to-google-cloud-building-your-foundation
With stable private connectivity being set up, Cloud Interconnect carries the scheduled gsutil copies to Cloud Storage without traversing the public internet, and Cloud Storage remains the scalable, low-cost backup target. Datastore and BigQuery (B, C) are not backup stores, and VMs with Persistent Disk (D) cost more and need patching and management for what is simply object storage.


NEW QUESTION # 57
You are on your company's development team. You noticed that your web application hosted in staging on GKE dynamically includes user data in web pages without first properly validating the inputted data. This could allow an attacker to execute arbitrary scripts and display arbitrary content in a victim user's browser in a production environment.
How should you prevent and fix this vulnerability?

  • A. Use Cloud IAP based on IP address or end-user device attributes to prevent and fix the vulnerability.
  • B. Set up an HTTPS load balancer, and then use Cloud Armor for the production environment to prevent the potential XSS attack.
  • C. Use Web Security Scanner to validate the usage of an outdated library in the code, and then use a secured version of the included library.
  • D. Use Web Security Scanner in staging to simulate an XSS injection attack, and then use a templating system that supports contextual auto-escaping.

Answer: D

Explanation:
https://cloud.google.com/security-scanner/docs/remediate-findings
Web Security Scanner can inject test scripts into the staging deployment to confirm the reflected XSS, but the fix has to happen in the application: render user data through a templating system that escapes each value for the context it lands in (HTML body, attribute, URL, JavaScript). Cloud Armor (B) and IAP (A) sit in front of the application and neither removes the bug from the code; the issue is unescaped output, not an outdated library (C).
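The contextual auto-escaping the answer calls for, shown as an added example in Go. This is not code from the page or from any Google product; the template, the Page type and the payload string are constructed for illustration. Go's text/template reproduces the vulnerable behaviour and html/template is the fix: the same template source is rendered by each engine with the kind of payload Web Security Scanner would inject, and the same value is escaped differently in the paragraph (HTML entities) and inside the href (percent-encoding).

```go
package main

import (
	"bytes"
	"fmt"
	"html/template"
	"strings"
	texttemplate "text/template"
)

// Page is the view model; Name is attacker-controlled user input.
type Page struct {
	Name string
}

// Payload is a constructed reflected-XSS probe, the kind of string a scanner submits.
const Payload = `<script>alert(document.cookie)</script>`

// One template source, two output contexts: HTML text and a URL query parameter.
const pageTemplate = `<p>Hello, {{.Name}}</p><a href="/profile?u={{.Name}}">profile</a>`

// RenderVulnerable is the bug from the question: text/template copies the
// value into the page verbatim, so the browser executes the payload.
func RenderVulnerable(name string) (string, error) {
	t, err := texttemplate.New("page").Parse(pageTemplate)
	if err != nil {
		return "", err
	}
	var buf bytes.Buffer
	if err := t.Execute(&buf, Page{Name: name}); err != nil {
		return "", err
	}
	return buf.String(), nil
}

// RenderSafe is the fix: html/template parses the template as HTML and escapes
// each {{.Name}} for the context it appears in (entity-escaped in the
// paragraph, percent-encoded inside the href). No per-field escaping calls.
func RenderSafe(name string) (string, error) {
	t, err := template.New("page").Parse(pageTemplate)
	if err != nil {
		return "", err
	}
	var buf bytes.Buffer
	if err := t.Execute(&buf, Page{Name: name}); err != nil {
		return "", err
	}
	return buf.String(), nil
}

// ContainsRawScript is the check a scanner performs: did the tag survive unescaped?
func ContainsRawScript(rendered string) bool {
	return strings.Contains(rendered, "<script>")
}

func main() {
	engines := []struct {
		name   string
		render func(string) (string, error)
	}{
		{"text/template (vulnerable)", RenderVulnerable},
		{"html/template (fixed)", RenderSafe},
	}
	for _, e := range engines {
		out, err := e.render(Payload)
		if err != nil {
			fmt.Println(e.name, "error:", err)
			continue
		}
		fmt.Printf("%s: script executable=%v\n%s\n\n", e.name, ContainsRawScript(out), out)
	}
}
```

The contextual part is what matters: a single escaping function applied everywhere would get the href wrong, while html/template picks entity escaping for the paragraph and URL encoding for the query string from the position of each substitution.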


NEW QUESTION # 58
An organization is starting to move its infrastructure from its on-premises environment to Google Cloud Platform (GCP). The first step the organization wants to take is to migrate its current data backup and disaster recovery solutions to GCP for later analysis. The organization's production environment will remain on-premises for an indefinite time. The organization wants a scalable and cost-efficient solution.
Which GCP solution should the organization use?

  • A. Cloud Datastore using regularly scheduled batch upload jobs
  • B. Cloud Storage using a scheduled task and gsutil
  • C. BigQuery using a data pipeline job with continuous updates
  • D. Compute Engine Virtual Machines using Persistent Disk

Answer: B

Explanation:
This repeats question 50 with the options reordered; the answer is the same, Cloud Storage with a scheduled gsutil task (option B here). BigQuery with a continuous pipeline (C) is an analytics service, not a cost-efficient backup target, and continuous updates are the opposite of a scheduled backup.


NEW QUESTION # 59
You are the security admin of your company. You have 3,000 objects in your Cloud Storage bucket. You do not want to manage access to each object individually. You also do not want the uploader of an object to always have full control of the object. However, you want to use Cloud Audit Logs to manage access to your bucket.
What should you do?

  • A. Set up an ACL with READER permission to a scope of allUsers.
  • B. Set up a default bucket ACL and manage access for users using IAM.
  • C. Set up an ACL with OWNER permission to a scope of allUsers.
  • D. Set up Uniform bucket-level access on the Cloud Storage bucket and manage access for users using IAM.

Answer: D

Explanation:
https://cloud.google.com/storage/docs/uniform-bucket-level-access
Uniform bucket-level access disables object ACLs, so access is managed once through IAM on the bucket, the uploader no longer receives OWNER on each object, and every access decision is recorded in Cloud Audit Logs. Granting allUsers READER or OWNER (A, C) makes the bucket public; a default object ACL (B) still leaves the uploader in control of each object.


NEW QUESTION # 60
A patch for a vulnerability has been released, and a DevOps team needs to update their running containers in Google Kubernetes Engine (GKE).
How should the DevOps team accomplish this?

  • A. Update the application code or apply a patch, build a new image, and redeploy it.
  • B. Verify that auto upgrade is enabled; if so, Google will upgrade the nodes in a GKE cluster.
  • C. Configure containers to automatically upgrade when the base image is available in Container Registry.
  • D. Use Puppet or Chef to push out the patch to the running container.

Answer: A

Explanation:
https://cloud.google.com/containers/security
Containers are meant to be immutable, so you deploy a new image in order to make changes. You can simplify patch management by rebuilding your images regularly, so the patch is picked up the next time a container is deployed, and get the full picture of your environment with regular image security reviews. GKE node auto-upgrade (B) patches the node OS and Kubernetes components, not the application image inside the containers; nothing rebuilds containers automatically when a new base image appears in Container Registry (C); and a patch pushed into a running container with Puppet or Chef (D) is lost the next time the pod is rescheduled.


NEW QUESTION # 61
Your team needs to obtain a unified log view of all development cloud projects in your SIEM. The development projects are under the NONPROD organization folder with the test and pre-production projects. The development projects share the ABC-BILLING billing account with the rest of the organization.
Which logging export strategy should you use to meet the requirements?

  • A. 1. Export logs in each dev project to a Cloud Pub/Sub topic in a dedicated SIEM project.2. Subscribe SIEM to the topic.
  • B. 1. Export logs to a Cloud Pub/Sub topic with folders/NONPROD parent and includeChildren property set to True in a dedicated SIEM project.2. Subscribe SIEM to the topic.
  • C. 1. Create a Cloud Storage sink with a publicly shared Cloud Storage bucket in each project.2. Process Cloud Storage objects in SIEM.
  • D. 1. Create a Cloud Storage sink with billingAccounts/ABC-BILLING parent and includeChildren property set to False in a dedicated SIEM project.2. Process Cloud Storage objects in SIEM.

Answer: B

Explanation:
https://cloud.google.com/logging/docs/export/aggregated_sinks
An aggregated sink with folders/NONPROD as the parent and includeChildren set to true exports the logs of every project under that folder to one Pub/Sub topic that the SIEM subscribes to; add a filter on the dev project IDs if the test and pre-production logs are not wanted. A billing-account sink (D) would span every project in the organization that uses ABC-BILLING, and with includeChildren false it would export only the billing account's own logs. Per-project sinks (A) do not give a unified view and miss projects created later, and a publicly shared bucket (C) exposes the logs.


NEW QUESTION # 62
An organization is evaluating the use of Google Cloud Platform (GCP) for certain IT workloads. A well-established directory service is used to manage user identities and lifecycle management. This directory service must continue for the organization to use as the "source of truth" directory for identities.
Which solution meets the organization's requirements?

  • A. Cloud Identity
  • B. Security Assertion Markup Language (SAML)
  • C. Pub/Sub
  • D. Google Cloud Directory Sync (GCDS)

Answer: D

Explanation:
With Google Cloud Directory Sync (GCDS), you can synchronize the data in your Google Account with your Microsoft Active Directory or LDAP server. GCDS doesn't migrate any content (such as email messages, calendar events, or files) to your Google Account. You use GCDS to synchronize your Google users, groups, and shared contacts to match the information in your LDAP server.
https://support.google.com/a/answer/106368?hl=en


NEW QUESTION # 63
You have the following resource hierarchy. There is an organization policy at each node in the hierarchy as shown. (The hierarchy diagram is not reproduced on this page.) Which load balancer types are denied in VPC A?

  • A. EXTERNAL_TCP_PROXY, EXTERNAL_SSL_PROXY, INTERNAL_TCP_UDP, and INTERNAL_HTTP_HTTPS are denied in accordance with the folder and project's policies.
  • B. All load balancer types are denied in accordance with the global node's policy.
  • C. EXTERNAL_TCP_PROXY, EXTERNAL_SSL_PROXY are denied in accordance with the project's policy.
  • D. INTERNAL_TCP_UDP, INTERNAL_HTTP_HTTPS is denied in accordance with the folder's policy.

Answer: A

Explanation:
List constraints such as constraints/compute.restrictLoadBalancerCreationForTypes are merged down the hierarchy by default: a value denied at the organization, folder or project stays denied below it unless a descendant policy sets inheritFromParent to false or restores the default. VPC A is therefore denied the union of the values denied at each level that still inherits, which is how option A arrives at a list combining the folder's and the project's policies. Without the diagram, the specific lists cannot be checked here.


NEW QUESTION # 64
What are the steps to encrypt data using envelope encryption?

  • A. Generate a key encryption key (KEK) locally.
    Generate a data encryption key (DEK) locally.
    Encrypt data with the KEK.
    Store the encrypted data and the wrapped DEK.
  • B. Generate a data encryption key (DEK) locally.
    Encrypt data with the DEK.
    Use a key encryption key (KEK) to wrap the DEK.
    Store the encrypted data and the wrapped DEK.
  • C. Generate a data encryption key (DEK) locally.
    Use a key encryption key (KEK) to wrap the DEK.
    Encrypt data with the KEK.
    Store the encrypted data and the wrapped KEK.
  • D. Generate a key encryption key (KEK) locally.
    Use the KEK to generate a data encryption key (DEK).
    Encrypt data with the DEK.
    Store the encrypted data and the wrapped DEK.

Answer: B

Explanation:
https://cloud.google.com/kms/docs/envelope-encryption
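The sequence in option B, as an added Go example that is not from the page or from Cloud KMS. The KMS type is a local stand-in for the key-encryption-key service: it holds a random KEK in memory and only ever wraps or unwraps a DEK, and AES-256-GCM from Go's standard library is used for both layers. What the code shows beyond the list: the plaintext DEK exists only while encrypting or decrypting, the stored record is the ciphertext plus the wrapped DEK, and a wrapped DEK that has been modified, or is presented to a different KEK, fails authentication instead of yielding a wrong key.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Envelope is what gets stored: data encrypted under the DEK, plus the DEK wrapped under the KEK.
type Envelope struct {
	WrappedDEK []byte
	Ciphertext []byte
}

// KMS is a local stand-in for Cloud KMS in this example; the KEK never leaves it.
type KMS struct{ kek []byte }

// NewKMS creates a stand-in key service with a fresh random 256-bit KEK.
func NewKMS() (*KMS, error) {
	kek, err := randomBytes(32)
	return &KMS{kek: kek}, err
}

// WrapDEK is the KMS "encrypt" call; UnwrapDEK is the KMS "decrypt" call.
func (k *KMS) WrapDEK(dek []byte) ([]byte, error)       { return gcmSeal(k.kek, dek) }
func (k *KMS) UnwrapDEK(wrapped []byte) ([]byte, error) { return gcmOpen(k.kek, wrapped) }

// Encrypt follows option B: generate a DEK locally, encrypt the data with it,
// wrap the DEK with the KEK, and hand back the pair that is to be stored.
func Encrypt(kms *KMS, plaintext []byte) (Envelope, error) {
	dek, err := randomBytes(32)
	if err != nil {
		return Envelope{}, err
	}
	ciphertext, err := gcmSeal(dek, plaintext)
	if err != nil {
		return Envelope{}, err
	}
	wrapped, err := kms.WrapDEK(dek)
	if err != nil {
		return Envelope{}, err
	}
	return Envelope{WrappedDEK: wrapped, Ciphertext: ciphertext}, nil
}

// Decrypt reverses it: the KMS unwraps the DEK, the data is decrypted locally.
// A wrapped DEK that was modified or belongs to another KEK fails at the unwrap.
func Decrypt(kms *KMS, env Envelope) ([]byte, error) {
	dek, err := kms.UnwrapDEK(env.WrappedDEK)
	if err != nil {
		return nil, fmt.Errorf("unwrap DEK: %w", err)
	}
	return gcmOpen(dek, env.Ciphertext)
}

func randomBytes(n int) ([]byte, error) {
	b := make([]byte, n)
	_, err := rand.Read(b)
	return b, err
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// gcmSeal encrypts with AES-256-GCM and prefixes the random 96-bit nonce.
func gcmSeal(key, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce, err := randomBytes(gcm.NonceSize())
	if err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// gcmOpen splits off the nonce and authenticates before returning plaintext.
func gcmOpen(key, sealed []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("sealed data too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], nil)
}

func main() {
	kms, _ := NewKMS()
	env, _ := Encrypt(kms, []byte("constructed sample record"))
	got, err := Decrypt(kms, env)
	fmt.Printf("stored %d-byte ciphertext and %d-byte wrapped DEK; recovered %q (err=%v)\n", len(env.Ciphertext), len(env.WrappedDEK), got, err)
}
```

With a real Cloud KMS the WrapDEK and UnwrapDEK calls become the key's encrypt and decrypt API calls, which is why the KEK can be rotated or revoked centrally while bulk data stays encrypted under per-object DEKs.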


NEW QUESTION # 65
A company is running their webshop on Google Kubernetes Engine and wants to analyze customer transactions in BigQuery. You need to ensure that no credit card numbers are stored in BigQuery. What should you do?

  • A. Use the Cloud Data Loss Prevention API to redact related infoTypes before data is ingested into BigQuery.
  • B. Enable Cloud Identity-Aware Proxy to filter out credit card numbers before storing the logs in BigQuery.
  • C. Leverage Security Command Center to scan for the assets of type Credit Card Number in BigQuery.
  • D. Create a BigQuery view with regular expressions matching credit card numbers to query and delete affected rows.

Answer: A

Explanation:
https://cloud.google.com/bigquery/docs/scan-with-dlp
The requirement is that card numbers never land in BigQuery, so the data has to be transformed on the way in: run the Cloud DLP API over the transaction records in the ingestion pipeline and redact or replace the CREDIT_CARD_NUMBER infoType before the rows are written. Scanning BigQuery afterwards with DLP or Security Command Center (C) only finds numbers that are already stored, a view with a regular expression (D) hides nothing from anyone who can query the underlying table, and Identity-Aware Proxy (B) controls who can reach the application, not what it stores.
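What redaction before ingest has to get right, as an added Go example that is not from the page and does not call the DLP API. The sample log lines are constructed, and the detector is a local stand-in for the CREDIT_CARD_NUMBER infoType: a digit-run regex plus the Luhn checksum that payment card numbers satisfy, so a 16-digit order ID sitting next to a card number is not redacted. In production the DLP API's inspect and deidentify calls do this with a ReplaceWithInfoTypeConfig transformation; the placeholder text below mirrors that output.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// SampleLog is constructed for this example: two webshop transaction lines, each
// carrying a 16-digit order ID next to a payment card number.
const SampleLog = `2023-05-01T10:02:11Z order=1234567890123456 msg="paid with 4111 1111 1111 1111"
2023-05-01T10:03:40Z order=9876543210987654 msg="card 5500-0000-0000-0004 declined, retry with 4111111111111112"`

// candidate matches 13 to 19 digits, optionally separated by single spaces or
// dashes, at word boundaries. It deliberately over-matches: order IDs hit it too.
var candidate = regexp.MustCompile(`\b(?:\d[ -]?){12,18}\d\b`)

// Placeholder mirrors the output of DLP's ReplaceWithInfoTypeConfig.
const Placeholder = "[CREDIT_CARD_NUMBER]"

// luhnValid is the checksum every payment card number satisfies; it is what
// separates a card number from an arbitrary digit run of the same length.
func luhnValid(digits string) bool {
	sum, double := 0, false
	for i := len(digits) - 1; i >= 0; i-- {
		d := int(digits[i] - '0')
		if double {
			d *= 2
			if d > 9 {
				d -= 9
			}
		}
		sum += d
		double = !double
	}
	return sum%10 == 0
}

// onlyDigits drops the separators so the checksum sees the bare number.
func onlyDigits(s string) string {
	return strings.Map(func(r rune) rune {
		if r >= '0' && r <= '9' {
			return r
		}
		return -1
	}, s)
}

// RedactCardNumbers replaces every Luhn-valid candidate with the placeholder and
// returns the redacted text together with the number of replacements made.
func RedactCardNumbers(text string) (string, int) {
	count := 0
	out := candidate.ReplaceAllStringFunc(text, func(m string) string {
		if !luhnValid(onlyDigits(m)) {
			return m // a digit run that fails Luhn (order IDs, mistyped numbers) is left alone
		}
		count++
		return Placeholder
	})
	return out, count
}

func main() {
	out, n := RedactCardNumbers(SampleLog)
	fmt.Printf("%d card number(s) redacted before ingest:\n%s\n", n, out)
}
```

On the sample, the two valid card numbers are replaced, the two order IDs survive, and so does the mistyped 4111111111111112 that fails the checksum: checksum validation is what keeps the filter from mangling ordinary numeric fields, at the price of missing near-miss typos.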


NEW QUESTION # 66
You are responsible for protecting highly sensitive data in BigQuery. Your operations teams need access to this data, but given privacy regulations, you want to ensure that they cannot read the sensitive fields such as email addresses and first names. These specific sensitive fields should only be available on a need-to-know basis to the HR team. What should you do?

  • A. Perform tokenization for Pseudonymization with the DLP API and store that data in BigQuery for later use.
  • B. Perform data redaction with the DLP API and store that data in BigQuery for later use.
  • C. Perform data masking with the DLP API and store that data in BigQuery for later use.
  • D. Perform data inspection with the DLP API and store that data in BigQuery for later use.

Answer: A

Explanation:
https://cloud.google.com/dlp/docs/pseudonymization
Tokenization (pseudonymization) with a cryptographic transformation replaces the email address and first name with surrogate values that the operations team can still join and analyse, while the HR team, holding the key, can re-identify records on a need-to-know basis. Redaction and masking (B, C) destroy the values for HR as well, and inspection (D) only finds sensitive data; it does not protect it.


NEW QUESTION # 67
......


The Google Cloud Certified - Professional Cloud Security Engineer exam covers a wide range of cloud security topics, including network security, application security, data protection, compliance and regulations, and incident response. It tests candidates' ability to design and implement secure cloud solutions, configure security controls, and manage security operations in a cloud environment, and it also assesses their ability to analyze security risks and develop risk management strategies.

Professional-Cloud-Security-Engineer Dumps Updated Practice Test and 212 unique questions: https://www.exams-boost.com/Professional-Cloud-Security-Engineer-valid-materials.html

Latest 100% Exam Passing Ratio - Professional-Cloud-Security-Engineer Dumps PDF: https://drive.google.com/open?id=1f8wtuX5Z81x4tOgbfLMsZmHhCUvlMhar