Free Google Professional-Cloud-Security-Engineer Exam Actual Questions

The questions for Professional-Cloud-Security-Engineer were last updated On Apr 1, 2025

At ValidExamDumps, we consistently monitor updates to the Google Professional-Cloud-Security-Engineer exam questions by Google. Whenever our team identifies changes in the exam questions, exam objectives, exam focus areas or exam requirements, we immediately update our exam questions for both PDF and online practice exams. This commitment ensures our customers always have access to the most current and accurate questions. By preparing with these actual questions, our customers can successfully pass the Google Professional Cloud Security Engineer exam on their first attempt without needing additional materials or study guides.

Other certification materials providers often include outdated questions that Google has removed from the Professional-Cloud-Security-Engineer exam. These outdated questions lead to customers failing their Google Professional Cloud Security Engineer exam. In contrast, we ensure our question bank includes only precise and up-to-date questions, guaranteeing their presence in your actual exam. Our main priority is your success in the Google Professional-Cloud-Security-Engineer exam, not profiting from selling obsolete exam questions in PDF or online practice test form.


Question No. 1

For compliance reasons, an organization needs to ensure that in-scope PCI Kubernetes Pods reside on "in-scope" Nodes only. These Nodes can only contain the "in-scope" Pods.

How should the organization achieve this objective?

Question No. 2

You are a security administrator at your company. Per Google-recommended best practices, you implemented the domain restricted sharing organization policy to allow only required domains to access your projects. An engineering team is now reporting that users at an external partner outside your organization domain cannot be granted access to the resources in a project. How should you make an exception for your partner's domain while following the stated best practices?

Correct Answer: D

https://cloud.google.com/resource-manager/docs/organization-policy/restricting-domains#setting_the_organization_policy

The domain restriction constraint is a list constraint. Its allowed_values are Google Workspace (or Cloud Identity) customer IDs, not domain names: customer IDs can be added to and removed from the allowed_values list, your own organization's ID appears as DIRECTORY_CUSTOMER_ID in the output of gcloud organizations list, and a partner has to supply theirs. The constraint does not support denying values, and an organization policy cannot be saved with IDs in its denied_values list. Every domain associated with a Google Workspace account listed in allowed_values is allowed by the policy; all other domains are denied. Because organization policies are evaluated on the resource hierarchy, an exception for one partner is scoped by setting the policy on the project (or folder) that needs it instead of loosening the organization-level policy for everyone.
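As an added example (Go, not code from this page or from Google), the following builds the Organization Policy v2 body for this constraint, rejects the common mistake of listing a domain name instead of a customer ID, and evaluates who the resulting policy lets in. The customer IDs "C0123abcd" and "C0987wxyz" and the project "partner-project" are constructed placeholders, and the customer-ID pattern is an assumption about the ID's shape, not a documented format.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"regexp"
)

// DomainRestriction is the constraint name behind domain restricted sharing.
const DomainRestriction = "iam.allowedPolicyMemberDomains"

// Policy mirrors the Organization Policy v2 resource for a list constraint
// (projects/{project}/policies/{constraint}, spec.rules[].values.allowedValues).
type Policy struct {
	Name string     `json:"name"`
	Spec PolicySpec `json:"spec"`
}

type PolicySpec struct {
	InheritFromParent bool   `json:"inheritFromParent"`
	Rules             []Rule `json:"rules"`
}

type Rule struct {
	Values Values `json:"values"`
}

type Values struct {
	AllowedValues []string `json:"allowedValues,omitempty"`
	DeniedValues  []string `json:"deniedValues,omitempty"`
}

// customerIDPattern approximates a Workspace / Cloud Identity customer ID: a leading
// "C" followed by alphanumerics (assumption: the exact length is not enforced).
var customerIDPattern = regexp.MustCompile(`^C[0-9a-z]+$`)

// BuildDomainRestrictionPolicy returns the policy to set on resource (for example
// "projects/partner-project") so that only principals from the listed customer
// IDs can be granted IAM roles there. Domain names are rejected because the
// constraint takes customer IDs only; it has no deny semantics at all.
func BuildDomainRestrictionPolicy(resource string, customerIDs []string) (Policy, error) {
	if len(customerIDs) == 0 {
		return Policy{}, errors.New("at least one customer ID is required")
	}
	for _, id := range customerIDs {
		if !customerIDPattern.MatchString(id) {
			return Policy{}, fmt.Errorf("%q is not a customer ID (use DIRECTORY_CUSTOMER_ID, not a domain name)", id)
		}
	}
	return Policy{
		Name: resource + "/policies/" + DomainRestriction,
		Spec: PolicySpec{
			// false: this list replaces the parent's list on this resource, so your own
			// organization's customer ID must be included or you lock yourselves out.
			// true would merge with the parent's list, so listing only the partner would do.
			InheritFromParent: false,
			Rules:             []Rule{{Values: Values{AllowedValues: customerIDs}}},
		},
	}, nil
}

// Allows evaluates the policy the way the constraint does: a principal is allowed
// only if its customer ID appears in some rule's allowedValues.
func Allows(p Policy, customerID string) bool {
	for _, r := range p.Spec.Rules {
		if len(r.Values.DeniedValues) != 0 {
			return false // invalid for this constraint; fail closed
		}
		for _, v := range r.Values.AllowedValues {
			if v == customerID {
				return true
			}
		}
	}
	return false
}

// PolicyJSON renders the body for "gcloud org-policies set-policy policy.json".
func PolicyJSON(p Policy) string {
	b, _ := json.MarshalIndent(p, "", "  ")
	return string(b)
}

func main() {
	// Constructed customer IDs: your organization's and the partner's.
	p, err := BuildDomainRestrictionPolicy("projects/partner-project", []string{"C0123abcd", "C0987wxyz"})
	if err != nil {
		panic(err)
	}
	fmt.Println(PolicyJSON(p))
}
```

Written to a file, the JSON printed by main is what gcloud org-policies set-policy consumes. The inheritFromParent comment is the part worth reading twice: a project-level list with inheritFromParent false that omits your own customer ID takes away your own administrators' ability to grant roles on that project.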


Question No. 3

You need to follow Google-recommended practices to leverage envelope encryption and encrypt data at the application layer.

What should you do?

Correct Answer: A

Envelope Encryption: https://cloud.google.com/kms/docs/envelope-encryption

Best practices for managing DEKs:

- Generate DEKs locally.

- When stored, always ensure DEKs are encrypted at rest.

- For easy access, store the DEK near the data that it encrypts.

The DEK is encrypted (also known as wrapped) by a key encryption key (KEK). The process of encrypting a key with another key is known as envelope encryption.

Best practices for managing KEKs:

- Store KEKs centrally (for example, in Cloud KMS), so that the KEK never leaves the key management service and the application only calls its Encrypt and Decrypt APIs to wrap and unwrap DEKs.

- Set the granularity of the DEKs they encrypt based on their use case. For example, consider a workload that requires multiple DEKs to encrypt the workload's data chunks. You could use a single KEK to wrap all DEKs that are responsible for that workload's encryption.

- Rotate keys regularly, and also after a suspected incident. Rotating the KEK only requires re-wrapping the small DEKs under the new key version; the bulk data does not have to be re-encrypted.
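The following is an added example in Go, not code from this page or from Google. It carries the envelope pattern through end to end with AES-256-GCM: a DEK generated locally, data encrypted under it, the DEK wrapped under a KEK and stored beside the ciphertext, and KEK rotation done by re-wrapping alone. The KEK type is a local stand-in so the example runs offline (an assumption); with Cloud KMS, Wrap and Unwrap become the key's Encrypt and Decrypt calls and the key material never leaves KMS.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

type Envelope struct { // stored next to the data; only the wrapped DEK is persisted
	KEKVersion string // KEK version that wrapped the DEK (a Cloud KMS key version name in production)
	WrappedDEK []byte // nonce || AES-256-GCM(KEK, DEK)
	Ciphertext []byte // nonce || AES-256-GCM(DEK, data)
}

// KEK stands in for a Cloud KMS key version so the example runs offline (assumption); in production the key stays in KMS and Wrap/Unwrap are the KMS Encrypt/Decrypt calls.
type KEK struct {
	Version string
	key     []byte
}

func NewKEK(version string) (*KEK, error) {
	k := make([]byte, 32)
	_, err := rand.Read(k)
	return &KEK{Version: version, key: k}, err
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func seal(key, plaintext, aad []byte) ([]byte, error) { // AES-256-GCM, random nonce prefixed to the output
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return append(nonce, aead.Seal(nil, nonce, plaintext, aad)...), nil
}

func open(key, sealed, aad []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < aead.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return aead.Open(nil, sealed[:aead.NonceSize()], sealed[aead.NonceSize():], aad)
}

// Wrap/Unwrap bind the wrapped DEK to the KEK version through the AAD, so unwrapping with the wrong version fails loudly.
func (k *KEK) Wrap(dek []byte) ([]byte, error)   { return seal(k.key, dek, []byte(k.Version)) }
func (k *KEK) Unwrap(w []byte) ([]byte, error) { return open(k.key, w, []byte(k.Version)) }

// Encrypt generates the DEK locally, encrypts the data with it, then wraps the DEK under the KEK; aad is context (e.g. the record ID) that must be presented again to decrypt.
func Encrypt(kek *KEK, plaintext, aad []byte) (*Envelope, error) {
	dek := make([]byte, 32)
	if _, err := rand.Read(dek); err != nil {
		return nil, err
	}
	ct, err := seal(dek, plaintext, aad)
	if err != nil {
		return nil, err
	}
	wrapped, err := kek.Wrap(dek)
	if err != nil {
		return nil, err
	}
	return &Envelope{KEKVersion: kek.Version, WrappedDEK: wrapped, Ciphertext: ct}, nil
}

func Decrypt(kek *KEK, env *Envelope, aad []byte) ([]byte, error) {
	dek, err := kek.Unwrap(env.WrappedDEK)
	if err != nil {
		return nil, err
	}
	return open(dek, env.Ciphertext, aad)
}

// Rewrap is KEK rotation: unwrap under the old version, wrap under the new one; the bulk ciphertext is untouched, so rotation cost does not depend on data size.
func Rewrap(oldKEK, newKEK *KEK, env *Envelope) error {
	dek, err := oldKEK.Unwrap(env.WrappedDEK)
	if err != nil {
		return err
	}
	wrapped, err := newKEK.Wrap(dek)
	if err == nil {
		env.WrappedDEK, env.KEKVersion = wrapped, newKEK.Version
	}
	return err
}
```

The plaintext DEK exists only inside Encrypt, Decrypt and Rewrap; what gets written to the database is the Envelope, which satisfies "DEKs encrypted at rest" and "DEK stored near the data" at the same time. After Rewrap the old KEK version can no longer unwrap the DEK, so the old version can be disabled in KMS once every envelope has been re-wrapped.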

Question No. 4

You are deploying a web application hosted on Compute Engine. A business requirement mandates that application logs are preserved for 12 years and data is kept within European boundaries. You want to implement a storage solution that minimizes overhead and is cost-effective. What should you do?

Correct Answer: B

To meet both requirements with the least operational overhead, keep the logs in Cloud Logging's managed, region-scoped storage in the EU and let managed retention do the work. One detail has to be checked against the 12-year figure: a Cloud Logging bucket's retention period can be set between 1 and 3,650 days (10 years), so a log bucket alone cannot hold logs for 12 years. For the full period, pair the EU log bucket with a log sink to a Cloud Storage bucket located in the EU that carries a 12-year retention policy; both are managed services, and Cloud Storage is the cheaper place for cold data.

Install the Ops Agent:

Install and configure the Ops Agent (it replaces the legacy Cloud Logging agent) on your Compute Engine instances. The agent tails your application log files and sends the entries to the Cloud Logging API.

Create a log bucket in an EU region:

Create a user-defined log bucket in europe-west1, for example with gcloud logging buckets create app-logs --location=europe-west1 --retention-days=3650. The location is fixed when the bucket is created and cannot be changed later; logs routed to this bucket are stored only in that region.

Set the retention policy:

Set the bucket's retention to the maximum of 3,650 days (it can be changed later with gcloud logging buckets update). Because this falls short of 12 years, add a second destination for long-term retention: a Cloud Storage bucket in an EU location with a retention policy of 12 years. Locking that retention policy makes deletion before expiry impossible, which is usually what auditors want.

Route the logs with a sink:

Routing to a bucket is done by the Log Router, not by the agent's configuration. Create a sink whose filter selects the application logs and whose destination is logging.googleapis.com/projects/PROJECT_ID/locations/europe-west1/buckets/app-logs, and a second sink for the same filter whose destination is storage.googleapis.com/BUCKET_NAME for the archive copy. Add an exclusion for the same filter to the _Default sink so the entries are not also stored in the _Default bucket, which by default is in the global location.

This solution minimizes overhead because every component is a managed service, and it is cost-effective because Cloud Logging keeps only the searchable window while the long-term copy sits in Cloud Storage.


Cloud Logging Documentation

Creating and Managing Logs Buckets

Question No. 5

You run applications on Cloud Run. You already enabled container analysis for vulnerability scanning. However, you are concerned about the lack of control on the applications that are deployed. You must ensure that only trusted container images are deployed on Cloud Run.

What should you do?

Choose 2 answers

Correct Answer: B, D

Container Analysis vulnerability scanning tells you what is in an image but does not stop anyone from deploying it. The control that enforces "only trusted images" is Binary Authorization, a deploy-time admission check: when a new Cloud Run revision is created, its image is evaluated against a Binary Authorization policy and rejected if it lacks the required attestations. Two things are needed: enable enforcement on the services, and make sure nobody can deploy with enforcement switched off or pointed at a permissive policy.

Set up Binary Authorization:

In the Google Cloud console, go to Security > Binary Authorization (or use the gcloud container binauthz commands).

Create one or more attestors, each with a public key whose private half is held by the trusted party (for example your CI pipeline, with the key in Cloud KMS), and set the policy's default rule to require attestations from them. Attestations are bound to an image digest, so the pipeline signs the digest after its checks (including the vulnerability scan results) pass, and deployments should pin images by digest so that what was attested is exactly what runs.

Enable Binary Authorization on Cloud Run:

Enable enforcement on each existing service, for example by redeploying with gcloud run deploy SERVICE --image IMAGE@sha256:DIGEST --binary-authorization=default, or by selecting the policy on the service in the console. Enforcement happens at deploy time, when a new revision is created.

Set the organization policy:

Go to the Organization Policies page in the Google Cloud console.

Set constraints/run.allowedBinaryAuthorizationPolicies and list the Binary Authorization policy names that Cloud Run services are allowed to use.

This closes the gap of a developer deploying a service with Binary Authorization disabled or attached to a policy that requires nothing.

Together these steps ensure that every container image deployed to Cloud Run is validated against the specified Binary Authorization policies and that untrusted images are rejected at deploy time.


Binary Authorization Documentation

Enabling Binary Authorization on Cloud Run
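To make the deploy-time check concrete, here is an added Go example (not the page's or Google's code) modelling what Binary Authorization enforces when Cloud Run creates a revision: the image must be pinned by digest, and every attestor the policy requires must have signed that exact digest. The attestor name, the image path and the digests are constructed placeholders; the payload shape follows the documented simple-signing format but only the fields needed for the check are modelled (an assumption), and a locally generated ECDSA P-256 key stands in for the attestor's Cloud KMS key.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"fmt"
	"strings"
)

// Payload models the simple-signing JSON an attestor signs; it names the exact image
// digest being vouched for (assumption: only the fields needed for the check are modelled).
type Payload struct {
	Critical struct {
		Identity struct{ DockerReference string `json:"docker-reference"` } `json:"identity"`
		Image    struct{ DockerManifestDigest string `json:"docker-manifest-digest"` } `json:"image"`
		Type     string `json:"type"`
	} `json:"critical"`
}

// Attestation is an attestor's signature over a payload (an Artifact Analysis occurrence in Google Cloud; a plain struct here).
type Attestation struct {
	AttestorID string
	Payload    []byte
	Signature  []byte // ASN.1 DER ECDSA P-256 signature over SHA-256(Payload)
}

type Attestors map[string]*ecdsa.PublicKey // attestor resource name -> registered public key

// Policy is the part of a Binary Authorization policy that matters at deploy time: the attestors the default rule requires.
type Policy struct {
	RequireAttestationsBy []string
}

// NewAttestorKey generates an attestor signing key (in production this lives in Cloud KMS).
func NewAttestorKey() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}

// splitRef accepts only images pinned by digest, "name@sha256:<64 hex>".
func splitRef(ref string) (string, string, error) {
	name, digest, ok := strings.Cut(ref, "@")
	if !ok || !strings.HasPrefix(digest, "sha256:") || len(digest) != len("sha256:")+64 {
		return "", "", fmt.Errorf("image %q is not referenced by a sha256 digest", ref)
	}
	return name, digest, nil
}

// Attest is what the trusted pipeline does once its checks (build provenance, vulnerability scan) pass: sign a payload naming this one digest.
func Attest(priv *ecdsa.PrivateKey, attestorID, imageRef string) (Attestation, error) {
	name, digest, err := splitRef(imageRef)
	if err != nil {
		return Attestation{}, err
	}
	var p Payload
	p.Critical.Identity.DockerReference = name
	p.Critical.Image.DockerManifestDigest = digest
	p.Critical.Type = "Google cloud binauthz container signature"
	payload, err := json.Marshal(p)
	if err != nil {
		return Attestation{}, err
	}
	h := sha256.Sum256(payload)
	sig, err := ecdsa.SignASN1(rand.Reader, priv, h[:])
	return Attestation{AttestorID: attestorID, Payload: payload, Signature: sig}, err
}

// Admit is the deploy-time check the enforcer performs: the image must be pinned by digest,
// and every required attestor must have a valid signature over a payload naming that exact digest.
func Admit(pol Policy, keys Attestors, imageRef string, atts []Attestation) error {
	_, digest, err := splitRef(imageRef)
	if err != nil {
		return fmt.Errorf("deny: %w", err)
	}
	for _, need := range pol.RequireAttestationsBy {
		if pub, ok := keys[need]; !ok || !hasValidAttestation(pub, need, digest, atts) {
			return fmt.Errorf("deny: no valid attestation from %s for %s", need, digest)
		}
	}
	return nil
}

func hasValidAttestation(pub *ecdsa.PublicKey, attestorID, digest string, atts []Attestation) bool {
	for _, a := range atts {
		var p Payload
		if a.AttestorID != attestorID || json.Unmarshal(a.Payload, &p) != nil ||
			p.Critical.Image.DockerManifestDigest != digest { // other attestor, or another build of the image
			continue
		}
		h := sha256.Sum256(a.Payload)
		if ecdsa.VerifyASN1(pub, h[:], a.Signature) {
			return true
		}
	}
	return false
}
```

Admit returns a deny error for an image referenced by tag, for an attestation that names a different digest, for a signature that does not verify against the attestor's registered key, and for any required attestor without an attestation. That is why the pipeline should push and deploy by digest: a tag can be re-pointed after the attestation was made, a digest cannot.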