Name: Professional Cloud Security Engineer
Brand: ValidExamDumps
SKU: Professional-Cloud-Security-Engineer
Price: 20 USD
Availability: InStock
Rating: 5.0 (400 reviews)

Free Google Professional-Cloud-Security-Engineer Exam Actual Questions

The questions for Professional-Cloud-Security-Engineer were last updated On Feb 14, 2025

At ValidExamDumps, we consistently monitor updates to the Google Professional-Cloud-Security-Engineer exam questions by Google. Whenever our team identifies changes in the exam questions,exam objectives, exam focus areas or in exam requirements, We immediately update our exam questions for both PDF and online practice exams. This commitment ensures our customers always have access to the most current and accurate questions. By preparing with these actual questions, our customers can successfully pass the Google Professional Cloud Security Engineer exam on their first attempt without needing additional materials or study guides.

Other certification materials providers often include outdated or removed questions by Google in their Google Professional-Cloud-Security-Engineer exam. These outdated questions lead to customers failing their Google Professional Cloud Security Engineer exam. In contrast, we ensure our questions bank includes only precise and up-to-date questions, guaranteeing their presence in your actual exam. Our main priority is your success in the Google Professional-Cloud-Security-Engineer exam, not profiting from selling obsolete exam questions in PDF or Online Practice Test.

Question No. 1

You control network traffic for a folder in your Google Cloud environment. Your folder includes multiple projects and Virtual Private Cloud (VPC) networks You want to enforce on the folder level that egress connections are limited only to IP range 10.58.5.0/24 and only from the VPC network dev-vpc." You want to minimize implementation and maintenance effort

What should you do?

A* 1. Attach external IP addresses to the VMs in scope.
* 2. Configure a VPC Firewall rule in 'dev-vpc' that allows egress connectivity to IP range 10.58.5.0/24 for all source addresses in this network.

B* 1. Attach external IP addresses to the VMs in scope.
* 2. Define and apply a hierarchical firewall policy on folder level to deny all egress connections and to allow egress to IP range 10 58.5.0/24 from network dev-vpc.

C* 1. Leave the network configuration of the VMs in scope unchanged.
* 2. Create a new project including a new VPC network 'new-vpc.'
* 3 Deploy a network appliance in 'new-vpc' to filter access requests and only allow egress connections from -dev-vpc' to 10.58.5.0/24.

D* 1 Leave the network configuration of the VMs in scope unchanged
* 2 Enable Cloud NAT for dev-vpc' and restrict the target range in Cloud NAT to 10.58.5 0/24.

Show Answer

Correct Answer: B

This approach allows you to control network traffic at the folder level. By attaching external IP addresses to the VMs in scope, you can ensure that the VMs have a unique, routable IP address for outbound connections. Then, by defining and applying a hierarchical firewall policy at the folder level, you can enforce that egress connections are limited to the specified IP range and only from the specified VPC network.

Question No. 2

Your security team uses encryption keys to ensure confidentiality of user dat

a. You want to establish a process to reduce the impact of a potentially compromised symmetric encryption key in Cloud Key Management Service (Cloud KMS).

Which steps should your team take before an incident occurs? (Choose two.)

ADisable and revoke access to compromised keys.

BEnable automatic key version rotation on a regular schedule.

CManually rotate key versions on an ad hoc schedule.

DLimit the number of messages encrypted with each key version.

EDisable the Cloud KMS API.

Show Answer

Correct Answer: B, D

As per document 'Limiting the number of messages encrypted with the same key version helps prevent attacks enabled by cryptanalysis.' https://cloud.google.com/kms/docs/key-rotation

Question No. 3

Your application is deployed as a highly available cross-region solution behind a global external HTTP(S) load balancer. You notice significant spikes in traffic from multiple IP addresses but it is unknown whether the IPs are malicious. You are concerned about your application's availability. You want to limit traffic from these clients over a specified time interval.

What should you do?

AConfigure a rate_based_ban action by using Google Cloud Armor and set the ban_duration_sec parameter to the specified time interval.

BConfigure a deny action by using Google Cloud Armor to deny the clients that issued too many requests over the specified time interval.

CConfigure a throttle action by using Google Cloud Armor to limit the number of requests per client over a specified time interval.

DConfigure a firewall rule in your VPC to throttle traffic from the identified IP addresses.

Show Answer

Correct Answer: C

Question No. 4

You are exporting application logs to Cloud Storage. You encounter an error message that the log sinks don't support uniform bucket-level access policies. How should you resolve this error?

AChange the access control model for the bucket

BUpdate your sink with the correct bucket destination.

CAdd the roles/logging.logWriter Identity and Access Management (IAM) role to the bucket for the log sink identity.

DAdd the roles/logging.bucketWriter Identity and Access Management (IAM) role to the bucket for the log sink identity.

Show Answer

Correct Answer: A

https://cloud.google.com/logging/docs/export/troubleshoot#errors_exporting_to_cloud_storage

https://cloud.google.com/logging/docs/export/troubleshoot

Unable to grant correct permissions to the destination: Even if the sink was successfully created with the correct service account permissions, this error message displays if the access control model for the Cloud Storage bucket was set to uniform access when the bucket was created. For existing Cloud Storage buckets, you can change the access control model for the first 90 days after bucket creation by using the Permissions tab. For new buckets, select the Fine-grained access control model during bucket creation. For details, see Creating Cloud Storage buckets.

Question No. 5

You are a security administrator at your company and are responsible for managing access controls (identification, authentication, and authorization) on Google Cloud. Which Google-recommended best practices should you follow when configuring authentication and authorization? (Choose two.)

AUse Google default encryption.

BManually add users to Google Cloud.

CProvision users with basic roles using Google's Identity and Access Management (1AM) service.

DUse SSO/SAML integration with Cloud Identity for user authentication and user lifecycle management.

EProvide granular access with predefined roles.

Show Answer

Correct Answer: D, E

https://cloud.google.com/iam/docs/using-iam-securely#least_privilege Basic roles include thousands of permissions across all Google Cloud services. In production environments, do not grant basic roles unless there is no alternative. Instead, grant the most limited predefined roles or custom roles that meet your needs.