Is this exam completely free?

ExamCademy offers a free preview for every exam, covering around 20% of the total questions. Full access to all questions is available for free by signing up for an account. Optional supporters unlock AstroTutor (AI tutor) and advanced study modes.

Can I practice IT certification exams from Microsoft, AWS, or CompTIA?

Yes! ExamCademy supports a wide range of IT certification exams including Microsoft Azure, AWS Cloud Practitioner, and CompTIA A+ and Security+.

How accurate are the mock exams?

Our practice questions are community-created and moderator-reviewed to align with realistic exam objectives, style, and difficulty.

Professional Cloud Security Engineer by Google - Page 1 | ExamCademy

Mode Selection

Question 1

Question 2

Question 3

Question 4

Question 5

Question 6

Question 7

Question 8

Question 9

Question 10

Question 11

Question 12

Question 13

Question 14

Question 15

Question 16

Question 17

Question 18

Question 19

Question 20

Question 21

Question 22

Question 23

Question 24

Question 25

Page 1 of 14 • Questions 1-25 of 329

1 2 3 4 5

→

Know a question that should be here? Contribute to this exam

Your team needs to make sure that a Compute Engine instance does not have access to the internet or to any Google APIs or services.
Which two settings must remain disabled to meet these requirements? (Choose two.)

A Public IP
B IP Forwarding
C Private Google Access
D Static routes
E IAM Network User Role

Your team needs to obtain a unified log view of all development cloud projects in your SIEM. The development projects are under the NONPROD organization folder with the test and pre-production projects. The development projects share the ABC-BILLING billing account with the rest of the organization.
Which logging export strategy should you use to meet the requirements?

A
1. Export logs to a Cloud Pub/Sub topic with folders/NONPROD parent and includeChildren property set to True in a dedicated SIEM project. 2. Subscribe SIEM to the topic.
B
1. Create a Cloud Storage sink with billingAccounts/ABC-BILLING parent and includeChildren property set to False in a dedicated SIEM project. 2. Process Cloud Storage objects in SIEM.
C
1. Export logs in each dev project to a Cloud Pub/Sub topic in a dedicated SIEM project. 2. Subscribe SIEM to the topic.
D
1. Create a Cloud Storage sink with a publicly shared Cloud Storage bucket in each project. 2. Process Cloud Storage objects in SIEM.

You need to implement an encryption at-rest strategy that reduces key management complexity for non-sensitive data and protects sensitive data while providing the flexibility of controlling the key residency and rotation schedule. FIPS 140-2 L1 compliance is required for all data types. What should you do?

A Encrypt non-sensitive data and sensitive data with Cloud External Key Manager.
B Encrypt non-sensitive data and sensitive data with Cloud Key Management Service
C Encrypt non-sensitive data with Google default encryption, and encrypt sensitive data with Cloud External Key Manager.
D Encrypt non-sensitive data with Google default encryption, and encrypt sensitive data with Cloud Key Management Service.

Your company wants to determine what products they can build to help customers improve their credit scores depending on their age range. To achieve this, you need to join user information in the company's banking app with customers' credit score data received from a third party. While using this raw data will allow you to complete this task, it exposes sensitive data, which could be propagated into new systems.
This risk needs to be addressed using de-identification and tokenization with Cloud Data Loss Prevention while maintaining the referential integrity across the database. Which cryptographic token format should you use to meet these requirements?

A Deterministic encryption
B Secure, key-based hashes
C Format-preserving encryption
D Cryptographic hashing

An office manager at your small startup company is responsible for matching payments to invoices and creating billing alerts. For compliance reasons, the office manager is only permitted to have the Identity and Access Management (IAM) permissions necessary for these tasks. Which two IAM roles should the office manager have? (Choose two.)

A Organization Administrator
B Project Creator
C Billing Account Viewer
D Billing Account Costs Manager
E Billing Account User

You are designing a new governance model for your organization's secrets that are stored in Secret Manager. Currently, secrets for Production and Non-
Production applications are stored and accessed using service accounts. Your proposed solution must:
✑ Provide granular access to secrets
✑ Give you control over the rotation schedules for the encryption keys that wrap your secrets
✑ Maintain environment separation
✑ Provide ease of management
Which approach should you take?

A
1. Use separate Google Cloud projects to store Production and Non-Production secrets. 2. Enforce access control to secrets using project-level identity and Access Management (IAM) bindings. 3. Use customer-managed encryption keys to encrypt secrets.
B
1. Use a single Google Cloud project to store both Production and Non-Production secrets. 2. Enforce access control to secrets using secret-level Identity and Access Management (IAM) bindings. 3. Use Google-managed encryption keys to encrypt secrets.
C
1. Use separate Google Cloud projects to store Production and Non-Production secrets. 2. Enforce access control to secrets using secret-level Identity and Access Management (IAM) bindings. 3. Use Google-managed encryption keys to encrypt secrets.
D
1. Use a single Google Cloud project to store both Production and Non-Production secrets. 2. Enforce access control to secrets using project-level Identity and Access Management (IAM) bindings. 3. Use customer-managed encryption keys to encrypt secrets.

You are a security engineer at a finance company. Your organization plans to store data on Google Cloud, but your leadership team is worried about the security of their highly sensitive data. Specifically, your company is concerned about internal Google employees' ability to access your company's data on Google Cloud.
What solution should you propose?

A Use customer-managed encryption keys.
B Use Google's Identity and Access Management (IAM) service to manage access controls on Google Cloud.
C Enable Admin activity logs to monitor access to resources.
D Enable Access Transparency logs with Access Approval requests for Google employees.

You want to use the gcloud command-line tool to authenticate using a third-party single sign-on (SSO) SAML identity provider. Which options are necessary to ensure that authentication is supported by the third-party identity provider (IdP)? (Choose two.)

A SSO SAML as a third-party IdP
B Identity Platform
C OpenID Connect
D Identity-Aware Proxy
E Cloud Identity

You work for a large organization where each business unit has thousands of users. You need to delegate management of access control permissions to each business unit. You have the following requirements:
✑ Each business unit manages access controls for their own projects.
✑ Each business unit manages access control permissions at scale.
✑ Business units cannot access other business units' projects.
✑ Users lose their access if they move to a different business unit or leave the company.
✑ Users and access control permissions are managed by the on-premises directory service.
What should you do? (Choose two.)

A Use VPC Service Controls to create perimeters around each business unit's project.
B Organize projects in folders, and assign permissions to Google groups at the folder level.
C Group business units based on Organization Units (OUs) and manage permissions based on OUs
D Create a project naming convention, and use Google's IAM Conditions to manage access based on the prefix of project names.
E Use Google Cloud Directory Sync to synchronize users and group memberships in Cloud Identity.

Your organization recently deployed a new application on Google Kubernetes Engine. You need to deploy a solution to protect the application. The solution has the following requirements:
✑ Scans must run at least once per week
✑ Must be able to detect cross-site scripting vulnerabilities
✑ Must be able to authenticate using Google accounts
Which solution should you use?

A Google Cloud Armor
B Web Security Scanner
C Security Health Analytics
D Container Threat Detection

An organization is moving applications to Google Cloud while maintaining a few mission-critical applications on-premises. The organization must transfer the data at a bandwidth of at least 50 Gbps. What should they use to ensure secure continued connectivity between sites?

A Dedicated Interconnect
B Cloud Router
C Cloud VPN
D Partner Interconnect

Your organization has had a few recent DDoS attacks. You need to authenticate responses to domain name lookups. Which Google Cloud service should you use?

A Cloud DNS with DNSSEC
B Cloud NAT
C HTTP(S) Load Balancing
D Google Cloud Armor

A customer needs to prevent attackers from hijacking their domain/IP and redirecting users to a malicious site through a man-in-the-middle attack.
Which solution should this customer use?

A VPC Flow Logs
B Cloud Armor
C DNS Security Extensions
D Cloud Identity-Aware Proxy

Your Security team believes that a former employee of your company gained unauthorized access to Google Cloud resources some time in the past 2 months by using a service account key. You need to confirm the unauthorized access and determine the user activity. What should you do?

A Use Security Health Analytics to determine user activity.
B Use the Cloud Monitoring console to filter audit logs by user.
C Use the Cloud Data Loss Prevention API to query logs in Cloud Storage.
D Use the Logs Explorer to search for user activity.

Your company requires the security and network engineering teams to identify all network anomalies within and across VPCs, internal traffic from VMs to VMs, traffic between end locations on the internet and VMs, and traffic between VMs to Google Cloud services in production. Which method should you use?

A Define an organization policy constraint.
B Configure packet mirroring policies.
C Enable VPC Flow Logs on the subnet.
D Monitor and analyze Cloud Audit Logs.

Your company has been creating users manually in Cloud Identity to provide access to Google Cloud resources. Due to continued growth of the environment, you want to authorize the Google Cloud Directory Sync (GCDS) instance and integrate it with your on-premises LDAP server to onboard hundreds of users. You are required to:
✑ Replicate user and group lifecycle changes from the on-premises LDAP server in Cloud Identity.
✑ Disable any manually created users in Cloud Identity.
You have already configured the LDAP search attributes to include the users and security groups in scope for Google Cloud. What should you do next to complete this solution?

A
1. Configure the option to suspend domain users not found in LDAP. 2. Set up a recurring GCDS task.
B
1. Configure the option to delete domain users not found in LDAP. 2. Run GCDS after user and group lifecycle changes.
C
1. Configure the LDAP search attributes to exclude manually created Cloud Identity users not found in LDAP. 2. Set up a recurring GCDS task.
D
1. Configure the LDAP search attributes to exclude manually created Cloud Identity users not found in LDAP. 2. Run GCDS after user and group lifecycle changes.

You are troubleshooting access denied errors between Compute Engine instances connected to a Shared VPC and BigQuery datasets. The datasets reside in a project protected by a VPC Service Controls perimeter. What should you do?

A Add the host project containing the Shared VPC to the service perimeter.
B Add the service project where the Compute Engine instances reside to the service perimeter.
C Create a service perimeter between the service project where the Compute Engine instances reside and the host project that contains the Shared VPC.
D Create a perimeter bridge between the service project where the Compute Engine instances reside and the perimeter that contains the protected BigQuery datasets.

You recently joined the networking team supporting your company's Google Cloud implementation. You are tasked with familiarizing yourself with the firewall rules configuration and providing recommendations based on your networking and Google Cloud experience. What product should you recommend to detect firewall rules that are overlapped by attributes from other firewall rules with higher or equal priority?

A Security Command Center
B Firewall Rules Logging
C VPC Flow Logs
D Firewall Insights

The security operations team needs access to the security-related logs for all projects in their organization. They have the following requirements:
✑ Follow the least privilege model by having only view access to logs.
✑ Have access to Admin Activity logs.
✑ Have access to Data Access logs.
✑ Have access to Access Transparency logs.
Which Identity and Access Management (IAM) role should the security operations team be granted?

A roles/logging.privateLogViewer
B roles/logging.admin
C roles/viewer
D roles/logging.viewer

You are exporting application logs to Cloud Storage. You encounter an error message that the log sinks don't support uniform bucket-level access policies. How should you resolve this error?

A Change the access control model for the bucket
B Update your sink with the correct bucket destination.
C Add the roles/logging.logWriter Identity and Access Management (IAM) role to the bucket for the log sink identity.
D Add the roles/logging.bucketWriter Identity and Access Management (IAM) role to the bucket for the log sink identity.

You plan to deploy your cloud infrastructure using a CI/CD cluster hosted on Compute Engine. You want to minimize the risk of its credentials being stolen by a third party. What should you do?

A Create a dedicated Cloud Identity user account for the cluster. Use a strong self-hosted vault solution to store the user's temporary credentials.
B Create a dedicated Cloud Identity user account for the cluster. Enable the constraints/iam.disableServiceAccountCreation organization policy at the project level.
C Create a custom service account for the cluster. Enable the constraints/iam.disableServiceAccountKeyCreation organization policy at the project level
D Create a custom service account for the cluster. Enable the constraints/iam.allowServiceAccountCredentialLifetimeExtension organization policy at the project level.

You need to set up two network segments: one with an untrusted subnet and the other with a trusted subnet. You want to configure a virtual appliance such as a next-generation firewall (NGFW) to inspect all traffic between the two network segments. How should you design the network to inspect the traffic?

A
1. Set up one VPC with two subnets: one trusted and the other untrusted. 2. Configure a custom route for all traffic (0.0.0.0/0) pointed to the virtual appliance.
B
1. Set up one VPC with two subnets: one trusted and the other untrusted. 2. Configure a custom route for all RFC1918 subnets pointed to the virtual appliance.
C
1. Set up two VPC networks: one trusted and the other untrusted, and peer them together. 2. Configure a custom route on each network pointed to the virtual appliance.
D
1. Set up two VPC networks: one trusted and the other untrusted. 2. Configure a virtual appliance using multiple network interfaces, with each interface connected to one of the VPC networks.

You are a member of your company's security team. You have been asked to reduce your Linux bastion host external attack surface by removing all public IP addresses. Site Reliability Engineers (SREs) require access to the bastion host from public locations so they can access the internal VPC while off-site. How should you enable this access?

A Implement Cloud VPN for the region where the bastion host lives.
B Implement OS Login with 2-step verification for the bastion host.
C Implement Identity-Aware Proxy TCP forwarding for the bastion host.
D Implement Google Cloud Armor in front of the bastion host.

A customer deploys an application to App Engine and needs to check for Open Web Application Security Project (OWASP) vulnerabilities.
Which service should be used to accomplish this?

A Cloud Armor
B Google Cloud Audit Logs
C Web Security Scanner
D Anomaly Detection

You need to enable VPC Service Controls and allow changes to perimeters in existing environments without preventing access to resources. Which VPC Service
Controls mode should you use?

A Cloud Run
B Native
C Enforced
D Dry run

Professional Cloud Security EngineerPreview