Most Recent Google Professional-Cloud-Security-Engineer Exam Dumps

Prepare for the Google Professional Cloud Security Engineer exam with our extensive collection of questions and answers. These practice Q&A are updated according to the latest syllabus, providing you with the tools needed to review and test your knowledge.

QA4Exam focus on the latest syllabus and exam objectives, our practice Q&A are designed to help you identify key topics and solidify your understanding. By focusing on the core curriculum, These Questions & Answers helps you cover all the essential topics, ensuring you're well-prepared for every section of the exam. Each question comes with a detailed explanation, offering valuable insights and helping you to learn from your mistakes. Whether you're looking to assess your progress or dive deeper into complex topics, our updated Q&A will provide the support you need to confidently approach the Google Professional-Cloud-Security-Engineer exam and achieve success.

The questions for Professional-Cloud-Security-Engineer were last updated on Feb 20, 2025.

Viewing page 1 out of 47 pages.
Viewing questions 1-5 out of 233 questions

Get All 233 Questions & Answers

Question No. 1

You manage one of your organization's Google Cloud projects (Project A). AVPC Service Control (SC) perimeter is blocking API access requests to this project including Pub/Sub. A resource running under a service account in another project (Project B) needs to collect messages from a Pub/Sub topic in your project Project B is not included in a VPC SC perimeter. You need to provide access from Project B to the Pub/Sub topic in Project A using the principle of least

Privilege.

What should you do?

AConfigure an ingress policy for the perimeter in Project A and allow access for the service account in Project B to collect messages.

BCreate an access level that allows a developer in Project B to subscribe to the Pub/Sub topic that is located in Project A.

CCreate a perimeter bridge between Project A and Project B to allow the required communication between both projects.

DRemove the Pub/Sub API from the list of restricted services in the perimeter configuration for Project A.

Show Answer

Correct Answer: A

Question No. 2

You are exporting application logs to Cloud Storage. You encounter an error message that the log sinks don't support uniform bucket-level access policies. How should you resolve this error?

AChange the access control model for the bucket

BUpdate your sink with the correct bucket destination.

CAdd the roles/logging.logWriter Identity and Access Management (IAM) role to the bucket for the log sink identity.

DAdd the roles/logging.bucketWriter Identity and Access Management (IAM) role to the bucket for the log sink identity.

Show Answer

Correct Answer: A

https://cloud.google.com/logging/docs/export/troubleshoot#errors_exporting_to_cloud_storage

https://cloud.google.com/logging/docs/export/troubleshoot

Unable to grant correct permissions to the destination: Even if the sink was successfully created with the correct service account permissions, this error message displays if the access control model for the Cloud Storage bucket was set to uniform access when the bucket was created. For existing Cloud Storage buckets, you can change the access control model for the first 90 days after bucket creation by using the Permissions tab. For new buckets, select the Fine-grained access control model during bucket creation. For details, see Creating Cloud Storage buckets.

Question No. 3

You are tasked with exporting and auditing security logs for login activity events for Google Cloud console and API calls that modify configurations to Google Cloud resources. Your export must meet the following requirements:

Export related logs for all projects in the Google Cloud organization.

Export logs in near real-time to an external SIEM.

What should you do? (Choose two.)

ACreate a Log Sink at the organization level with a Pub/Sub destination.

BCreate a Log Sink at the organization level with the includeChildren parameter, and set the destination to a Pub/Sub topic.

CEnable Data Access audit logs at the organization level to apply to all projects.

DEnable Google Workspace audit logs to be shared with Google Cloud in the Admin Console.

EEnsure that the SIEM processes the AuthenticationInfo field in the audit log entry to gather identity information.

Show Answer

Correct Answer: B, D

'Google Workspace Login Audit: Login Audit logs track user sign-ins to your domain. These logs only record the login event. They don't record which system was used to perform the login action.' https://cloud.google.com/logging/docs/audit/gsuite-audit-logging#services

Question No. 4

A customer deployed an application on Compute Engine that takes advantage of the elastic nature of cloud computing.

How can you work with Infrastructure Operations Engineers to best ensure that Windows Compute Engine VMs are up to date with all the latest OS patches?

ABuild new base images when patches are available, and use a CI/CD pipeline to rebuild VMs, deploying incrementally.

BFederate a Domain Controller into Compute Engine, and roll out weekly patches via Group Policy Object.

CUse Deployment Manager to provision updated VMs into new serving Instance Groups (IGs).

DReboot all VMs during the weekly maintenance window and allow the StartUp Script to download the latest patches from the internet.

Show Answer

Correct Answer: A

Compute Engine doesn't automatically update the OS or the software on your deployed instances. You will need to patch or update your deployed Compute Engine instances when necessary. However, in the cloud it is not recommended that you patch or update individual running instances. Instead it is best to patch the image that was used to launch the instance and then replace each affected instance with a new copy.

Question No. 5

An employer wants to track how bonus compensations have changed over time to identify employee outliers and correct earning disparities. This task must be performed without exposing the sensitive compensation data for any individual and must be reversible to identify the outlier.

Which Cloud Data Loss Prevention API technique should you use to accomplish this?

AGeneralization

BRedaction

CCryptoHashConfig

DCryptoReplaceFfxFpeConfig

Show Answer

Correct Answer: D

De-identifying sensitive data Cloud Data Loss Prevention (DLP) can de-identify sensitive data in text content, including text stored in container structures such as tables. De-identification is the process of removing identifying information from data. The API detects sensitive data such as personally identifiable information (PII), and then uses a de-identification transformation to mask, delete, or otherwise obscure the data. For example, de-identification techniques can include any of the following: Masking sensitive data by partially or fully replacing characters with a symbol, such as an asterisk (*) or hash (#). Replacing each instance of sensitive data with a token, or surrogate, string. Encrypting and replacing sensitive data using a randomly generated or pre-determined key. When you de-identify data using the CryptoReplaceFfxFpeConfig or CryptoDeterministicConfig infoType transformations, you can re-identify that data, as long as you have the CryptoKey used to originally de-identify the data. https://cloud.google.com/dlp/docs/deidentify-sensitive-data

Unlock All Questions for Google Professional-Cloud-Security-Engineer Exam

Full Exam Access, Actual Exam Questions, Validated Answers, Anytime Anywhere, No Download Limits, No Practice Limits

Get All 233 Questions & Answers