Amazon
Avaya
Cisco
CompTIA
CrowdStrike
EC-Council
EXIN
Fortinet
Google
ISC
ISC2
ITIL
Juniper
Microsoft
NVIDIA
Okta
Palo Alto Networks
Salesforce
All Vendors
  1. Home
  2. Google
  3. PROFESSIONAL-CLOUD-SECURITY-ENGINEER

Google PROFESSIONAL-CLOUD-SECURITY-ENGINEER Exam (page: 5)
Google Professional Cloud Security Engineer
Updated on: 12-Jan-2026

Viewing Page 5 of 48
PROFESSIONAL-CLOUD-SECURITY-ENGINEER PDF 361 Questions

In order to meet PCI DSS requirements, a customer wants to ensure that all outbound traffic is authorized.

Which two cloud offerings meet this requirement without additional compensating controls? (Choose two.)

  1. App Engine
  2. Cloud Functions
  3. Compute Engine
  4. Google Kubernetes Engine
  5. Cloud Storage

Answer(s): C,D

Explanation:

App Engine ingress firewall rules are available, but egress rules are not currently available. Per requirements 1.2.1 and 1.3.4, you must ensure that all outbound traffic is authorized. SAQ A-EP and SAQ D­type merchants must provide compensating controls or use a different Google Cloud product. Compute Engine and GKE are the preferred alternatives. https://cloud.google.com/solutions/pci-dss- compliance-in-gcp



A website design company recently migrated all customer sites to App Engine. Some sites are still in progress and should only be visible to customers and company employees from any location.

Which solution will restrict access to the in-progress sites?

  1. Upload an .htaccess file containing the customer and employee user accounts to App Engine.
  2. Create an App Engine firewall rule that allows access from the customer and employee networks and denies all other traffic.
  3. Enable Cloud Identity-Aware Proxy (IAP), and allow access to a Google Group that contains the customer and employee user accounts.
  4. Use Cloud VPN to create a VPN connection between the relevant on-premises networks and the company's GCP Virtual Private Cloud (VPC) network.

Answer(s): C

Explanation:

https://cloud.google.com/iap/docs/concepts-overview#when_to_use_iap



When working with agents in a support center via online chat, an organization's customers often share pictures of their documents with personally identifiable information (PII). The organization that owns the support center is concerned that the PII is being stored in their databases as part of the regular chat logs they retain for review by internal or external analysts for customer service trend analysis.

Which Google Cloud solution should the organization use to help resolve this concern for the customer while still maintaining data utility?

  1. Use Cloud Key Management Service (KMS) to encrypt the PII data shared by customers before storing it for analysis.
  2. Use Object Lifecycle Management to make sure that all chat records with PII in them are discarded and not saved for analysis.
  3. Use the image inspection and redaction actions of the DLP API to redact PII from the images before storing them for analysis.
  4. Use the generalization and bucketing actions of the DLP API solution to redact PII from the texts before storing them for analysis.

Answer(s): C

Explanation:

https://cloud.google.com/dlp/docs/concepts-image-redaction



A company's application is deployed with a user-managed Service Account key. You want to use Google- recommended practices to rotate the key.

What should you do?

  1. Open Cloud Shell and run gcloud iam service-accounts enable-auto-rotate --iam- account=IAM_ACCOUNT.
  2. Open Cloud Shell and run gcloud iam service-accounts keys rotate --iam- account=IAM_ACCOUNT --key=NEW_KEY.
  3. Create a new key, and use the new key in the application. Delete the old key from the Service Account.
  4. Create a new key, and use the new key in the application. Store the old key on the system as a backup key.

Answer(s): C

Explanation:

You can rotate a key by creating a new key, updating applications to use the new key, and deleting the old key. Use the serviceAccount.keys.create() method and serviceAccount.keys.delete() method together to automate the rotation.


Reference:

https://cloud.google.com/iam/docs/understanding-service-accounts



Your team needs to configure their Google Cloud Platform (GCP) environment so they can centralize the control over networking resources like firewall rules, subnets, and routes. They also have an on- premises environment where resources need access back to the GCP resources through a private VPN connection. The networking resources will need to be controlled by the network security team.

Which type of networking design should your team use to meet these requirements?

  1. Shared VPC Network with a host project and service projects
  2. Grant Compute Admin role to the networking team for each engineering project
  3. VPC peering between all engineering projects using a hub and spoke model
  4. Cloud VPN Gateway between all engineering projects using a hub and spoke model

Answer(s): A


Reference:

https://cloud.google.com/docs/enterprise/best-practices-for-enterprise- organizations#centralize_network_control

Use Shared VPC to connect to a common VPC network. Resources in those projects can communicate with each other securely and efficiently across project boundaries using internal IPs. You can manage shared network resources, such as subnets, routes, and firewalls, from a central host project, enabling you to apply and enforce consistent network policies across the projects.



Viewing Page 5 of 48



Share your comments for Google PROFESSIONAL-CLOUD-SECURITY-ENGINEER exam with other users:

Andy 12/6/2023 5:56:00 AM

very valid questions
Anonymous


Mamo 8/12/2023 7:46:00 AM

will these question help me to clear pl-300 exam?
UNITED STATES


Marial Manyang 7/26/2023 10:13:00 AM

please provide me with these dumps questions. thanks
Anonymous


Amel Mhamdi 12/16/2022 10:10:00 AM

in the pdf downloaded is write google cloud database engineer i think that it isnt the correct exam
FRANCE


Angel 8/30/2023 10:58:00 PM

i think you have the answers wrong regarding question: "what are three core principles of web content accessibility guidelines (wcag)? answer: robust, operable, understandable
UNITED STATES


SH 5/16/2023 1:43:00 PM

these questions are not valid , they dont come for the exam now
UNITED STATES


sudhagar 9/6/2023 3:02:00 PM

question looks valid
UNITED STATES


Van 11/24/2023 4:02:00 AM

good for practice
Anonymous


Divya 8/2/2023 6:54:00 AM

need more q&a to go ahead
Anonymous


Rakesh 10/6/2023 3:06:00 AM

question 59 - a newly-created role is not assigned to any user, nor granted to any other role. answer is b https://docs.snowflake.com/en/user-guide/security-access-control-overview
Anonymous


Nik 11/10/2023 4:57:00 AM

just passed my exam today. i saw all of these questions in my text today. so i can confirm this is a valid dump.
HONG KONG


Deep 6/12/2023 7:22:00 AM

needed dumps
INDIA


tumz 1/16/2024 10:30:00 AM

very helpful
UNITED STATES


NRI 8/27/2023 10:05:00 AM

will post once the exam is finished
UNITED STATES


kent 11/3/2023 10:45:00 AM

relevant questions
Anonymous


Qasim 6/11/2022 9:43:00 AM

just clear exam on 10/06/2202 dumps is valid all questions are came same in dumps only 2 new questions total 46 questions 1 case study with 5 question no lab/simulation in my exam please check the answers best of luck
Anonymous


Cath 10/10/2023 10:09:00 AM

q.112 - correct answer is c - the event registry is a module that provides event definitions. answer a - not correct as it is the definition of event log
VIET NAM


Shiji 10/15/2023 1:31:00 PM

good and useful.
INDIA


Ade 6/25/2023 1:14:00 PM

good questions
Anonymous


Praveen P 11/8/2023 5:18:00 AM

good content
UNITED STATES


Anastasiia 12/28/2023 9:06:00 AM

totally not correct answers. 21. you have one gcp account running in your default region and zone and another account running in a non-default region and zone. you want to start a new compute engine instance in these two google cloud platform accounts using the command line interface. what should you do? correct: create two configurations using gcloud config configurations create [name]. run gcloud config configurations activate [name] to switch between accounts when running the commands to start the compute engine instances.
Anonymous


Priyanka 7/24/2023 2:26:00 AM

kindly upload the dumps
Anonymous


Nabeel 7/25/2023 4:11:00 PM

still learning
Anonymous


gure 7/26/2023 5:10:00 PM

excellent way to learn
UNITED STATES


ciken 8/24/2023 2:55:00 PM

help so much
Anonymous


Biswa 11/20/2023 9:28:00 AM

understand sql col.
Anonymous


Saint Pierre 10/24/2023 6:21:00 AM

i would give 5 stars to this website as i studied for az-800 exam from here. it has all the relevant material available for preparation. i got 890/1000 on the test.
Anonymous


Rose 7/24/2023 2:16:00 PM

this is nice.
Anonymous


anon 10/15/2023 12:21:00 PM

q55- the ridac workflow can be modified using flow designer, correct answer is d not a
UNITED STATES


NanoTek3 6/13/2022 10:44:00 PM

by far this is the most accurate exam dumps i have ever purchased. all questions are in the exam. i saw almost 90% of the questions word by word.
UNITED STATES


eriy 11/9/2023 5:12:00 AM

i cleared the az-104 exam by scoring 930/1000 on the exam. it was all possible due to this platform as it provides premium quality service. thank you!
UNITED STATES


Muhammad Rawish Siddiqui 12/8/2023 8:12:00 PM

question # 232: accessibility, privacy, and innovation are not data quality dimensions.
SAUDI ARABIA


Venkat 12/27/2023 9:04:00 AM

looks wrong answer for 443 question, please check and update
Anonymous


Varun 10/29/2023 9:11:00 PM

great question
Anonymous