
PROFESSIONAL-CLOUD-SECURITY-ENGINEER Online Practice Questions and Answers

Question 4

Your company is using Cloud Dataproc for its Spark and Hadoop jobs. You want to be able to create, rotate, and destroy symmetric encryption keys used for the persistent disks used by Cloud Dataproc. Keys can be stored in the cloud.

What should you do?

A. Use the Cloud Key Management Service to manage the data encryption key (DEK).

B. Use the Cloud Key Management Service to manage the key encryption key (KEK).

C. Use customer-supplied encryption keys to manage the data encryption key (DEK).

D. Use customer-supplied encryption keys to manage the key encryption key (KEK).


Correct Answer: B

Persistent disk (PD) and bucket data is encrypted using a Google-generated data encryption key (DEK) and key encryption key (KEK). The CMEK feature allows you to create, use, and revoke the key encryption key (KEK); Google still controls the data encryption key (DEK). For more information on Google data encryption keys, see Encryption at Rest.

https://cloud.google.com/dataproc/docs/concepts/configuring-clusters/customer-managed-encryption
https://codelabs.developers.google.com/codelabs/encrypt-and-decrypt-data-with-cloud-kms#0

Question 5

Your security team uses encryption keys to ensure confidentiality of user data. You want to establish a process to reduce the impact of a potentially compromised symmetric encryption key in Cloud Key Management Service (Cloud KMS).

Which steps should your team take before an incident occurs? (Choose two.)

A. Disable and revoke access to compromised keys.

B. Enable automatic key version rotation on a regular schedule.

C. Manually rotate key versions on an ad hoc schedule.

D. Limit the number of messages encrypted with each key version.

E. Disable the Cloud KMS API.


Correct Answer: BD

As per the documentation: "Limiting the number of messages encrypted with the same key version helps prevent attacks enabled by cryptanalysis."

https://cloud.google.com/kms/docs/key-rotation

Question 6

You are tasked with exporting and auditing security logs for login activity events for Google Cloud console and API calls that modify configurations to Google Cloud resources. Your export must meet the following requirements:

Export related logs for all projects in the Google Cloud organization.

Export logs in near real-time to an external SIEM.

What should you do? (Choose two.)

A. Create a Log Sink at the organization level with a Pub/Sub destination.

B. Create a Log Sink at the organization level with the includeChildren parameter, and set the destination to a Pub/Sub topic.

C. Enable Data Access audit logs at the organization level to apply to all projects.

D. Enable Google Workspace audit logs to be shared with Google Cloud in the Admin Console.

E. Ensure that the SIEM processes the AuthenticationInfo field in the audit log entry to gather identity information.


Correct Answer: BD

Reference:

https://www.datadoghq.com/blog/monitoring-gcp-audit-logs/
https://cloud.google.com/logging/docs/audit/gsuite-audit-logging#services

"Google Workspace Login Audit: Login Audit logs track user sign-ins to your domain. These logs only record the login event. They don't record which system was used to perform the login action."

Question 7

You want data on Compute Engine disks to be encrypted at rest with keys managed by Cloud Key Management Service (KMS). Cloud Identity and Access Management (IAM) permissions to these keys must be managed in a grouped way because the permissions should be the same for all keys.

What should you do?

A. Create a single KeyRing for all persistent disks and all Keys in this KeyRing. Manage the IAM permissions at the Key level.

B. Create a single KeyRing for all persistent disks and all Keys in this KeyRing. Manage the IAM permissions at the KeyRing level.

C. Create a KeyRing per persistent disk, with each KeyRing containing a single Key. Manage the IAM permissions at the Key level.

D. Create a KeyRing per persistent disk, with each KeyRing containing a single Key. Manage the IAM permissions at the KeyRing level.


Correct Answer: B

https://cloud.netapp.com/blog/gcp-cvo-blg-how-to-use-google-cloud-encryption-with-a-persistent-disk

Question 8

An office manager at your small startup company is responsible for matching payments to invoices and creating billing alerts. For compliance reasons, the office manager is only permitted to have the Identity and Access Management (IAM) permissions necessary for these tasks. Which two IAM roles should the office manager have? (Choose two.)

A. Organization Administrator

B. Project Creator

C. Billing Account Viewer

D. Billing Account Costs Manager

E. Billing Account User


Correct Answer: CD

https://cloud.google.com/billing/docs/how-to/billing-access#overview-of-cloud-billing-roles-in-cloud-iam

Billing Account Costs Manager (roles/billing.costsManager): Manage budgets and view and export cost information of billing accounts (but not pricing information).

Billing Account Viewer (roles/billing.viewer): View billing account cost information and transactions.

Question 9

You are a security administrator at your company. Per Google-recommended best practices, you implemented the domain restricted sharing organization policy to allow only required domains to access your projects. An engineering team is now reporting that users at an external partner outside your organization domain cannot be granted access to the resources in a project. How should you make an exception for your partner's domain while following the stated best practices?

A. Turn off the domain restricted sharing organization policy. Set the policy value to "Allow All."

B. Turn off the domain restricted sharing organization policy. Provide the external partners with the required permissions using Google's Identity and Access Management (IAM) service.

C. Turn off the domain restricted sharing organization policy. Add each partner's Google Workspace customer ID to a Google group, add the Google group as an exception under the organization policy, and then turn the policy back on.

D. Turn off the domain restricted sharing organization policy. Set the policy value to "Custom." Add each external partner's Cloud Identity or Google Workspace customer ID as an exception under the organization policy, and then turn the policy back on.


Correct Answer: D

https://cloud.google.com/resource-manager/docs/organization-policy/restricting-domains#setting_the_organization_policy

The domain restriction constraint is a type of list constraint. Google Workspace customer IDs can be added and removed from the allowed_values list of a domain restriction constraint.

The domain restriction constraint does not support denying values, and an organization policy can't be saved with IDs in the denied_values list.

All domains associated with a Google Workspace account listed in the allowed_values will be allowed by the organization policy.

All other domains will be denied by the organization policy.

Question 10

You plan to deploy your cloud infrastructure using a CI/CD cluster hosted on Compute Engine. You want to minimize the risk of its credentials being stolen by a third party. What should you do?

A. Create a dedicated Cloud Identity user account for the cluster. Use a strong self-hosted vault solution to store the user's temporary credentials.

B. Create a dedicated Cloud Identity user account for the cluster. Enable the constraints/iam.disableServiceAccountCreation organization policy at the project level.

C. Create a custom service account for the cluster. Enable the constraints/iam.disableServiceAccountKeyCreation organization policy at the project level.

D. Create a custom service account for the cluster. Enable the constraints/iam.allowServiceAccountCredentialLifetimeExtension organization policy at the project level.


Correct Answer: C

Disable service account key creation: you can use the iam.disableServiceAccountKeyCreation boolean constraint to disable the creation of new external service account keys. This allows you to control the use of unmanaged long-term credentials for service accounts. When this constraint is set, user-managed credentials cannot be created for service accounts in projects affected by the constraint.

https://cloud.google.com/resource-manager/docs/organization-policy/restricting-service-accounts#example_policy_boolean_constraint

Question 11

Your organization wants full control of the keys used to encrypt data at rest in their Google Cloud environments. Keys must be generated and stored outside of Google and integrate with many Google Services including BigQuery. What should you do?

A. Use customer-supplied encryption keys (CSEK) with keys generated on trusted external systems. Provide the raw CSEK as part of the API call.

B. Create a KMS key that is stored on a Google managed FIPS 140-2 level 3 Hardware Security Module (HSM). Manage the Identity and Access Management (IAM) permissions settings, and set up the key rotation period.

C. Use Cloud External Key Management (EKM) that integrates with an external Hardware Security Module (HSM) system from supported vendors.

D. Create a Cloud Key Management Service (KMS) key with imported key material. Wrap the key for protection during import. Import the key generated on a trusted system in Cloud KMS.


Correct Answer: C

The correct answer is C. Use Cloud External Key Management (EKM) that integrates with an external Hardware Security Module (HSM) system from supported vendors.

Cloud EKM allows you to use encryption keys that are stored and managed in a third-party key management system deployed outside of Google's infrastructure. This gives your organization full control over the keys used to encrypt data at rest in Google Cloud environments, including BigQuery.

Question 12

Your organization uses the top-tier folder to separate application environments (prod and dev). The developers need to see all application development audit logs, but they are not permitted to review production logs. Your security team can review all logs in production and development environments. You must grant Identity and Access Management (IAM) roles at the right resource level for the developers and security team while you ensure least privilege.

What should you do?

A. 1. Grant logging.viewer role to the security team at the organization resource level.

2. Grant logging.viewer role to the developer team at the folder resource level that contains all the dev projects.

B. 1. Grant logging.viewer role to the security team at the organization resource level.

2. Grant logging.admin role to the developer team at the organization resource level.

C. 1. Grant logging.admin role to the security team at the organization resource level.

2. Grant logging.viewer role to the developer team at the folder resource level that contains all the dev projects.

D. 1. Grant logging.admin role to the security team at the organization resource level.

2. Grant logging.admin role to the developer team at the organization resource level.


Correct Answer: A

Grant logging.viewer role to the security team at the organization resource level. This allows the security team to view all logs in both production and development environments. Grant logging.viewer role to the developer team at the folder resource level that contains all the dev projects. This allows the developers to view all application development audit logs, but not the production logs, ensuring least privilege.

Question 13

For data residency requirements, you want your secrets in Google Cloud's Secret Manager to only have payloads in europe-west1 and europe-west4. Your secrets must be highly available in both regions. What should you do?

A. Create your secret with a user managed replication policy, and choose only compliant locations.

B. Create your secret with an automatic replication policy, and choose only compliant locations.

C. Create two secrets by using Terraform, one in europe-west1 and the other in europe-west4.

D. Create your secret with an automatic replication policy, and create an organizational policy to deny secret creation in non-compliant locations.


Correct Answer: A

A is correct.

https://cloud.google.com/secret-manager/docs/choosing-replication#user-managed

Exam Code: PROFESSIONAL-CLOUD-SECURITY-ENGINEER
Exam Name: Professional Cloud Security Engineer
Last Update: May 25, 2026
Questions: 324
