Oct-2025 Google Professional-Cloud-Security-Engineer Actual Questions and 100% Cover Real Exam Questions [Q113-Q134]

Share

Oct-2025 Google Professional-Cloud-Security-Engineer Actual Questions and 100% Cover Real Exam Questions

Professional-Cloud-Security-Engineer Free Exam Questions and Answers PDF Updated on Oct-2025

NEW QUESTION # 113
A large e-retailer is moving to Google Cloud Platform with its ecommerce website. The company wants to ensure payment information is encrypted between the customer's browser and GCP when the customers checkout online.
What should they do?

  • A. Configure the firewall to allow outbound traffic on port 443, and block all other outbound traffic.
  • B. Configure an SSL Certificate on a Network TCP Load Balancer and require encryption.
  • C. Configure an SSL Certificate on an L7 Load Balancer and require encryption.
  • D. Configure the firewall to allow inbound traffic on port 443, and block all other inbound traffic.

Answer: C

Explanation:
Explanation
https://cloud.google.com/load-balancing/docs/load-balancing-overview#external_versus_internal_load_balancing


NEW QUESTION # 114
You need to set up two network segments: one with an untrusted subnet and the other with a trusted subnet. You want to configure a virtual appliance such as a next-generation firewall (NGFW) to inspect all traffic between the two network segments. How should you design the network to inspect the traffic?

  • A. 1. Set up one VPC with two subnets: one trusted and the other untrusted. 2. Configure a custom route for all traffic (0.0.0.0/0) pointed to the virtual appliance.
  • B. 1. Set up two VPC networks: one trusted and the other untrusted. 2. Configure a virtual appliance using multiple network interfaces, with each interface connected to one of the VPC networks.
  • C. 1. Set up two VPC networks: one trusted and the other untrusted, and peer them together. 2.
    Configure a custom route on each network pointed to the virtual appliance.
  • D. 1. Set up one VPC with two subnets: one trusted and the other untrusted. 2. Configure a custom route for all RFC1918 subnets pointed to the virtual appliance.

Answer: B

Explanation:
Multiple network interfaces. The simplest way to connect multiple VPC networks through a virtual appliance is by using multiple network interfaces, with each interface connecting to one of the VPC networks. Internet and on-premises connectivity is provided over one or two separate network interfaces. With many NGFW products, internet connectivity is connected through an interface marked as untrusted in the NGFW software.
https://www.cisco.com/c/en/us/td/docs/security/firepower/quick_start/gcp/ftdv-gcp-gsg/ftdv-gcp- intro.html


NEW QUESTION # 115
A DevOps team will create a new container to run on Google Kubernetes Engine. As the application will be internet-facing, they want to minimize the attack surface of the container.
What should they do?

  • A. Build small containers using small base images.
  • B. Use a Continuous Delivery tool to deploy the application.
  • C. Delete non-used versions from Container Registry.
  • D. Use Cloud Build to build the container images.

Answer: A

Explanation:
Explanation
Small containers usually have a smaller attack surface as compared to containers that use large base images.https://cloud.google.com/blog/products/gcp/kubernetes-best-practices-how-and-why-to-build-small-conta


NEW QUESTION # 116
A customer needs to launch a 3-tier internal web application on Google Cloud Platform (GCP). The customer's internal compliance requirements dictate that end-user access may only be allowed if the traffic seems to originate from a specific known good CIDR. The customer accepts the risk that their application will only have SYN flood DDoS protection. They want to use GCP's native SYN flood protection.
Which product should be used to meet these requirements?

  • A. VPC Firewall Rules
  • B. Cloud CDN
  • C. Cloud Identity and Access Management
  • D. Cloud Armor

Answer: D


NEW QUESTION # 117
Your company conducts clinical trials and needs to analyze the results of a recent study that are stored in BigQuery. The interval when the medicine was taken contains start and stop dates. The interval data is critical to the analysis, but specific dates may identify a particular batch and introduce bias. You need to obfuscate the start and end dates for each row and preserve the interval data.
What should you do?

  • A. Use date shifting with the context set to the unique ID of the test subject.
  • B. Use the FFX mode of format preserving encryption (FPE) and maintain data consistency.
  • C. Extract the date using TimePartConfig from each date field and append a random month and year.
  • D. Use bucketing to shift values to a predetermined date based on the initial value.

Answer: A

Explanation:
https://cloud.google.com/dlp/docs/concepts-date-shifting


NEW QUESTION # 118
You have a highly sensitive BigQuery workload that contains personally identifiable information (PII) that you want to ensure is not accessible from the internet. To prevent data exfiltration, only requests from authorized IP addresses are allowed to query your BigQuery tables.
What should you do?

  • A. Use service perimeter and create an access level based on the authorized source IP address as the condition.
  • B. Use the Restrict allowed Google Cloud APIs and services organization policy constraint along with Cloud Data Loss Prevention (DLP).
  • C. Use the Restrict Resource Service Usage organization policy constraint along with Cloud Data Loss Prevention (DLP).
  • D. Use Google Cloud Armor security policies defining an allowlist of authorized IP addresses at the global HTTPS load balancer.

Answer: A

Explanation:
This approach allows you to create a boundary that controls access to Google Cloud resources for services within the same perimeter. By creating an access level based on the authorized source IP address as the condition, you can ensure that only requests from authorized IP addresses are allowed to query your BigQuery tables. This effectively prevents data exfiltration and ensures that your sensitive BigQuery workload is not accessible from the internet.


NEW QUESTION # 119
You plan to use a Google Cloud Armor policy to prevent common attacks such as cross-site scripting (XSS) and SQL injection (SQLi) from reaching your web application's backend. What are two requirements for using Google Cloud Armor security policies? (Choose two.)

  • A. The load balancer must be an external SSL proxy load balancer.
  • B. The load balancer must use the Premium Network Service Tier.
  • C. Google Cloud Armor Policy rules can only match on Layer 7 (L7) attributes.
  • D. The load balancer must be an external HTTP(S) load balancer.
  • E. The backend service's load balancing scheme must be EXTERNAL.

Answer: D,E

Explanation:
Explanation
https://cloud.google.com/armor/docs/security-policy-overview#requirements says: The backend service's load balancing scheme must be EXTERNAL, or EXTERNAL_MANAGED *** if you are using global external HTTP(S) load balancer ***.


NEW QUESTION # 120
You are implementing data protection by design and in accordance with GDPR requirements. As part of design reviews, you are told that you need to manage the encryption key for a solution that includes workloads for Compute Engine, Google Kubernetes Engine, Cloud Storage, BigQuery, and Pub/Sub. Which option should you choose for this implementation?

  • A. Cloud External Key Manager
  • B. Google default encryption
  • C. Customer-managed encryption keys
  • D. Customer-supplied encryption keys

Answer: C

Explanation:
To comply with GDPR requirements and manage encryption keys for workloads across multiple Google Cloud services, customer-managed encryption keys (CMEK) offer a suitable solution.
Customer-managed encryption keys (B):
CMEK allows you to create and manage encryption keys using Google Cloud Key Management Service (KMS). You maintain full control over the key lifecycle, including key rotation and destruction.
CMEK can be used with various Google Cloud services, such as Compute Engine, Google Kubernetes Engine, Cloud Storage, BigQuery, and Pub/Sub, ensuring consistent and compliant encryption across your environment.
Using CMEK, you can implement data protection by design, aligning with GDPR requirements by ensuring that encryption keys are appropriately managed and secured.
Reference:
Customer-Managed Encryption Keys Documentation
Encryption at Rest in Google Cloud


NEW QUESTION # 121
Your organization is transitioning to Google Cloud You want to ensure that only trusted container images are deployed on Google Kubernetes Engine (GKE) clusters in a project. The containers must be deployed from a centrally managed. Container Registry and signed by a trusted authority.
What should you do?
Choose 2 answers

  • A. Enable Container Threat Detection in the Security Command Center (SCC) for the project.
  • B. Configure the trusted image organization policy constraint for the project.
  • C. Create a custom organization policy constraint to enforce Binary Authorization for Google Kubernetes Engine (GKE).
  • D. Enable Pod Security standards and set them to Restricted.
  • E. Configure the Binary Authorization policy with respective attestations for the project.

Answer: C,E

Explanation:
* Configure Binary Authorization:
* Binary Authorization is a deploy-time security control that ensures only trusted container images are deployed on GKE. It uses attestations to verify the authenticity and integrity of the images.
* Enable Binary Authorization in your project through the Google Cloud Console or using the gcloud command-line tool.
* Define attestation policies that specify which attestors (trusted entities) must sign off on container images before deployment.
* Set Up Attestors:
* Create and configure attestors that will sign the container images. This involves generating cryptographic keys and setting up trusted authorities.
* Attestors can be configured to sign images based on criteria such as vulnerability scanning results, compliance checks, and other security policies.
* Create a Custom Organization Policy Constraint:
* Define an organization policy constraint that enforces Binary Authorization across your GKE clusters.
* This custom constraint ensures that all clusters in the organization must adhere to the Binary Authorization policy, preventing the deployment of unsigned or unauthorized container images.
* Implement and Enforce the Policies:
* Apply the Binary Authorization policy and the organization policy constraint to your GKE clusters.
* Regularly review and update the policies and attestation rules to align with your security and compliance requirements.
References:
* Binary Authorization Documentation
* Creating Attestors
* Organization Policy Constraints


NEW QUESTION # 122
Your organization wants to be continuously evaluated against CIS Google Cloud Computing Foundations Benchmark v1.3.0 (CIS Google Cloud Foundation 1.3). Some of the controls are irrelevant to your organization and must be disregarded in evaluation. You need to create an automated system or process to ensure that only the relevant controls are evaluated.
What should you do?

  • A. Download all findings from Security Command Center (SCC) to a CSV file. Mark the findings that are part of CIS Google Cloud Foundation 1.3 in the file. Ignore the entries that are irrelevant and out of scope for the company.
  • B. Mark all security findings that are irrelevant with a tag and a value that indicates a security exception. Select all marked findings, and mute them on the console every time they appear.
    Activate Security Command Center (SCC) Premium.
  • C. Activate Security Command Center (SCC) Premium. Create a rule to mute the security findings in SCC so they are not evaluated.
  • D. Ask an external audit company to provide independent reports including needed CIS benchmarks. In the scope of the audit, clarify that some of the controls are not needed and must be disregarded.

Answer: C

Explanation:
https://cloud.google.com/security-command-center/docs/how-to-mute-findings


NEW QUESTION # 123
You have been tasked with configuring Security Command Center for your organization's Google Cloud environment. Your security team needs to receive alerts of potential crypto mining in the organization's compute environment and alerts for common Google Cloud misconfigurations that impact security. Which Security Command Center features should you use to configure these alerts? (Choose two.)

  • A. Cloud Data Loss Prevention
  • B. Security Health Analytics
  • C. Container Threat Detection
  • D. Event Threat Detection
  • E. Google Cloud Armor

Answer: B,D

Explanation:
Explanation
https://cloud.google.com/security-command-center/docs/concepts-event-threat-detection-overview Event Threat Detection is a built-in service for the Security Command Center Premium tier that continuously monitors your organization and identifies threats within your systems in near-real time.https://cloud.google.com/security-command-center/docs/concepts-security-sources#security-health-analytic


NEW QUESTION # 124
A company is deploying their application on Google Cloud Platform. Company policy requires long-term data to be stored using a solution that can automatically replicate data over at least two geographic places.
Which Storage solution are they allowed to use?

  • A. Compute Engine SSD Disk
  • B. Cloud Bigtable
  • C. Cloud BigQuery
  • D. Compute Engine Persistent Disk

Answer: C

Explanation:
https://cloud.google.com/bigquery#:~:text=BigQuery%20transparently%20and%20automatically%20provides,charge%20and%20no%20additional%20setup.&text=BigQuery%20also%20provides%20ODBC%20and,interact%20with%20its%20powerful%20engine.


NEW QUESTION # 125
You are in charge of creating a new Google Cloud organization for your company. Which two actions should you take when creating the super administrator accounts? (Choose two.)

  • A. Disable any Identity and Access Management (1AM) roles for super admin at the organization level in the Google Cloud Console.
  • B. Provide non-privileged identities to the super admin users for their day-to-day activities.
  • C. Use a physical token to secure the super admin credentials with multi-factor authentication (MFA).
  • D. Use a private connection to create the super admin accounts to avoid sending your credentials over the Internet.
  • E. Create an access level in the Google Admin console to prevent super admin from logging in to Google Cloud.

Answer: C,E


NEW QUESTION # 126
You need to connect your organization's on-premises network with an existing Google Cloud environment that includes one Shared VPC with two subnets named Production and Non- Production. You are required to:
- Use a private transport link.
- Configure access to Google Cloud APIs through private API endpoints originating from on- premises environments.
- Ensure that Google Cloud APIs are only consumed via VPC Service Controls.
What should you do?

  • A. 1. Set up a Cloud VPN link between the on-premises environment and Google Cloud. 2.
    Configure private access using the restricted.googleapis.com domains in on-premises DNS configurations.
  • B. 1. Set up a Dedicated Interconnect link between the on-premises environment and Google Cloud.
    2. Configure private access using the restricted.googleapis.com domains in on-premises DNS configurations.
  • C. 1. Set up a Direct Peering link between the on-premises environment and Google Cloud. 2.
    Configure private access for both VPC subnets.
  • D. 1. Set up a Partner Interconnect link between the on-premises environment and Google Cloud. 2.
    Configure private access using the private.googleapis.com domains in on-premises DNS configurations.

Answer: B

Explanation:
restricted.googleapis.com (199.36.153.4/30) only provides access to Cloud and Developer APIs that support VPC Service Controls. VPC Service Controls are enforced for these services
https://cloud.google.com/vpc/docs/configure-private-google-access-hybrid


NEW QUESTION # 127
When working with agents in a support center via online chat, an organization's customers often share pictures of their documents with personally identifiable information (PII). The organization that owns the support center is concerned that the PII is being stored in their databases as part of the regular chat logs they retain for review by internal or external analysts for customer service trend analysis.
Which Google Cloud solution should the organization use to help resolve this concern for the customer while still maintaining data utility?

  • A. Use Object Lifecycle Management to make sure that all chat records with PII in them are discarded and not saved for analysis.
  • B. Use the generalization and bucketing actions of the DLP API solution to redact PII from the texts before storing them for analysis.
  • C. Use Cloud Key Management Service (KMS) to encrypt the PII data shared by customers before storing it for analysis.
  • D. Use the image inspection and redaction actions of the DLP API to redact PII from the images before storing them for analysis.

Answer: D

Explanation:
https://cloud.google.com/dlp/docs/deidentify-sensitive-data


NEW QUESTION # 128
A customer's internal security team must manage its own encryption keys for encrypting data on Cloud Storage and decides to use customer-supplied encryption keys (CSEK).
How should the team complete this task?

  • A. Encrypt the object, then use the gsutil command line tool or the Google Cloud Platform Console to upload the object to Cloud Storage.
  • B. Generate an encryption key in the Google Cloud Platform Console, and upload an object to Cloud Storage using the specified key.
  • C. Upload the encryption key to a Cloud Storage bucket, and then upload the object to the same bucket.
  • D. Use the gsutil command line tool to upload the object to Cloud Storage, and specify the location of the encryption key.

Answer: D

Explanation:
Because if you encrypt the object using CSEK, then you can't use google cloud console to upload the object.
https://cloud.google.com/storage/docs/encryption/customer-supplied-keys


NEW QUESTION # 129
You are troubleshooting access denied errors between Compute Engine instances connected to a Shared VPC and BigQuery datasets. The datasets reside in a project protected by a VPC Service Controls perimeter. What should you do?

  • A. Add the service project where the Compute Engine instances reside to the service perimeter.
  • B. Add the host project containing the Shared VPC to the service perimeter.
  • C. Create a service perimeter between the service project where the Compute Engine instances reside and the host project that contains the Shared VPC.
  • D. Create a perimeter bridge between the service project where the Compute Engine instances reside and the perimeter that contains the protected BigQuery datasets.

Answer: B

Explanation:
For VMs inside shared VPC, the host project needs to be added to the perimeter as well. I had real-life experience with this. However, this creates new security issues as all other VMs in other projects which are attached to shared subnets in the same host project then are also able to access the perimeter. Google recommends setting up Private Service Connect Endpoints to achieve subnet segregation for VPC-SC usage with Host projects.


NEW QUESTION # 130
Your organization leverages folders to represent different teams within your Google Cloud environment. To support Infrastructure as Code (IaC) practices, each team receives a dedicated service account upon onboarding. You want to ensure that teams have comprehensive permissions to manage resources within their assigned folders while adhering to the principle of least privilege. You must design the permissions for these team-based service accounts in the most effective way possible. What should you do?

  • A. Grant each service account the project creator role at the organization level and use folder-level IAM conditions to restrict project creation to specific folders.Reddit
  • B. Grant each service account the folder administrator role on its respective folder.
  • C. Assign each service account the project editor role at the organization level and instruct teams to use IAM bindings at the folder level for fine-grained permissions.
  • D. Assign each service account the folder IAM administrator role on its respective folder to allow teams to create and manage additional custom roles if needed.

Answer: B

Explanation:
To ensure that each team's service account has the necessary permissions to manage resources within their assigned folders while adhering to the principle of least privilege, the following considerations apply:
Folder Administrator Role: Granting each service account the Folder Administrator role on its respective folder provides comprehensive permissions to manage resources within that folder, including creating, updating, and deleting projects and resources. This approach ensures that teams have the necessary control over their environments without extending permissions beyond their assigned scope.
Principle of Least Privilege: By assigning permissions at the folder level, you limit the service account's access to only the resources within its designated folder, aligning with the principle of least privilege and reducing the risk of unauthorized access to other parts of the organization.
Therefore, Option A is the most effective approach, as it provides the necessary permissions for teams to manage their resources within their assigned folders while adhering to security best practices.
Reference:
Understanding Roles
Best Practices for Enterprise Organizations


NEW QUESTION # 131
Your team sets up a Shared VPC Network where project co-vpc-prod is the host project. Your team has configured the firewall rules, subnets, and VPN gateway on the host project. They need to enable Engineering Group A to attach a Compute Engine instance to only the 10.1.1.0/24 subnet.
What should your team grant to Engineering Group A to meet this requirement?

  • A. Compute Shared VPC Admin Role at the host project level.
  • B. Compute Shared VPC Admin Role at the service project level.
  • C. Compute Network User Role at the subnet level.
  • D. Compute Network User Role at the host project level.

Answer: A

Explanation:
Reference:
https://cloud.google.com/vpc/docs/shared-vpc


NEW QUESTION # 132
A customer wants to make it convenient for their mobile workforce to access a CRM web interface that is hosted on Google Cloud Platform (GCP). The CRM can only be accessed by someone on the corporate network. The customer wants to make it available over the internet.
Your team requires an authentication layer in front of the application that supports two-factor authentication Which GCP product should the customer implement to meet these requirements?

  • A. Cloud Endpoints
  • B. Cloud Armor
  • C. Cloud Identity-Aware Proxy
  • D. Cloud VPN

Answer: D


NEW QUESTION # 133
Your team sets up a Shared VPC Network where project co-vpc-prod is the host project. Your team has configured the firewall rules, subnets, and VPN gateway on the host project. They need to enable Engineering Group A to attach a Compute Engine instance to only the 10.1.1.0/24 subnet.
What should your team grant to Engineering Group A to meet this requirement?

  • A. Compute Network User Role at the subnet level.
  • B. Compute Shared VPC Admin Role at the service project level.
  • C. Compute Shared VPC Admin Role at the host project level.
  • D. Compute Network User Role at the host project level.

Answer: A

Explanation:
To enable Engineering Group A to attach a Compute Engine instance to a specific subnet (10.1.1.0/24) in a Shared VPC, you should grant the Compute Network User Role at the subnet level. This role allows users to use the subnetwork for their instances without giving them broader permissions at the project level.
Step-by-Step:
Identify the Subnet: Locate the subnet (10.1.1.0/24) in the host project.
Grant Role:
Navigate to the GCP Console > VPC network > VPC networks.
Select the Shared VPC host project and locate the specific subnet.
Click on "Edit" and go to the "IAM & Admin" section.
Assign the "Compute Network User" role to Engineering Group A at the subnet level.
Verification: Ensure that Engineering Group A can now attach Compute Engine instances to the specified subnet.
Reference:
Shared VPC Overview
Compute Network User Role


NEW QUESTION # 134
......


Ensure Compliance

  • Regulatory Concerns Comprehension: The test takers should be able to evaluate the concerns related to network, data, and compute and be skillful enough to limit data and compute for regulatory compliance. They also need to have an understanding of the shared responsibility model for security and security guarantees in a Cloud execution environment;
  • Compute Environment Concerns Comprehension: The considerations for this area include the determination of which compute environment is relevant based on the compliance standards of a company. Also, a potential candidate should have some knowledge of security constraints and guarantees for each of the computing environments.

Google Professional Cloud Security Engineer Exam Cover Topics

Candidates must know the exam topics before they start of preparation. Because it will really help them in hitting the core. Our Google Professional Cloud Security Engineer exam dumps will include the following topics:

  • Ensuring data protection
  • Configuring access within a cloud solution environment
  • Configuring network security
  • Ensuring compliance
  • Management of operations in a cloud solution environment

 

Google Professional-Cloud-Security-Engineer Real 2025 Braindumps Mock Exam Dumps: https://www.validbraindumps.com/Professional-Cloud-Security-Engineer-exam-prep.html

Latest Professional-Cloud-Security-Engineer Exam Dumps Recently Updated 268 Questions: https://drive.google.com/open?id=1ZLTN36NBA0d_-aYXitBQ65qxz5GIsot4