Professional Cloud Security Engineer Exam (PROFESSIONAL-CLOUD-SECURITY-ENGINEER) - Google Cloud Actual Exam Questions
Last updated on May 14, 2026
Your company is storing sensitive data in Cloud Storage. You want a key generated on-premises to be used in the encryption process. What should you do?
Use the Cloud Key Management Service to manage a data encryption key (DEK).
Use the Cloud Key Management Service to manage a key encryption key (KEK). 4XHVWLRQV�DQG�$QVZHUV�3') ������
Use customer-supplied encryption keys to manage the data encryption key (DEK).
Use customer-supplied encryption keys to manage the key encryption key (KEK).
to join the discussion
No discussions yet. Be the first to ask!
Delete Comment
Are you sure? This action cannot be undone.
In a shared security responsibility model for IaaS, which two layers of the stack does the customer share responsibility for? (Choose two.)
Hardware
Network Security
Storage Encryption
Access Policies 4XHVWLRQV�DQG�$QVZHUV�3') ������
Boot
to join the discussion
No discussions yet. Be the first to ask!
Delete Comment
Are you sure? This action cannot be undone.
Your organization is using Active Directory and wants to configure Security Assertion Markup Language (SAML). You must set up and enforce single sign-on (SSO) for all users. What should you do?
Manage SAML profile assignments. •
Create a new SAML profile. •
Configure prerequisites for OpenID Connect (OIDC) in your Active Directory (AD) tenant •
Enable OpenID Connect (OIDC) in your Active Directory (AD) tenant. •
Upload the X.509 certificate. •
Populate the sign-in and sign-out page URLs. •
Verify the AD domain. •
Verify the domain.
Enable the change password URL. •
Upload the X.509 certificate. •
Decide which users should use SAML. •
Configure Entity ID and ACS URL in your IdP.
Configure Entity ID and ACS URL in your IdP
Assign the pre-configured profile to the select organizational units (OUs) and groups.
1- Create a new SAML profile. •
to join the discussion
No discussions yet. Be the first to ask!
Delete Comment
Are you sure? This action cannot be undone.
A customer has an analytics workload running on Compute Engine that should have limited internet access. Your team created an egress firewall rule to deny (priority 1000) all traffic to the internet. The Compute Engine instances now need to reach out to the public repository to get security updates. What should your team do? 4XHVWLRQV�DQG�$QVZHUV�3') ������
Create an egress firewall rule to allow traffic to the CIDR range of the repository with a priority greater than 1000.
Create an egress firewall rule to allow traffic to the CIDR range of the repository with a priority less than 1000.
Create an egress firewall rule to allow traffic to the hostname of the repository with a priority greater than 1000.
Create an egress firewall rule to allow traffic to the hostname of the repository with a priority less than 1000.
to join the discussion
No discussions yet. Be the first to ask!
Delete Comment
Are you sure? This action cannot be undone.
A customer’s company has multiple business units. Each business unit operates independently, and each has their own engineering group. Your team wants visibility into all projects created within the company and wants to organize their Google Cloud Platform (GCP) projects based on different business units. Each business unit also requires separate sets of IAM permissions. Which strategy should you use to meet these needs?
Create an organization node, and assign folders for each business unit.
Establish standalone projects for each business unit, using gmail.com accounts.
Assign GCP resources in a project, with a label identifying which business unit owns the resource.
Assign GCP resources in a VPC for each business unit to separate network access. 4XHVWLRQV�DQG�$QVZHUV�3') ������
to join the discussion
No discussions yet. Be the first to ask!
Delete Comment
Are you sure? This action cannot be undone.
Finish Practice?
Are you sure you want to finish? This will end your practice session.