Free Practice Google Professional-Cloud-Security-Engineer Exam Questions 2025

Stay ahead with 100% Free Professional Cloud Security Engineer Professional-Cloud-Security-Engineer Dumps Practice Questions

Page: 1 / 60

Total 299 Questions | Updated On: Mar 27, 2025

Add To Cart

Question 1

Your Google Cloud environment has one organization node, one folder named Apps." and several projects within that folder The organizational node enforces the constraints/iam.allowedPolicyMemberDomains organization policy, which allowsmembers from the terramearth.com organization The "Apps" folder enforces the constraints/iam.allowedPolicyMemberDomains organization policy, which allows members from the flowlogistic.com organization. It also has the inheritFromParent: false property. You attempt to grant access to a project in the Apps folder to the user [email protected]. What is the result of your action and why?

A : The action fails because a constraints/iam.allowedPolicyMemberDomains organization policy must be defined on the current project to deactivate the constraint temporarily

B : The action fails because a constraints/iam.allowedPolicyMemberDomains organization policy is in place and only members from the flowlogistic.com organization are allowed

C : The action succeeds because members from both organizations, terramearth. com or flowlogistic.com, are allowed on projects in the "Apps" folder

D : The action succeeds and the new member is successfully added to the project's Identity and Access Management (1AM) policy because all policies are inherited by underlying folders and projects.

Answer: B

Question 2

You plan to deploy your cloud infrastructure using a CI/CD cluster hosted on Compute Engine. You want to minimize the risk of its credentials being stolen by a third party. What should you do?

A : Create a dedicated Cloud Identity user account for the cluster. Use a strong self-hosted vault solution to store the user's temporary credentials

B : Create a dedicated Cloud Identity user account for the cluster. Enable the constraints/ iam.disableServiceAccountCreation organization policy at the project level.

C : Create a custom service account for the cluster Enable the constraints/ iam.disableServiceAccountKeyCreation organization policy at the project level

D : Create a custom service account for the cluster Enable the constraints/ iam.allowServiceAccountCredentialLifetimeExtension organization policy at the project level.

Answer: C

Question 3

You are a member of your company's security team. You have been asked to reduce your Linux bastion host external attack surface by removing all public IP addresses. Site Reliability Engineers (SREs) require access to the bastion host from public locations so they can access the internal VPC while off-site. How should you enable this access?

A : Implement Cloud VPN for the region where the bastion host lives.

B : Implement OS Login with 2-step verification for the bastion host.

C : Implement Identity-Aware Proxy TCP forwarding for the bastion host.

D : Implement Google Cloud Armor in front of the bastion host.

Answer: C

Question 4

As an Online education platform company, you need to develop an internal App Engine application that can access a user's Google Drive without relying on current user credentials, while following Google's recommended practices. What steps should you take to accomplish this using Google Cloud Services?

A : To impersonate the user, you should create a new service account and provide it G Suite domain-wide delegation, which the application can use.

B : To ensure secure operations of the application, it is recommended to use a separate G Suite Admin account and authenticate the application's activities using these credentials.

C : Generate a fresh Service account and assign Service Account User role to all the users of the application.

D : To grant access to all application users, a new Service account should be created and a Google Group should be created and all application users should be added to this group. Then, grant the Service Account User role to this group.

Answer: A

Question 5

You run applications on Cloud Run. You already enabled container analysis for vulnerability scanning.

However, you are concerned about the lack of control on the applications that are deployed. You must ensure

that only trusted container images are deployed on Cloud Run.

What should you do?

Choose 2 answers

A : Enable Binary Authorization on the existing Kubernetes cluster.

B : Set the organization policy constraint constraints/run. allowedBinaryAuthorizationPolicie to the list of allowed Binary Authorization policy names.

C : Set the organization policy constraint constraints/compute.trustedimageProjects to the list of protects that contain the trusted container images

D : Enable Binary Authorization on the existing Cloud Run service

E : Use Cloud Run breakglass to deploy an image that meets the Binary Authorization policy by default.

Answer: B,D

Page: 1 / 60

Total 299 Questions | Updated On: Mar 27, 2025

Add To Cart