Free Practice Google Professional-Cloud-Security-Engineer Exam Questions 2025

Stay ahead with 100% Free Professional Cloud Security Engineer Professional-Cloud-Security-Engineer Dumps Practice Questions

Page: 1 / 60

Total 299 Questions | Updated On: Dec 17, 2019

Add To Cart

Question 1

You run applications on Cloud Run. You already enabled container analysis for vulnerability scanning.

However, you are concerned about the lack of control on the applications that are deployed. You must ensure

that only trusted container images are deployed on Cloud Run.

What should you do?

Choose 2 answers

A : Enable Binary Authorization on the existing Kubernetes cluster.

B : Set the organization policy constraint constraints/run. allowedBinaryAuthorizationPolicie to the list of allowed Binary Authorization policy names.

C : Set the organization policy constraint constraints/compute.trustedimageProjects to the list of protects that contain the trusted container images

D : Enable Binary Authorization on the existing Cloud Run service

E : Use Cloud Run breakglass to deploy an image that meets the Binary Authorization policy by default.

Answer: B,D

Question 2

Your organization is building a real-time recommendation engine using ML models that process live user activity data stored in BigQuery and Cloud Storage. Each new model developed is saved to Artifact Registry. This new system deploys models to Google Kubernetes Engine and uses Pub/Sub for message queues. Recent industry news has been reporting attacks exploiting ML model supply chains. You need to enhance the security in this serverless architecture, specifically against risks to the development and deployment pipeline. What should you do?

A : Limit external libraries and dependencies that are used for the ML models as much as possible. Continuously rotate encryption keys that are used to access the user data from BigQuery and Cloud Storage.

B : Enable container image vulnerability scanning during development and pre-deployment. Enforce Binary Authorization on images deployed from Artifact Registry to your continuous integration and continuous deployment (CI/CD) pipeline.

C : Thoroughly sanitize all training data prior to model development to reduce risk of poisoning attacks. Use IAM for authorization, and apply role-based restrictions to code repositories and cloud services.

D : Develop strict firewall rules to limit external traffic to Cloud Run instances. Integrate intrusion detection systems (IDS) for real-time anomaly detection on Pub/Sub message flows.

Answer: B

Question 3

Your Google Cloud environment has one organization node, one folder named Apps." and several projects within that folder The organizational node enforces the constraints/iam.allowedPolicyMemberDomains organization policy, which allowsmembers from the terramearth.com organization The "Apps" folder enforces the constraints/iam.allowedPolicyMemberDomains organization policy, which allows members from the flowlogistic.com organization. It also has the inheritFromParent: false property. You attempt to grant access to a project in the Apps folder to the user [email protected]. What is the result of your action and why?

A : The action fails because a constraints/iam.allowedPolicyMemberDomains organization policy must be defined on the current project to deactivate the constraint temporarily

B : The action fails because a constraints/iam.allowedPolicyMemberDomains organization policy is in place and only members from the flowlogistic.com organization are allowed

C : The action succeeds because members from both organizations, terramearth. com or flowlogistic.com, are allowed on projects in the "Apps" folder

D : The action succeeds and the new member is successfully added to the project's Identity and Access Management (1AM) policy because all policies are inherited by underlying folders and projects.

Answer: B

Question 4

You will create a new Service Account that should be able to list the Compute Engine instances in the project.

You want to follow Google-recommended practices.

What should you do?

A : Create an Instance Template, and allow the Service Account Read Only access for the Compute Engine Access Scope.

B : Create a custom role with the permission compute.instances.list and grant the Service Account this role

C : Give the Service Account the role of Compute Viewer, and use the new Service Account for all instances

D : Give the Service Account the role of Project Viewer, and use the new Service Account for all instances.

Answer: B

Question 5

A company is running their webshop on Google Kubernetes Engine and wants to analyze customer

transactions in BigQuery. You need to ensure that no credit card numbers are stored in BigQuery

What should you do?

A : Create a BigQuery view with regular expressions matching credit card numbers to query and delete affected rows

B : Use the Cloud Data Loss Prevention API to redact related infoTypes before data is ingested into BigQuery.

C : Leverage Security Command Center to scan for the assets of type Credit Card Number in BigQuery

D : Enable Cloud Identity-Aware Proxy to filter out credit card numbers before storing the logs in BigQuery.

Answer: D

Page: 1 / 60

Total 299 Questions | Updated On: Dec 17, 2019

Add To Cart