
Professional Cloud Security Engineer Certification Practice Questions & Mock Tests, Google Professional Cloud Security Engineer | SPOTO

Prepare for the Professional Cloud Security Engineer certification exam with our comprehensive collection of practice questions and mock tests. As a Cloud Security Engineer, it's essential to design and implement secure workloads and infrastructure on Google Cloud. Our practice tests cover a wide range of topics, including security best practices and industry requirements, ensuring thorough preparation for the exam. With detailed explanations and answers provided, you'll gain the knowledge needed to design, develop, and manage secure solutions using Google security technologies effectively. Utilize our exam simulator to simulate real exam conditions and assess your readiness. Trust SPOTO for high-quality practice tests and expert guidance to excel in your Professional Cloud Security Engineer certification journey.

Question #1
Which international compliance standard provides guidelines for information security controls applicable to the provision and use of cloud services?
A. ISO 27001
B. ISO 27002
C. ISO 27017
D. ISO 27018
Correct Answer: C


Question #2
What are the steps to encrypt data using envelope encryption?
A. Generate a data encryption key (DEK) locally
B. Generate a key encryption key (KEK) locally
C. Generate a data encryption key (DEK) locally
D. Generate a key encryption key (KEK) locally
Correct Answer: C
Question #3
An organization is starting to move its infrastructure from its on-premises environment to Google Cloud Platform (GCP). The first step the organization wants to take is to migrate its ongoing data backup and disaster recovery solutions to GCP. The organization's on-premises production environment is going to be the next phase for migration to GCP. Stable networking connectivity between the on-premises environment and GCP is also being implemented. Which GCP solution should the organization use?
A. BigQuery using a data pipeline job with continuous updates via Cloud VPN
B. Cloud Storage using a scheduled task and gsutil via Cloud Interconnect
C. Compute Engine Virtual Machines using Persistent Disk via Cloud Interconnect
D. Cloud Datastore using regularly scheduled batch upload jobs via Cloud VPN
Correct Answer: C
Question #4
A company is deploying their application on Google Cloud Platform. Company policy requires long-term data to be stored using a solution that can automatically replicate data over at least two geographic places. Which Storage solution are they allowed to use?
A. Cloud Bigtable
B. Cloud BigQuery
C. Compute Engine SSD Disk
D. Compute Engine Persistent Disk
Correct Answer: D
Question #5
Your team needs to prevent users from creating projects in the organization. Only the DevOps team should be allowed to create projects on behalf of the requester. Which two tasks should your team perform to handle this request? (Choose two.)
A. Remove all users from the Project Creator role at the organizational level
B. Create an Organization Policy constraint, and apply it at the organizational level
C. Grant the Project Editor role at the organizational level to a designated group of users
D. Add a designated group of users to the Project Creator role at the organizational level
E. Grant the billing account creator role to the designated DevOps team
Correct Answer: D
Question #6
In an effort for your company messaging app to comply with FIPS 140-2, a decision was made to use GCP compute and network services. The messaging app architecture includes a Managed Instance Group (MIG) that controls a cluster of Compute Engine instances. The instances use Local SSDs for data caching and UDP for instance-to-instance communications. The app development team is willing to make any changes necessary to comply with the standard. Which options should you recommend to meet the requirements?
A. Encrypt all cache storage and VM-to-VM communication using the BoringCrypto module
B. Set Disk Encryption on the Instance Template used by the MIG to customer-managed key and use BoringSSL for all data transit between instances
C. Change the app instance-to-instance communications from UDP to TCP and enable BoringSSL on clients' TLS connections
D. Set Disk Encryption on the Instance Template used by the MIG to Google-managed Key and use BoringSSL library on all instance-to-instance communications
Correct Answer: B
Question #7
Your team wants to make sure Compute Engine instances running in your production project do not have public IP addresses. The frontend application Compute Engine instances will require public IPs. The product engineers have the Editor role to modify resources. Your team wants to enforce this requirement. How should your team meet these requirements?
A. Enable Private Access on the VPC network in the production project
B. Remove the Editor role and grant the Compute Admin IAM role to the engineers
C. Set up an organization policy to only permit public IPs for the front-end Compute Engine instances
D. Set up a VPC network with two subnets: one with public IPs and one without public IPs
Correct Answer: B
Question #8
A DevOps team will create a new container to run on Google Kubernetes Engine. As the application will be internet-facing, they want to minimize the attack surface of the container. What should they do?
A. Use Cloud Build to build the container images
B. Build small containers using small base images
C. Delete non-used versions from Container Registry
D. Use a Continuous Delivery tool to deploy the application
Correct Answer: BD
Question #9
A customer is collaborating with another company to build an application on Compute Engine. The customer is building the application tier in their GCP Organization, and the other company is building the storage tier in a different GCP Organization. This is a 3-tier web application. Communication between portions of the application must not traverse the public internet by any means. Which connectivity option should be implemented?
A. VPC peering
B. Cloud VPN
C. Cloud Interconnect
D. Shared VPC
Correct Answer: D
Question #10
A customer has an analytics workload running on Compute Engine that should have limited internet access. Your team created an egress firewall rule to deny (priority 1000) all traffic to the internet. The Compute Engine instances now need to reach out to the public repository to get security updates. What should your team do?
A. Create an egress firewall rule to allow traffic to the CIDR range of the repository with a priority greater than 1000
B. Create an egress firewall rule to allow traffic to the CIDR range of the repository with a priority less than 1000
C. Create an egress firewall rule to allow traffic to the hostname of the repository with a priority greater than 1000
D. Create an egress firewall rule to allow traffic to the hostname of the repository with a priority less than 1000
Correct Answer: C
Question #11
While migrating your organization’s infrastructure to GCP, a large number of users will need to access GCP Console. The Identity Management team already has a well-established way to manage your users and wants to keep using your existing Active Directory or LDAP server along with the existing SSO password. What should you do?
A. Manually synchronize the data in Google domain with your existing Active Directory or LDAP server
B. Use Google Cloud Directory Sync to synchronize the data in Google domain with your existing Active Directory or LDAP server
C. Users sign in directly to the GCP Console using the credentials from your on-premises Kerberos compliant identity provider
D. Users sign in using OpenID (OIDC) compatible IdP, receive an authentication token, then use that token to log in to the GCP Console
Correct Answer: D
Question #12
A customer deployed an application on Compute Engine that takes advantage of the elastic nature of cloud computing. How can you work with Infrastructure Operations Engineers to best ensure that Windows Compute Engine VMs are up to date with all the latest OS patches?
A. Build new base images when patches are available, and use a CI/CD pipeline to rebuild VMs, deploying incrementally
B. Federate a Domain Controller into Compute Engine, and roll out weekly patches via Group Policy Object
C. Use Deployment Manager to provision updated VMs into new serving Instance Groups (IGs)
D. Reboot all VMs during the weekly maintenance window and allow the StartUp Script to download the latest patches from the internet
Correct Answer: BD
Question #13
A customer terminates an engineer and needs to make sure the engineer's Google account is automatically deprovisioned. What should the customer do?
A. Use the Cloud SDK with their directory service to remove their IAM permissions in Cloud Identity
B. Use the Cloud SDK with their directory service to provision and deprovision users from Cloud Identity
C. Configure Cloud Directory Sync with their directory service to provision and deprovision users from Cloud Identity
D. Configure Cloud Directory Sync with their directory service to remove their IAM permissions in Cloud Identity
Correct Answer: C
Question #14
You want data on Compute Engine disks to be encrypted at rest with keys managed by Cloud Key Management Service (KMS). Cloud Identity and Access Management (IAM) permissions to these keys must be managed in a grouped way because the permissions should be the same for all keys. What should you do?
A. Create a single KeyRing for all persistent disks and all Keys in this KeyRing
B. Create a single KeyRing for all persistent disks and all Keys in this KeyRing
C. Create a KeyRing per persistent disk, with each KeyRing containing a single Key
D. Create a KeyRing per persistent disk, with each KeyRing containing a single Key
Correct Answer: D
Question #15
A patch for a vulnerability has been released, and a DevOps team needs to update their running containers in Google Kubernetes Engine (GKE). How should the DevOps team accomplish this?
A. Use Puppet or Chef to push out the patch to the running container
B. Verify that auto upgrade is enabled; if so, Google will upgrade the nodes in a GKE cluster
C. Update the application code or apply a patch, build a new image, and redeploy it
D. Configure containers to automatically upgrade when the base image is available in Container Registry
Correct Answer: C
Question #16
A large e-retailer is moving to Google Cloud Platform with its ecommerce website. The company wants to ensure payment information is encrypted between the customer’s browser and GCP when the customers checkout online. What should they do?
A. Configure an SSL Certificate on an L7 Load Balancer and require encryption
B. Configure an SSL Certificate on a Network TCP Load Balancer and require encryption
C. Configure the firewall to allow inbound traffic on port 443, and block all other inbound traffic
D. Configure the firewall to allow outbound traffic on port 443, and block all other outbound traffic
Correct Answer: B
Question #17
You are in charge of migrating a legacy application from your company datacenters to GCP before the current maintenance contract expires. You do not know what ports the application is using and no documentation is available for you to check. You want to complete the migration without putting your environment at risk. What should you do?
A. Migrate the application into an isolated project using a “Lift & Shift” approach
B. Migrate the application into an isolated project using a “Lift & Shift” approach in a custom network
C. Refactor the application into a micro-services architecture in a GKE cluster
D. Refactor the application into a micro-services architecture hosted in Cloud Functions in an isolated project
Correct Answer: A
Question #18
An organization receives an increasing number of phishing emails. Which method should be used to protect employee credentials in this situation?
A. Multifactor Authentication
B. A strict password policy
C. Captcha on login pages
D. Encrypted emails
Correct Answer: D
