
Google Professional-Cloud-Security-Engineer sample questions (updated Jun 14, 2026; drawn from a 320-question set)
The PCSE exam covers a wide range of cloud-security topics: network security, data protection, identity and access management, compliance, and incident response. The Professional-Cloud-Security-Engineer exam is designed to validate a candidate's ability to design and implement secure solutions on GCP, and to manage and monitor security controls so that GCP resources stay protected.
Google Professional Cloud Security Engineer Practice Test Questions, Google Professional Cloud Security Engineer Exam dumps
The Google Professional Cloud Security Engineer certification is designed to validate the skills of the candidates in designing and implementing a secure infrastructure on GCP. The applicants for this certificate have an understanding of the industry security requirements and security best practices. They also develop, design, and manage secure infrastructures by leveraging the Google security technologies. To obtain the certification, the individuals must pass one qualifying exam.
Ensure Data Protection
- Data Loss Prevention with the DLP API: this domain measures the examinee's ability to configure tokenization, identification and redaction of PII, to restrict access to DLP datasets, and to configure format-preserving substitution;
- Management of encryption at rest: this part requires knowledge of the use cases for default encryption, customer-managed encryption keys (CMEK) and customer-supplied encryption keys (CSEK), and the ability to create and manage keys for CMEK and CSEK. Candidates should also understand envelope encryption, Confidential Computing (enclave computing), and application secrets management.
NEW QUESTION # 120
You are setting up a new Cloud Storage bucket in your environment that is encrypted with a customer-managed encryption key (CMEK). The CMEK is stored in Cloud Key Management Service (KMS) in project
"prj-a", and the Cloud Storage bucket will be in project "prj-b". The key is backed by a Cloud Hardware Security Module (HSM) and resides in the region europe-west3. Your storage bucket will be located in the region europe-west1. When you create the bucket, you cannot access the key, and you need to troubleshoot why.
What has caused the access issue?
- A. The CMEK is in a different project than the Cloud Storage bucket
- B. Cloud HSM does not support Cloud Storage
- C. The CMEK is in a different region than the Cloud Storage bucket.
- D. A firewall rule prevents the key from being accessible.
Answer: C
Explanation:
When a Cloud Storage bucket uses a customer-managed encryption key, the key ring must be in the same location as the bucket: a regional bucket needs a key in that same region. Here the key is in europe-west3 and the bucket is in europe-west1, so the bucket cannot use the key. The other options do not explain the failure: holding the key in a different project (A) is supported as long as the Cloud Storage service agent of the bucket's project is granted roles/cloudkms.cryptoKeyEncrypterDecrypter on the key; Cloud HSM-backed keys are supported by Cloud Storage (B); and VPC firewall rules have no effect on the Cloud KMS API calls Cloud Storage makes (D).
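The two checks a practitioner runs when a bucket cannot use its CMEK are exactly the ones above: does the key's location match the bucket's, and is the bucket project's Cloud Storage service agent granted the encrypter/decrypter role on the key. The following is an added example, not part of the original page or of any Google tooling; it parses a KMS key resource name and a key IAM policy of the kind `gcloud kms keys get-iam-policy` returns, and reports what blocks the bucket. The project number 123456789012, the key-ring and key names, and the IAM policy are constructed for the example; only the regional, exact-match case from the question is modelled, not multi-region or dual-region pairings.

```python
import re

# Documented layout of a Cloud KMS key resource name.
_KEY_RE = re.compile(
    r"^projects/(?P<project>[^/]+)/locations/(?P<location>[^/]+)"
    r"/keyRings/(?P<ring>[^/]+)/cryptoKeys/(?P<key>[^/]+)$"
)

ENCRYPTER_DECRYPTER = "roles/cloudkms.cryptoKeyEncrypterDecrypter"


def parse_kms_key(name):
    """Split a Cloud KMS key resource name into its components."""
    m = _KEY_RE.match(name)
    if not m:
        raise ValueError(f"not a Cloud KMS key resource name: {name}")
    return m.groupdict()


def storage_service_agent(project_number):
    """Documented email of the Cloud Storage service agent that calls KMS on the bucket's behalf."""
    return f"service-{project_number}@gs-project-accounts.iam.gserviceaccount.com"


def check_cmek_for_bucket(key_name, bucket_location, bucket_project_number, key_iam_policy):
    """Return a list of findings; an empty list means nothing here blocks the bucket from using the key.

    Only the regional case from the question is modelled: the key's location must equal the
    bucket's region. Multi-region and dual-region pairings are not handled here.
    """
    findings = []
    key = parse_kms_key(key_name)
    if key["location"].lower() != bucket_location.lower():
        findings.append(
            f"location mismatch: key is in {key['location']}, bucket is in {bucket_location.lower()}"
        )
    # A key in another project is fine, provided the bucket project's service agent holds the role.
    agent = "serviceAccount:" + storage_service_agent(bucket_project_number)
    members = set()
    for binding in key_iam_policy.get("bindings", []):
        if binding.get("role") == ENCRYPTER_DECRYPTER:
            members.update(binding.get("members", []))
    if agent not in members:
        findings.append(f"{agent} is not granted {ENCRYPTER_DECRYPTER} on the key")
    return findings


# Constructed scenario mirroring the question: key in prj-a/europe-west3, bucket in prj-b/europe-west1.
# The project number and the key-ring/key names are assumptions for the example.
KEY_NAME = "projects/prj-a/locations/europe-west3/keyRings/storage-ring/cryptoKeys/bucket-key"
PRJ_B_NUMBER = "123456789012"
KEY_POLICY = {
    "bindings": [
        {
            "role": ENCRYPTER_DECRYPTER,
            "members": ["serviceAccount:" + storage_service_agent(PRJ_B_NUMBER)],
        }
    ]
}

if __name__ == "__main__":
    for finding in check_cmek_for_bucket(KEY_NAME, "EUROPE-WEST1", PRJ_B_NUMBER, KEY_POLICY):
        print(finding)
```

With the policy above the only finding is the location mismatch, which is the question's scenario; dropping the service-agent binding while moving the bucket to europe-west3 produces the other common failure, a missing role grant, even though the key and bucket are in different projects.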
NEW QUESTION # 121
A customer's internal security team must manage its own encryption keys for encrypting data on Cloud Storage and decides to use customer-supplied encryption keys (CSEK).
How should the team complete this task?
- A. Encrypt the object, then use the gsutil command line tool or the Google Cloud Platform Console to upload the object to Cloud Storage.
- B. Upload the encryption key to a Cloud Storage bucket, and then upload the object to the same bucket.
- C. Generate an encryption key in the Google Cloud Platform Console, and upload an object to Cloud Storage using the specified key.
- D. Use the gsutil command line tool to upload the object to Cloud Storage, and specify the location of the encryption key.
Answer: D
Explanation:
To use customer-supplied encryption keys (CSEK) for data in Cloud Storage:
* Generate an encryption key: a 256-bit AES key, base64-encoded, for example with
openssl rand -base64 32
* Upload the object with the CSEK: use gsutil to upload the object and hand it the key through the GSUtil:encryption_key boto option. The same setting can live in the [GSUtil] section of the .boto file instead of on the command line, which is the "location of the encryption key" option D refers to.
gsutil -o "GSUtil:encryption_key=<base64-encoded-key>" cp [LOCAL_OBJECT_PATH] gs://[BUCKET_NAME]/
* Verify encryption: after the upload, inspect the object's metadata. A CSEK-encrypted object reports the SHA-256 hash of its key (gsutil stat shows it as "Encryption key SHA256"); the key itself is never stored by Cloud Storage.
gsutil stat gs://[BUCKET_NAME]/[OBJECT_NAME]
* Key management: store and manage the key securely and never hard-code it in scripts or applications. Because Google does not retain the key, losing it means the object can no longer be decrypted, and every later read of the object must supply the same key.
By passing the key to gsutil, the object is encrypted with the customer-supplied key during the upload. Option A is client-side encryption that Cloud Storage does not manage as CSEK, option B stores the key next to the data it protects, and the Console does not generate CSEKs (option C).
References:
* Customer-Supplied Encryption Keys (CSEK) Documentation
* gsutil Command Line Tool Documentation
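What gsutil does with that boto option is add the documented CSEK request headers, and what Cloud Storage records about the object is a SHA-256 of the key rather than the key. The following is an added example, not code from the original page or from gsutil; it generates a key the way `openssl rand -base64 32` does, builds the headers, and checks whether an object's metadata (the JSON API object resource, the same data `gsutil stat` prints) was encrypted with the key in hand. The example key and object metadata are constructed; a real key belongs in a secret store, not in source.

```python
import base64
import hashlib
import os


def generate_csek():
    """A fresh 256-bit key, base64-encoded: the same thing `openssl rand -base64 32` prints."""
    return base64.b64encode(os.urandom(32)).decode("ascii")


def csek_key_sha256(key_b64):
    """Base64 SHA-256 of the raw key; this is the value Cloud Storage keeps in object metadata."""
    raw = base64.b64decode(key_b64, validate=True)
    if len(raw) != 32:
        raise ValueError(f"a CSEK must be exactly 32 bytes, got {len(raw)}")
    return base64.b64encode(hashlib.sha256(raw).digest()).decode("ascii")


def csek_request_headers(key_b64):
    """Headers the XML/JSON API requires on a CSEK request (gsutil adds these for you)."""
    return {
        "x-goog-encryption-algorithm": "AES256",
        "x-goog-encryption-key": key_b64,
        "x-goog-encryption-key-sha256": csek_key_sha256(key_b64),
    }


def object_uses_key(object_metadata, key_b64):
    """True when the object's customerEncryption metadata matches the key in hand.

    object_metadata is the JSON API object resource (what objects.get or `gsutil stat` reports).
    """
    enc = object_metadata.get("customerEncryption")
    if not enc:
        return False  # Google-managed or CMEK encryption, not a CSEK
    return enc.get("encryptionAlgorithm") == "AES256" and enc.get("keySha256") == csek_key_sha256(key_b64)


# Constructed key and object metadata for the example only.
EXAMPLE_KEY = base64.b64encode(bytes(range(32))).decode("ascii")
EXAMPLE_OBJECT = {
    "name": "payroll.csv",
    "customerEncryption": {"encryptionAlgorithm": "AES256", "keySha256": csek_key_sha256(EXAMPLE_KEY)},
}

if __name__ == "__main__":
    print(csek_request_headers(EXAMPLE_KEY))
    print("object encrypted with our key:", object_uses_key(EXAMPLE_OBJECT, EXAMPLE_KEY))
```

The hash check is the verification step from the answer: it proves the object was written with a particular key without ever sending the key to anyone, and a short or malformed key is rejected before it reaches a request.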
NEW QUESTION # 122
You want to prevent users from accidentally deleting a Shared VPC host project. Which organization-level policy constraint should you enable?
- A. compute.restrictXpnProjectLienRemoval
- B. compute.restrictSharedVpcHostProjects
- C. compute.restrictSharedVpcSubnetworks
- D. compute.sharedReservationsOwnerProjects
Answer: A
Explanation:
https://cloud.google.com/resource-manager/docs/organization-policy/org-policy-constraints#constraints-for-specific-services
- constraints/compute.restrictXpnProjectLienRemoval
- Restrict Shared VPC project lien removal
This boolean constraint restricts the set of users that can remove a Shared VPC host project lien without organization-level permission where this constraint is set to True.
By default, any user with permission to update liens can remove a Shared VPC host project lien. Enforcing this constraint requires that permission to be granted at the organization level.
The lien is placed on a project automatically when it is enabled as a Shared VPC host and blocks deletion of the project until it is removed, so the constraint protects the lien, and through it the project.
NEW QUESTION # 123
Your organization operates Virtual Machines (VMs) with only private IPs in the Virtual Private Cloud (VPC), with internet access through Cloud NAT. Every day, you must patch all VMs with critical OS updates and provide summary reports.
What should you do?
- A. Assign public IPs to VMs. Validate that the egress firewall rules allow any outgoing traffic. Log in to each VM, and configure a daily cron job to enable for OS updates at night during low activity periods.
- B. Ensure that VM Manager is installed and running on the VMs. In the OS patch management service, configure the patch jobs to update with critical patches daily.
- C. Copy the latest patches to the Cloud Storage bucket. Log in to each VM, download the patches from the bucket, and install them.
- D. Validate that the egress firewall rules allow any outgoing traffic. Log in to each VM and execute OS specific update commands. Configure the Cloud Scheduler job to update with critical patches daily for daily updates.
Answer: B
Explanation:
VM Manager is a suite of tools for managing a fleet of Compute Engine VMs at scale. Its OS patch management service runs scheduled patch jobs through the OS Config agent on each VM and reports their results, so the VMs need neither public IPs nor manual logins; Cloud NAT provides the egress the agent needs to reach the package repositories. Options A, C and D all require logging in to every VM, and A additionally widens the attack surface by assigning public IPs.
https://cloud.google.com/compute/docs/vm-manager
NEW QUESTION # 124
You work for a large organization that recently implemented a 100 Gbps Cloud Interconnect connection between your Google Cloud and your on-premises edge router. While routinely checking the connectivity, you noticed that the connection is operational but there is an error message that indicates MACsec is operationally down. You need to resolve this error. What should you do?
- A. Ensure that the on-premises router is not down.
- B. Ensure that the Cloud Interconnect connection supports MACsec.
- C. Ensure that the active pre-shared key matches on both the on-premises and Google edge routers.
- D. Ensure that the active pre-shared key created for MACsec is not expired on both the on-premises and Google edge routers.
Answer: C
Explanation:
Comprehensive and Detailed Explanation From Exact Extract:
MACsec (Media Access Control Security) relies on a shared secret (a pre-shared key, made up of a Connectivity Key Name, CKN, and Connectivity Association Key, CAK) to establish a secure session between the two endpoints. If the session is "operationally down," it indicates a cryptographic mismatch.
Extracts:
"MACsec is operationally down on my Cloud Interconnect connection... The issue could be caused by one of the following: The active keys on your on-premises router and Google's edge routers don't match." (Source 3.1)
The troubleshooting guide further specifies checking that the "active CKN, CAK, and start times on your on-premises router match the values that MACsec for Cloud Interconnect displays." (Source 3.1) Therefore the first step in resolving a "MACsec is operationally down" status is to verify that the pre-shared key (CKN and CAK) is configured identically on both the on-premises and Google edge routers. Option D is a narrower case of the same check: a key that has expired on one side no longer matches the active key on the other. Option A contradicts the observation that the connection is operational, and option B would be a provisioning error rather than a status that flips to down.
NEW QUESTION # 125
You want to evaluate GCP for PCI compliance. You need to identify Google's inherent controls.
Which document should you review to find the information?
- A. PCI SSC Cloud Computing Guidelines
- B. PCI DSS Requirements and Security Assessment Procedures
- C. Google Cloud Platform: Customer Responsibility Matrix
- D. Product documentation for Compute Engine
Answer: A
Explanation:
https://cloud.google.com/solutions/pci-dss-compliance-in-gcp
NEW QUESTION # 126
You need to follow Google-recommended practices to leverage envelope encryption and encrypt data at the application layer.
What should you do?
- A. Generate a data encryption key (DEK) locally to encrypt the data, and generate a new key encryption key (KEK) in Cloud KMS to encrypt the DEK. Store both the encrypted data and the encrypted DEK.
- B. Generate a data encryption key (DEK) locally to encrypt the data, and generate a new key encryption key (KEK) in Cloud KMS to encrypt the DEK. Store both the encrypted data and the KEK.
- C. Generate a new data encryption key (DEK) in Cloud KMS to encrypt the data, and generate a key encryption key (KEK) locally to encrypt the key. Store both the encrypted data and the encrypted DEK.
- D. Generate a new data encryption key (DEK) in Cloud KMS to encrypt the data, and generate a key encryption key (KEK) locally to encrypt the key. Store both the encrypted data and the KEK.
Answer: A
Explanation:
Reference: https://cloud.google.com/kms/docs/envelope-encryption
Best practices for managing DEKs:
- Generate DEKs locally.
- When stored, always ensure DEKs are encrypted at rest.
- For easy access, store the DEK near the data that it encrypts.
The DEK is encrypted (also known as wrapped) by a key encryption key (KEK). The process of encrypting a key with another key is known as envelope encryption.
Best practices for managing KEKs:
- Store KEKs centrally (in Cloud KMS).
- Set the granularity of the DEKs they encrypt based on their use case. For example, consider a workload that requires multiple DEKs to encrypt the workload's data chunks. You could use a single KEK to wrap all DEKs that are responsible for that workload's encryption.
- Rotate keys regularly, and also after a suspected incident.
Options B and D store the KEK next to the data, which defeats the point of keeping it in Cloud KMS; options C and D have Cloud KMS hand out the DEK, whereas the recommended pattern is to generate the DEK locally and use Cloud KMS only to wrap and unwrap it.
NEW QUESTION # 127
You are a member of the security team at an organization. Your team has a single GCP project with credit card payment processing systems alongside web applications and data processing systems. You want to reduce the scope of systems subject to PCI audit standards.
What should you do?
- A. Use only applications certified compliant with PA-DSS.
- B. Use VPN for all connections between your office and cloud environments.
- C. Use multi-factor authentication for admin access to the web application.
- D. Move the cardholder data environment into a separate GCP project.
Answer: D
Explanation:
To reduce the scope of systems subject to PCI audit standards, segregate the cardholder data environment (CDE) into a separate GCP project. This ensures that only the project containing the CDE will be subject to PCI DSS compliance, reducing the audit scope for other projects.
* Create Separate GCP Project:
* Go to the Cloud Console, navigate to IAM & Admin > Manage Resources.
* Click "Create Project" and set up a new project for the CDE.
* Migrate CDE:
* Transfer the systems processing, storing, or transmitting cardholder data to the new project.
* Apply PCI DSS Controls:
* Implement PCI DSS required controls on the new project.
* Use appropriate security measures such as firewalls, access controls, and encryption.
References:
* Google Cloud and PCI DSS
* Creating and Managing Projects
NEW QUESTION # 128
Your organization is using GitHub Actions as a continuous integration and delivery (CI/CD) platform. You must enable access to Google Cloud resources from the CI/CD pipelines in the most secure way.
What should you do?
- A. Configure workload identity federation to use GitHub as an identity pool provider.
- B. Configure a Google Kubernetes Engine cluster that uses Workload Identity to supply credentials to GitHub.
- C. Create a service account key and add it to the GitHub repository content.
- D. Create a service account key and add it to the GitHub pipeline configuration file.
Answer: A
Explanation:
* Challenge: grant GitHub Actions pipelines access to Google Cloud resources without handing out long-lived service account keys.
* Workload identity federation lets tokens from an external identity provider, here GitHub's OIDC tokens, be exchanged for short-lived Google Cloud credentials.
* Benefits:
* No service account key to create, distribute or rotate, so there is no key to leak from the repository or the pipeline configuration (options C and D both put a permanent credential where any contributor or compromised action can read it).
* The exchanged credential is tied to the identity GitHub attests (repository, branch, workflow), and an attribute condition on the provider restricts which repositories and refs are accepted.
* Steps to configure workload identity federation:
* Step 1: create a workload identity pool in Google Cloud.
* Step 2: add GitHub (issuer https://token.actions.githubusercontent.com) as an OIDC provider within the pool, with an attribute mapping and an attribute condition.
* Step 3: grant the federated identity (a principalSet on the pool) roles/iam.workloadIdentityUser on a service account, or grant it IAM roles on resources directly.
* Step 4: update the GitHub Actions workflow to request an OIDC token and exchange it through the provider.
* Option B does not apply: GKE Workload Identity supplies credentials to Pods running in a cluster, not to jobs running on GitHub's runners.
References:
* Workload Identity Federation
* Configuring Workload Identity Federation with GitHub
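The security of this setup rests on what the provider checks before a GitHub token is accepted: the issuer, the audience, and the attribute condition that names which repository and ref may authenticate. The following is an added example, not code from the original page or from Google's STS service; it mirrors that decision logic over constructed, unsigned tokens so the effect of the attribute condition is visible. Signature verification against GitHub's JWKS is done by Google's token exchange endpoint and is deliberately not reproduced here. The project number, pool name (github-pool), provider name (github-provider) and repository names are assumptions.

```python
import base64
import json

GITHUB_ISSUER = "https://token.actions.githubusercontent.com"
# Assumed project number, pool and provider names for the example.
POOL = "projects/123456789012/locations/global/workloadIdentityPools/github-pool"
PROVIDER_AUDIENCE = f"https://iam.googleapis.com/{POOL}/providers/github-provider"


def jwt_claims(token):
    """Decode the payload of a JWT. Signature checking is STS's job; only the claims are read here."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)
    return json.loads(base64.urlsafe_b64decode(payload))


def attribute_mapping(claims):
    """Mirrors --attribute-mapping="google.subject=assertion.sub,
    attribute.repository=assertion.repository,attribute.ref=assertion.ref"."""
    return {
        "google.subject": claims["sub"],
        "attribute.repository": claims["repository"],
        "attribute.ref": claims.get("ref", ""),
    }


def attribute_condition(claims, allowed_repo, allowed_ref="refs/heads/main"):
    """Mirrors --attribute-condition="assertion.repository == 'ORG/REPO' && assertion.ref == 'refs/heads/main'".
    Without a condition, a token from any GitHub repository would be accepted by the provider."""
    return claims.get("repository") == allowed_repo and claims.get("ref") == allowed_ref


def federated_principal(token, allowed_repo):
    """Return (principalSet member, reason). The member is what gets roles/iam.workloadIdentityUser."""
    claims = jwt_claims(token)
    if claims.get("iss") != GITHUB_ISSUER:
        return None, "issuer mismatch"
    if claims.get("aud") != PROVIDER_AUDIENCE:
        return None, "audience mismatch"
    if not attribute_condition(claims, allowed_repo):
        return None, "attribute condition failed"
    attrs = attribute_mapping(claims)
    member = f"principalSet://iam.googleapis.com/{POOL}/attribute.repository/{attrs['attribute.repository']}"
    return member, "ok"


def make_unsigned_token(claims):
    """Constructed, unsigned token in JWT layout; a real GitHub token is RS256-signed."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")
    return enc({"alg": "none", "typ": "JWT"}) + "." + enc(claims) + "."


MAIN_BRANCH_TOKEN = make_unsigned_token({
    "iss": GITHUB_ISSUER, "aud": PROVIDER_AUDIENCE,
    "sub": "repo:example-org/payments:ref:refs/heads/main",
    "repository": "example-org/payments", "ref": "refs/heads/main",
})
FORK_TOKEN = make_unsigned_token({
    "iss": GITHUB_ISSUER, "aud": PROVIDER_AUDIENCE,
    "sub": "repo:attacker/payments:ref:refs/heads/main",
    "repository": "attacker/payments", "ref": "refs/heads/main",
})

if __name__ == "__main__":
    print(federated_principal(MAIN_BRANCH_TOKEN, "example-org/payments"))
    print(federated_principal(FORK_TOKEN, "example-org/payments"))
```

The fork token carries a perfectly valid issuer and audience; only the attribute condition turns it away, which is why the condition belongs on the provider and not just in the IAM binding.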
NEW QUESTION # 129
You are the security admin of your company. Your development team creates multiple GCP projects under the "implementation" folder for several dev, staging, and production workloads. You want to prevent data exfiltration by malicious insiders or compromised code by setting up a security perimeter. However, you do not want to restrict communication between the projects.
What should you do?
- A. Use a Shared VPC to enable communication between all projects, and use firewall rules to prevent data exfiltration.
- B. Use an infrastructure-as-code software tool to set up three different service perimeters for dev, staging, and prod and to deploy a Cloud Function that monitors the "implementation" folder via Stackdriver and Cloud Pub/Sub. When the function notices that a new project is added to the folder, it executes Terraform to add the new project to the respective perimeter.
- C. Use an infrastructure-as-code software tool to set up a single service perimeter and to deploy a Cloud Function that monitors the "implementation" folder via Stackdriver and Cloud Pub/Sub. When the function notices that a new project is added to the folder, it executes Terraform to add the new project to the associated perimeter.
- D. Create access levels in Access Context Manager to prevent data exfiltration, and use a shared VPC for communication between projects.
Answer: C
Explanation:
VPC Service Controls perimeters restrict calls to Google-managed services (Cloud Storage, BigQuery and so on) from outside the perimeter, which is what blocks exfiltration by a compromised workload or a malicious insider. The requirement that communication between the projects stays unrestricted rules out three separate perimeters (option B): projects in different perimeters cannot reach each other's restricted services unless perimeter bridges or ingress/egress rules are added for every pair. A single perimeter holding every project under the "implementation" folder stops data from leaving that set of projects while leaving traffic among them untouched. Shared VPC, firewall rules and access levels (A, D) govern network reachability and caller context; they do not control where data can be copied to.
Steps:
* Set up the perimeter: use Access Context Manager (driven by Terraform) to define one service perimeter and enroll the existing projects in it.
* Deploy the monitoring function: export the Resource Manager audit log for project creation from Cloud Logging (Stackdriver) to Cloud Pub/Sub and trigger a Cloud Function from it.
* Automate perimeter updates: have the function run Terraform to add the new project to the perimeter's resource list.
References:
* Google Cloud: Access Context Manager
* Service perimeter automation
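The automation in the answer has two moving parts, the event handler that notices a new project and the perimeter update, and the question turns on what a perimeter boundary does to cross-project calls. The following is an added example, not code from the original page or from Google; it shows the handler logic over a constructed Pub/Sub message, an idempotent update of a perimeter's resource list, and a simplified check of whether a restricted-service call between two projects succeeds. The audit-log field names follow a Resource Manager CreateProject entry exported by a logging sink and should be confirmed against a real entry; the folder ID, project IDs and project numbers are assumptions, and ingress/egress rules and perimeter bridges are not modelled.

```python
import base64
import json


def project_from_create_event(pubsub_message, folder_id):
    """Pull the new project ID out of a Pub/Sub-wrapped Cloud Audit Logs entry, or None
    if the entry is not a CreateProject under the watched folder.
    Field names are assumptions modelled on a Resource Manager audit entry."""
    entry = json.loads(base64.b64decode(pubsub_message["data"]))
    payload = entry.get("protoPayload", {})
    if payload.get("methodName") != "CreateProject":
        return None
    project = payload.get("request", {}).get("project", {})
    parent = project.get("parent", {})
    if parent.get("type") != "folder" or parent.get("id") != folder_id:
        return None  # created elsewhere in the hierarchy; not ours
    return project.get("projectId")


def add_project_to_perimeter(perimeter, project_number):
    """Idempotently add projects/NUMBER to a perimeter's resource list. Perimeters reference
    projects by number, so the Terraform step must resolve the project ID to its number first."""
    resource = f"projects/{project_number}"
    resources = perimeter.setdefault("status", {}).setdefault("resources", [])
    if resource not in resources:
        resources.append(resource)
    return perimeter


def restricted_call_allowed(perimeters, caller_project, target_project):
    """Whether a restricted-service API call from one project to a resource in another succeeds.
    Basic rule only: both projects must sit inside the same perimeter."""
    def perimeter_of(number):
        return next((p["name"] for p in perimeters if f"projects/{number}" in p["status"]["resources"]), None)
    src, dst = perimeter_of(caller_project), perimeter_of(target_project)
    return src is not None and src == dst


# Constructed event: a new project created under the "implementation" folder (folder ID assumed).
IMPLEMENTATION_FOLDER = "555555555555"
CREATE_EVENT = {
    "data": base64.b64encode(json.dumps({
        "protoPayload": {
            "methodName": "CreateProject",
            "request": {"project": {"projectId": "payments-dev",
                                    "parent": {"type": "folder", "id": IMPLEMENTATION_FOLDER}}},
        }
    }).encode()).decode()
}
# Project numbers are assumed; a real pipeline looks them up with projects.get.
PROJECT_NUMBERS = {"payments-dev": "100", "payments-staging": "200", "payments-prod": "300"}


def single_perimeter():
    p = {"name": "implementation", "status": {"resources": ["projects/200", "projects/300"]}}
    return [add_project_to_perimeter(p, PROJECT_NUMBERS["payments-dev"])]


def three_perimeters():
    return [
        add_project_to_perimeter({"name": "dev", "status": {"resources": []}}, PROJECT_NUMBERS["payments-dev"]),
        {"name": "staging", "status": {"resources": ["projects/200"]}},
        {"name": "prod", "status": {"resources": ["projects/300"]}},
    ]


if __name__ == "__main__":
    print("new project:", project_from_create_event(CREATE_EVENT, IMPLEMENTATION_FOLDER))
    print("dev -> prod, single perimeter:", restricted_call_allowed(single_perimeter(), "100", "300"))
    print("dev -> prod, three perimeters:", restricted_call_allowed(three_perimeters(), "100", "300"))
```

The last two lines are the whole argument for option C over option B: with one perimeter the dev project can still call restricted services in prod, with three it cannot.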
NEW QUESTION # 130
Which Identity-Aware Proxy role should you grant to an Identity and Access Management (IAM) user to access HTTPS resources?
- A. lAP-Secured Tunnel User
- B. Security Reviewer
- C. lAP-Secured Web App User
- D. Service Broker Operator
Answer: C
Explanation:
IAP-Secured Tunnel User (roles/iap.tunnelResourceAccessor) grants access to TCP-forwarding tunnel resources that use IAP. IAP-Secured Web App User (roles/iap.httpsResourceAccessor) grants access to HTTPS resources behind Identity-Aware Proxy, that is App Engine, Cloud Run and Compute Engine backends. Security Reviewer and Service Broker Operator are unrelated to IAP.
https://cloud.google.com/iap/docs/managing-access#roles
NEW QUESTION # 131
An engineering team is launching a web application that will be public on the internet. The web application is hosted in multiple GCP regions and will be directed to the respective backend based on the URL request.
Your team wants to avoid exposing the application directly on the internet and wants to deny traffic from a specific list of malicious IP addresses Which solution should your team implement to meet these requirements?
- A. Network Load Balancing
- B. Cloud Armor
- C. SSL Proxy Load Balancing
- D. NAT Gateway
Answer: B
Explanation:
Google Cloud Armor attaches security policies to the backend services of an external Application (HTTP(S)) Load Balancer, which is the load balancer that routes by URL across regions, as this application does. A policy's rules allow or deny requests by source IP address or range (and, with custom rules, by other request attributes) and are evaluated in priority order, so a list of malicious addresses becomes a set of deny rules ahead of the default allow rule. Clients only ever reach the load balancer's anycast address, never the backends, and Cloud Armor also absorbs volumetric DDoS at the edge. Network Load Balancing and SSL Proxy Load Balancing do not route by URL, and Cloud NAT handles egress rather than inbound traffic.
Steps:
* Create a security policy: in the Cloud Console or with gcloud compute security-policies create.
* Add rules: deny rules listing the malicious IP ranges, each with a priority number lower (evaluated earlier) than the default rule.
* Attach the policy to backend services: apply it to each backend service of the web application's load balancer.
References:
* Google Cloud Armor documentation
* Creating and managing security policies
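Two details bite when a blocklist is turned into Cloud Armor rules: a rule holds at most ten IP ranges, and the first rule whose priority number is lowest and whose match fires decides the request. The following is an added example, not code from the original page or from Cloud Armor; it builds the rule set in the shape of the security-policy resource from a constructed blocklist of documentation addresses and evaluates client addresses against it the way the policy is evaluated, so the chunking and priority ordering can be checked before the policy is applied. The policy name and the priority numbering scheme are assumptions.

```python
import ipaddress

MAX_RANGES_PER_RULE = 10            # Cloud Armor accepts at most 10 IP ranges in one rule
DEFAULT_RULE_PRIORITY = 2147483647  # the policy's default rule sits at the lowest priority


def build_blocklist_policy(name, blocklist, first_priority=1000, step=10):
    """Turn a list of CIDRs/addresses into deny rules, ten ranges per rule, plus a default allow.
    Lower priority numbers are evaluated first."""
    ranges = [str(ipaddress.ip_network(r, strict=False)) for r in blocklist]
    rules = []
    for i in range(0, len(ranges), MAX_RANGES_PER_RULE):
        rules.append({
            "priority": first_priority + step * (i // MAX_RANGES_PER_RULE),
            "action": "deny(403)",
            "description": "known-malicious sources",
            "match": {"versionedExpr": "SRC_IPS_V1",
                      "config": {"srcIpRanges": ranges[i:i + MAX_RANGES_PER_RULE]}},
        })
    rules.append({
        "priority": DEFAULT_RULE_PRIORITY,
        "action": "allow",
        "description": "default rule",
        "match": {"versionedExpr": "SRC_IPS_V1", "config": {"srcIpRanges": ["*"]}},
    })
    return {"name": name, "rules": rules}


def evaluate(policy, client_ip):
    """First matching rule in ascending priority order wins; returns that rule's action."""
    ip = ipaddress.ip_address(client_ip)
    for rule in sorted(policy["rules"], key=lambda r: r["priority"]):
        for rng in rule["match"]["config"]["srcIpRanges"]:
            # an IPv6 client never falls inside an IPv4 range, and vice versa
            if rng == "*" or ip in ipaddress.ip_network(rng, strict=False):
                return rule["action"]
    return "allow"  # unreachable while the policy carries a default rule


# Constructed blocklist of documentation ranges, twelve entries so that it spans two rules.
BLOCKLIST = ["203.0.113.0/24", "198.51.100.77"] + [f"192.0.2.{i}" for i in range(1, 11)]
POLICY = build_blocklist_policy("block-malicious", BLOCKLIST)

if __name__ == "__main__":
    for rule in POLICY["rules"]:
        print(rule["priority"], rule["action"], len(rule["match"]["config"]["srcIpRanges"]), "ranges")
    for ip in ("203.0.113.7", "192.0.2.10", "198.51.100.1", "2001:db8::1"):
        print(ip, "->", evaluate(POLICY, ip))
```

Twelve entries produce two deny rules (priorities 1000 and 1010) in front of the default allow; an address in the second chunk is still denied, and an address outside every range, IPv4 or IPv6, falls through to the default rule.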
NEW QUESTION # 132
Your organization operates in a highly regulated environment and has a stringent set of compliance requirements for protecting customer data. You must encrypt data while in use to meet regulations. What should you do?
- A. Enable the use of customer-supplied encryption keys (CSEK) keys in the Google Compute Engine VMs to give your organization maximum control over their VM disk encryption.
- B. Use a Shielded VM to ensure a secure boot with integrity monitoring for the application environment.
- C. Establish a trusted execution environment with a Confidential VM.
- D. Use customer-managed encryption keys (CMEK) and Cloud KMS to enable your organization to control their keys for data encryption in Cloud SQL.
Answer: C
Explanation:
Comprehensive and Detailed Explanation From Exact Extract:
The requirement is to protect data while in use (meaning data in memory or CPU registers, during processing). This is a concept addressed by Confidential Computing using Trusted Execution Environments (TEEs).
Extracts:
"Confidential VMs are an IaaS solution... Confidential VMs offer: Encryption for 'data in use', including the processor state and the virtual machine's memory." (Source 4.1)
"Confidential computing protects data during processing by isolating workloads inside hardware-based trusted execution environments (TEEs), ensuring even cloud operators cannot access them." (Source 4.3)
"Confidential VMs extend the standard virtual machine concept by adding hardware-enforced confidentiality controls... they ensure data remains encrypted not only at rest and in transit, but also while in use." (Source 4.4)
Options A (CSEK) and D (CMEK) protect data at rest (disk and database encryption). Option B (Shielded VM) protects boot integrity and detects rootkit-style compromise, but does not encrypt memory while the data is being processed. Only a Confidential VM (a TEE) protects data in use.
NEW QUESTION # 133
A company is deploying their application on Google Cloud Platform. Company policy requires long-term data to be stored using a solution that can automatically replicate data over at least two geographic places.
Which Storage solution are they allowed to use?
- A. Compute Engine Persistent Disk
- B. Cloud BigQuery
- C. Compute Engine SSD Disk
- D. Cloud Bigtable
Answer: B
Explanation:
https://cloud.google.com/bigquery
BigQuery datasets in a multi-region location are stored redundantly in at least two geographic places automatically, at no extra charge and with no additional setup. Persistent Disk replicates only across zones of a single region (regional disks) or not at all (zonal and local SSD), and Bigtable replicates across regions only when you explicitly add clusters in other regions.
NEW QUESTION # 134
What are the steps to encrypt data using envelope encryption?
- A. Generate a data encryption key (DEK) locally. Encrypt data with the DEK. Use a key encryption key (KEK) to wrap the DEK. Store the encrypted data and the wrapped DEK.
- B. Generate a data encryption key (DEK) locally. Use a key encryption key (KEK) to wrap the DEK. Encrypt data with the KEK. Store the encrypted data and the wrapped KEK.
- C. Generate a key encryption key (KEK) locally. Generate a data encryption key (DEK) locally. Encrypt data with the KEK. Store the encrypted data and the wrapped DEK.
- D. Generate a key encryption key (KEK) locally. Use the KEK to generate a data encryption key (DEK). Encrypt data with the DEK. Store the encrypted data and the wrapped DEK.
Answer: A
Explanation:
The process is: generate a DEK locally, encrypt the data with the DEK, use a KEK to wrap the DEK, and store the encrypted data together with the wrapped DEK. The KEK never leaves Cloud KMS; only the wrap and unwrap operations happen there, and the plaintext DEK exists only in the application's memory for as long as it is needed.
https://cloud.google.com/kms/docs/envelope-encryption#how_to_encrypt_data_using_envelope_encryption
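Questions 126 and 134 describe the same four steps, and the property that matters is the one stated in both explanations: the KEK never leaves the key service, and what is stored beside the data is the wrapped DEK. The following is an added example, not code from the original page or from Cloud KMS, that carries those steps through in runnable form. Cloud KMS is replaced by a stand-in class that generates the KEK internally and exposes only encrypt and decrypt, mirroring the cryptoKeys.encrypt and cryptoKeys.decrypt calls; the cipher is an HMAC-SHA256 counter-mode keystream with an encrypt-then-MAC tag, built from the standard library so the block runs anywhere. It is a stand-in for AES-256-GCM, which is what both Cloud KMS and a production application would use. The key name and the sample plaintext are constructed.

```python
import hashlib
import hmac
import os
import secrets


def _derive(key, label):
    """Separate encryption and MAC keys from one 256-bit key."""
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream_xor(enc_key, nonce, data):
    """Counter-mode keystream from HMAC-SHA256; a stand-in for AES-GCM's encryption."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(enc_key, nonce + (i // 32).to_bytes(4, "big"), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


def aead_encrypt(key, plaintext):
    """Encrypt-then-MAC with a random 16-byte nonce; output is nonce || ciphertext || tag."""
    nonce = os.urandom(16)
    ct = _keystream_xor(_derive(key, b"enc"), nonce, plaintext)
    tag = hmac.new(_derive(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def aead_decrypt(key, blob):
    """Verify the tag before touching the ciphertext; a modified blob is rejected outright."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(_derive(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: ciphertext or wrapped key was modified")
    return _keystream_xor(_derive(key, b"enc"), nonce, ct)


class FakeKms:
    """Stand-in for Cloud KMS: the KEK is generated inside and is never returned; only
    cryptoKeys.encrypt / cryptoKeys.decrypt style operations are exposed."""

    def __init__(self):
        self._keks = {}

    def create_key(self, name):
        self._keks[name] = secrets.token_bytes(32)
        return name

    def encrypt(self, name, plaintext):
        return aead_encrypt(self._keks[name], plaintext)

    def decrypt(self, name, ciphertext):
        return aead_decrypt(self._keks[name], ciphertext)


def envelope_encrypt(kms, kek_name, plaintext):
    dek = secrets.token_bytes(32)              # 1. generate the DEK locally
    ciphertext = aead_encrypt(dek, plaintext)  # 2. encrypt the data with the DEK
    wrapped_dek = kms.encrypt(kek_name, dek)   # 3. wrap the DEK with the KEK, inside KMS
    # 4. store ciphertext and wrapped DEK together; the plaintext DEK is discarded
    return {"kek": kek_name, "wrapped_dek": wrapped_dek, "ciphertext": ciphertext}


def envelope_decrypt(kms, envelope):
    dek = kms.decrypt(envelope["kek"], envelope["wrapped_dek"])  # unwrap the DEK via KMS
    return aead_decrypt(dek, envelope["ciphertext"])            # then decrypt locally


if __name__ == "__main__":
    kms = FakeKms()
    kek = kms.create_key("projects/p/locations/europe/keyRings/r/cryptoKeys/kek")  # assumed name
    env = envelope_encrypt(kms, kek, b"card number 4111 1111 1111 1111")
    print(envelope_decrypt(kms, env))
```

Each call produces a fresh DEK, so rotating the KEK only requires re-wrapping the small wrapped_dek values, never re-encrypting the data, and a flipped bit in either the ciphertext or the wrapped DEK is caught by the tag before any plaintext is produced.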
NEW QUESTION # 136
You are working with developers to secure custom training jobs running on Vertex AI. For compliance reasons, all supported data types must be encrypted by key materials that reside in the Europe region and are controlled by your organization. The encryption activity must not impact the training operation in Vertex AI. What should you do?
- A. Encrypt the code, training data, and metadata with Google default encryption. Use customer-managed encryption keys (CMEK) for the trained models exported to Cloud Storage buckets.
- B. Encrypt the code, training data, and exported trained models with customer-managed encryption keys (CMEK).
- C. Encrypt the code, training data, and metadata with Google default encryption. Implement an organization policy that enforces a constraint to restrict the Cloud KMS location to the Europe region.
- D. Encrypt the code, training data, metadata, and exported trained models with customer-managed encryption keys (CMEK).
Answer: B
Explanation:
https://cloud.google.com/vertex-ai/docs/general/cmek#resources
In general, the CMEK key does not encrypt metadata associated with your operation, like the job's name and region, or a dataset's display name. Metadata associated with operations is always encrypted using Google's default encryption mechanism. Option D therefore asks for something Vertex AI does not offer, while options A and C leave the code and training data under Google-managed keys that the organization does not control. The CMEK key ring is created in a Europe location that matches the region of the Vertex AI resources, and the encryption is transparent to the training job.
NEW QUESTION # 137
A company allows every employee to use Google Cloud Platform. Each department has a Google Group, with all department members as group members. If a department member creates a new project, all members of that department should automatically have read-only access to all new project resources. Members of any other department should not have access to the project. You need to configure this behavior.
What should you do to meet these requirements?
- A. Create a Folder per department under the Organization. For each department's Folder, assign the Project Browser role to the Google Group related to that department.
- B. Create a Project per department under the Organization. For each department's Project, assign the Project Browser role to the Google Group related to that department.
- C. Create a Folder per department under the Organization. For each department's Folder, assign the Project Viewer role to the Google Group related to that department.
- D. Create a Project per department under the Organization. For each department's Project, assign the Project Viewer role to the Google Group related to that department.
Answer: C
Explanation:
To give every department member read-only access to each new project created by a colleague, use the resource hierarchy and IAM inheritance:
* Create folders for departments: create a folder under the Organization for each department. Folders group resources and provide a level at which policies and permissions can be applied.
* Assign IAM roles to Google Groups: at each department's folder, grant the Project Viewer role (roles/viewer) to that department's Google Group.
* Inherited permissions: when a department member creates a project under the department's folder, the folder's IAM bindings are inherited by the new project, so every group member automatically has read-only access to the project's resources.
In the Console:
* Navigate to IAM & Admin and select Folders.
* For each department, create a new folder under the organization.
* Select the folder and open the Permissions tab.
* Click Add, enter the department Google Group's email address, and assign the Project Viewer role.
Access restrictions: because the binding is made at the folder level, only the members of that department's group get access to projects created in that folder; other departments have no access unless it is explicitly granted. Project Browser (options A and B) only lets a user see the project in the hierarchy, not read its resources, and a single project per department (B, D) cannot cover the projects members go on to create.
Reference:
Google Cloud IAM Documentation
Google Cloud Resource Manager Documentation
NEW QUESTION # 138
For compliance reasons, an organization needs to ensure that in-scope PCI Kubernetes Pods reside on "in- scope" Nodes only. These Nodes can only contain the "in-scope" Pods.
How should the organization achieve this objective?
- A. Place a taint on the Nodes with the label inscope: true and effect NoSchedule and a toleration to match in the Pod configuration.
- B. Run all in-scope Pods in the namespace "in-scope-pci".
- C. Create a node pool with the label inscope: true and a Pod Security Policy that only allows the Pods to run on Nodes with that label.
- D. Add a nodeSelector field to the pod configuration to only use the Nodes labeled inscope: true.
Answer: A
Explanation:
A NoSchedule taint on the in-scope Nodes is the only option that keeps other Pods off them: the scheduler refuses to place any Pod that does not carry a matching toleration. A nodeSelector (D) or a label plus a Pod Security Policy (C, a mechanism that is deprecated and was removed in Kubernetes 1.25) only constrains where the in-scope Pods go; nothing stops unrelated Pods from being scheduled onto the labeled Nodes. A namespace (B) is a logical boundary with no effect on node placement. In practice the in-scope Pods carry both the toleration and a nodeSelector or node affinity for inscope: true, so that they are also kept off the out-of-scope Nodes.
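The difference between the options is easiest to see by running the scheduler's two placement checks over a small cluster. The following is an added example, not code from the original page or from Kubernetes; it reproduces the taint/toleration matching rules and the nodeSelector check and lists where each Pod may land. The node pool layouts and the three Pods are constructed: an in-scope Pod with toleration and nodeSelector, a Pod with only the toleration, and an ordinary Pod with neither.

```python
def tolerates(pod, taint):
    """Kubernetes toleration matching: an empty effect tolerates every effect, Exists with an
    empty key tolerates every key, and Equal requires key and value to match."""
    for tol in pod.get("tolerations", []):
        if tol.get("effect", "") not in ("", taint["effect"]):
            continue
        if tol.get("operator", "Equal") == "Exists":
            if tol.get("key", "") in ("", taint["key"]):
                return True
        elif tol.get("key") == taint["key"] and tol.get("value", "") == taint.get("value", ""):
            return True
    return False


def node_selector_matches(pod, node):
    """Every nodeSelector label on the Pod must be present on the Node with the same value."""
    return all(node.get("labels", {}).get(k) == v for k, v in pod.get("nodeSelector", {}).items())


def schedulable_nodes(pod, nodes):
    """Names of Nodes on which the scheduler would place the Pod: the nodeSelector must match
    and every NoSchedule taint on the Node must be tolerated."""
    return [
        n["name"] for n in nodes
        if node_selector_matches(pod, n)
        and all(tolerates(pod, t) for t in n.get("taints", []) if t["effect"] == "NoSchedule")
    ]


# Constructed cluster: one in-scope Node and one general Node, in two layouts.
PCI_TAINT = {"key": "inscope", "value": "true", "effect": "NoSchedule"}
NODES_TAINTED = [  # option A layout: label plus NoSchedule taint
    {"name": "pci-node", "labels": {"inscope": "true"}, "taints": [PCI_TAINT]},
    {"name": "general-node", "labels": {}, "taints": []},
]
NODES_LABEL_ONLY = [  # option D layout: label but no taint
    {"name": "pci-node", "labels": {"inscope": "true"}, "taints": []},
    {"name": "general-node", "labels": {}, "taints": []},
]

PCI_POD = {
    "name": "card-processor",
    "nodeSelector": {"inscope": "true"},
    "tolerations": [{"key": "inscope", "operator": "Equal", "value": "true", "effect": "NoSchedule"}],
}
TOLERATING_ONLY_POD = {"name": "card-batch", "tolerations": PCI_POD["tolerations"]}
ORDINARY_POD = {"name": "web-frontend"}

if __name__ == "__main__":
    for pod in (PCI_POD, TOLERATING_ONLY_POD, ORDINARY_POD):
        print(pod["name"],
              "| tainted layout:", schedulable_nodes(pod, NODES_TAINTED),
              "| label-only layout:", schedulable_nodes(pod, NODES_LABEL_ONLY))
```

In the label-only layout the ordinary web-frontend Pod is eligible for the in-scope Node, which is exactly the scoping failure the question wants to prevent; the taint removes it. The Pod that only tolerates the taint is still eligible for both Nodes, which is why the in-scope Pods need the nodeSelector as well.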