Download Professional Cloud Security Engineer.Professional-Cloud-Security-Engineer.ExamTopics.2025-12-22.346q.tqb

Vendor: Google
Exam Code: Professional-Cloud-Security-Engineer
Exam Name: Professional Cloud Security Engineer
Date: Dec 22, 2025
File Size: 2 MB

How to open TQB files?

Files with TQB (Taurus Question Bank) extension can be opened by Taurus Exam Studio.

Demo Questions

Question 1
An organization wants to track how bonus compensations have changed over time to identify employee outliers and correct earning disparities. This task must be performed without exposing the sensitive compensation data for any individual and must be reversible to identify the outlier.
Which Cloud Data Loss Prevention API technique should you use?
  A. Cryptographic hashing
  B. Redaction
  C. Format-preserving encryption
  D. Generalization
Correct answer: C
Explanation:
C: 13 (most voted), D: 3
Question 2
For data residency requirements, you want your secrets in Google Cloud's Secret Manager to only have payloads in europe-west1 and europe-west4. Your secrets must be highly available in both regions.
What should you do?
  A. Create your secret with a user managed replication policy, and choose only compliant locations.
  B. Create your secret with an automatic replication policy, and choose only compliant locations.
  C. Create two secrets by using Terraform, one in europe-west1 and the other in europe-west4.
  D. Create your secret with an automatic replication policy, and create an organizational policy to deny secret creation in non-compliant locations.
Correct answer: A
Explanation:
A: 9 (most voted)
Question 3
Your organization operates Virtual Machines (VMs) with only private IPs in the Virtual Private Cloud (VPC) with internet access through Cloud NAT. Every day, you must patch all VMs with critical OS updates and provide summary reports.
What should you do?
  A. Validate that the egress firewall rules allow any outgoing traffic. Log in to each VM and execute OS specific update commands. Configure the Cloud Scheduler job to update with critical patches daily for daily updates.
  B. Copy the latest patches to the Cloud Storage bucket. Log in to each VM, download the patches from the bucket, and install them.
  C. Assign public IPs to VMs. Validate that the egress firewall rules allow any outgoing traffic. Log in to each VM, and configure a daily cron job to enable OS updates at night during low activity periods.
  D. Ensure that VM Manager is installed and running on the VMs. In the OS patch management service, configure the patch jobs to update with critical patches daily.
Correct answer: D
Explanation:
D: 9 (most voted)
Question 4
For compliance reporting purposes, the internal audit department needs you to provide the list of virtual machines (VMs) that have critical operating system (OS) security updates available, but not installed. You must provide this list every six months, and you want to perform this task quickly.
What should you do?
  A. Run a Security Command Center security scan on all VMs to extract a list of VMs with critical OS vulnerabilities every six months.
  B. Run a gcloud CLI command from the Command Line Interface (CLI) to extract the VM's OS version information every six months.
  C. Ensure that the Cloud Logging agent is installed on all VMs, and extract the OS last update log date every six months.
  D. Ensure the OS Config agent is installed on all VMs and extract the patch status dashboard every six months.
Correct answer: D
Explanation:
D: 7 (most voted)
Question 5
Your application is deployed as a highly available, cross-region solution behind a global external HTTP(S) load balancer. You notice significant spikes in traffic from multiple IP addresses, but it is unknown whether the IPs are malicious. You are concerned about your application's availability. You want to limit traffic from these clients over a specified time interval.
What should you do?
  A. Configure a throttle action by using Google Cloud Armor to limit the number of requests per client over a specified time interval.
  B. Configure a rate_based_ban action by using Google Cloud Armor and set the ban_duration_sec parameter to the specified time interval.
  C. Configure a firewall rule in your VPC to throttle traffic from the identified IP addresses.
  D. Configure a deny action by using Google Cloud Armor to deny the clients that issued too many requests over the specified time interval.
Correct answer: A
Explanation:
A: 8 (most voted)
Question 6
Employees at your company use their personal computers to access your organization's Google Cloud console. You need to ensure that users can only access the Google Cloud console from their corporate-issued devices and verify that they have a valid enterprise certificate.
What should you do?
  A. Implement an Access Policy in BeyondCorp Enterprise to verify the device certificate. Create an access binding with the access policy just created.
  B. Implement a VPC firewall policy. Activate packet inspection and create an allow rule to validate and verify the device certificate.
  C. Implement an organization policy to verify the certificate from the access context.
  D. Implement an Identity and Access Management (IAM) conditional policy to verify the device certificate.
Correct answer: A
Explanation:
A: 5 (most voted)
Question 7
Your organization is moving virtual machines (VMs) to Google Cloud. You must ensure that operating system images that are used across your projects are trusted and meet your security requirements.
What should you do?
  A. Implement an organization policy to enforce that boot disks can only be created from images that come from the trusted image project.
  B. Implement an organization policy constraint that enables the Shielded VM service on all projects to enforce the trusted image repository usage.
  C. Create a Cloud Function that is automatically triggered when a new virtual machine is created from the trusted image repository. Verify that the image is not deprecated.
  D. Automate a security scanner that verifies that no common vulnerabilities and exposures (CVEs) are present in your trusted image repository.
Correct answer: A
Explanation:
A: 9 (most voted)
Question 8
You have a highly sensitive BigQuery workload that contains personally identifiable information (PII) that you want to ensure is not accessible from the internet. To prevent data exfiltration, only requests from authorized IP addresses are allowed to query your BigQuery tables.
What should you do?
  A. Use service perimeter and create an access level based on the authorized source IP address as the condition.
  B. Use Google Cloud Armor security policies defining an allowlist of authorized IP addresses at the global HTTPS load balancer.
  C. Use the Restrict Resource Service Usage organization policy constraint along with Cloud Data Loss Prevention (DLP).
  D. Use the Restrict allowed Google Cloud APIs and services organization policy constraint along with Cloud Data Loss Prevention (DLP).
Correct answer: A
Explanation:
A: 9 (most voted)
Question 9
Your company conducts clinical trials and needs to analyze the results of a recent study that are stored in BigQuery. The interval when the medicine was taken contains start and stop dates. The interval data is critical to the analysis, but specific dates may identify a particular batch and introduce bias. You need to obfuscate the start and end dates for each row and preserve the interval data.
What should you do?
  A. Use date shifting with the context set to the unique ID of the test subject.
  B. Extract the date using TimePartConfig from each date field and append a random month and year.
  C. Use bucketing to shift values to a predetermined date based on the initial value.
  D. Use the FFX mode of format preserving encryption (FPE) and maintain data consistency.
Correct answer: A
Explanation:
A: 11 (most voted)
Question 10
Your organization develops software involved in many open source projects and is concerned about software supply chain threats. You need to deliver provenance for the build to demonstrate the software is untampered.
What should you do?
  A. 1. Hire an external auditor to review and provide provenance.
    2. Define the scope and conditions.
    3. Get support from the Security department or representative.
    4. Publish the attestation to your public web page.
  B. 1. Review the software process.
    2. Generate private and public key pairs and use Pretty Good Privacy (PGP) protocols to sign the output software artifacts together with a file containing the address of your enterprise and point of contact.
    3. Publish the PGP signed attestation to your public web page.
  C. 1. Publish the software code on GitHub as open source.
    2. Establish a bug bounty program, and encourage the open source community to review, report, and fix the vulnerabilities.
  D. 1. Generate Supply Chain Levels for Software Artifacts (SLSA) level 3 assurance by using Cloud Build.
    2. View the build provenance in the Security insights side panel within the Google Cloud console.
Correct answer: D
Explanation:
D: 7 (most voted)