Your company's Chief Information Security Officer (CISO) creates a requirement that business data must be stored in specific locations due to regulatory requirements that affect the company's global expansion plans. After working on the details to implement this requirement, you determine the following:
The services in scope are included in the Google Cloud Data Residency Terms.
The business data remains within specific locations under the same organization.
The folder structure can contain multiple data residency locations.
You plan to use the Resource Location Restriction organization policy constraint. At which level in the resource hierarchy should you set the constraint?
The Resource Location Restriction constraint (constraints/gcloud.resourceLocations) limits the locations in which resources of the in-scope services can be created, which is what turns the data residency requirement into an enforced control rather than a convention teams are asked to follow.
Organization level: Setting the constraint at the organization level makes every folder and project under the organization inherit the location restriction. This gives one policy that covers the entire organization and the regulatory requirement behind it, with no folder or project able to opt out simply by being created outside a scoped folder.
Policy application: The policy propagates down the resource hierarchy, so all in-scope services in every descendant project comply with the specified residency locations. Where a particular folder must keep its data in a different set of locations, a folder-level policy can merge with or replace the inherited rule, so one organization-level baseline still accommodates the multiple residency locations the folder structure contains. Note that the constraint governs where new resources are created; it does not move resources that already exist outside the allowed locations, so those must be found and migrated separately.
This approach provides centralized control and simplifies the management of data residency constraints.
Organization Policy Service Documentation
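As an added example, not taken from the original page or from Google's documentation, the organization-level policy in the Organization Policy v2 YAML format accepted by gcloud org-policies set-policy, followed by a folder-level policy that replaces the inherited rule for a folder whose data must stay in a different region group. The organization ID 123456789012 and folder ID 987654321098 are placeholders assumed for illustration; in:eu-locations and in:us-locations are the constraint's built-in value groups.

```yaml
# Organization-level baseline: every folder and project inherits this unless
# a child policy changes it. (Added example; IDs are placeholders.)
name: organizations/123456789012/policies/gcloud.resourceLocations
spec:
  rules:
  - values:
      allowedValues:
      - in:eu-locations        # value group covering EU regions and multi-regions
---
# Folder-level policy for a folder whose data must stay in the US.
# inheritFromParent: false replaces the inherited EU rule for this subtree;
# set it to true to merge, i.e. add locations on top of the parent's list.
name: folders/987654321098/policies/gcloud.resourceLocations
spec:
  inheritFromParent: false
  rules:
  - values:
      allowedValues:
      - in:us-locations
```

Save each document to its own file and apply it with gcloud org-policies set-policy FILE. After applying, confirm what a given folder or project actually ends up with, inheritance included, using gcloud org-policies describe gcloud.resourceLocations --folder=987654321098 --effective (or --project=...), and test by attempting to create an in-scope resource, for example a Cloud Storage bucket, in a disallowed region, which should be rejected with a policy violation.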
A patch for a vulnerability has been released, and a DevOps team needs to update their running containers in Google Kubernetes Engine (GKE).
How should the DevOps team accomplish this?
When a patch is released for a vulnerability affecting a container running in Google Kubernetes Engine (GKE), the fix is not applied inside the running container. Container images are immutable, so the team updates the application code, the affected dependency or the base image, builds a new container image that incorporates the patch, pushes it to the registry and then rolls the new image out to replace the running containers. This ensures every replica runs the patched code and that the fix survives pod restarts and rescheduling, which a change made inside a live container would not.
Steps:
Update application code or base image: Modify the application code, update the vulnerable dependency, or bump the base image in the Dockerfile so the build picks up the patched version.
Build new image: Use a tool like Docker (or Cloud Build) to build a new container image with the updated code.
Push new image: Push the new container image to Artifact Registry (the successor to Container Registry) and record the image digest the push returns. Referencing the image by digest rather than a mutable tag such as :latest guarantees that the exact image that was built and scanned is the one that runs.
Update deployments: Update the Kubernetes Deployment to use the new image, either by changing the image reference in the deployment YAML file or with kubectl set image deployment/<name> <container>=<image>. The change to the pod template is what triggers the rollout; rebuilding under the same tag without changing the manifest leaves the running pods untouched.
Redeploy containers: Apply the updated deployment configuration using kubectl apply -f <deployment-file>.yaml. The Deployment controller performs a rolling update, starting pods on the new image and retiring the old ones as they become ready. Watch it complete with kubectl rollout status deployment/<name>, and if the patched image misbehaves, roll back with kubectl rollout undo deployment/<name>.
Google Cloud: Container security
Kubernetes: Updating an application
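The Deployment manifest for the "Update deployments" and "Redeploy containers" steps above, as an added example that is not part of the original page. The application name, namespace, Artifact Registry path and image digest are placeholders assumed for illustration; the digest would be the one returned by the push in the previous step.

```yaml
# Added example, not from the original page: Deployment manifest for the
# patched image. Names, project, repository and digest are placeholders.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: web-app
  namespace: prod
spec:
  replicas: 3
  selector:
    matchLabels:
      app: web-app
  strategy:
    type: RollingUpdate
    rollingUpdate:
      maxUnavailable: 0      # never reduce capacity while the patch rolls out
      maxSurge: 1            # start one patched pod before retiring an old one
  template:
    metadata:
      labels:
        app: web-app
    spec:
      containers:
      - name: web-app
        # Pin to the digest returned by the push rather than a tag such as
        # :latest, so the exact image that was built and scanned is what runs.
        # The digest below is a placeholder.
        image: us-central1-docker.pkg.dev/my-project/apps/web-app@sha256:0000000000000000000000000000000000000000000000000000000000000000
        ports:
        - containerPort: 8080
        readinessProbe:       # old pods are retired only once new ones pass this
          httpGet:
            path: /healthz
            port: 8080
          initialDelaySeconds: 5
          periodSeconds: 10
```

Apply it with kubectl apply -f deployment.yaml and follow the rollout with kubectl rollout status deployment/web-app -n prod. Because the image field changed, the controller creates a new ReplicaSet and replaces pods one at a time under the maxSurge/maxUnavailable limits; because the reference is a digest, kubectl get deployment web-app -n prod -o jsonpath='{.spec.template.spec.containers[0].image}' later proves exactly which build is running, which a tag cannot.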
You need to enable VPC Service Controls and allow changes to perimeters in existing environments without preventing access to resources. Which VPC Service Controls mode should you use?
A batch job running on Compute Engine needs temporary write access to a Cloud Storage bucket. You want the batch job to use the minimum permissions necessary to complete the task. What should you do?
To provide temporary write access to a Cloud Storage bucket with the minimum permissions necessary, you should:
Identify the service account attached to the Compute Engine instance: The batch job authenticates as the instance's service account, which is the Compute Engine default service account unless another was attached at creation. Prefer a dedicated service account with no project-wide roles, so the grant below does not ride on top of the broad roles the default account may already hold.
Assign the storage.objectCreator role on the bucket: This predefined IAM role grants only storage.objects.create, which is sufficient to upload objects. It does not grant permissions to list, read, overwrite or delete existing objects, which adheres to the principle of least privilege. Grant it on the bucket rather than the project so it covers no other buckets, and because the access is temporary, attach an IAM condition that expires the binding or remove the binding when the job completes.
Avoid using full permissions or long-lived keys: Options A and C suggest using broader permissions than necessary or embedding long-lived service account keys, which pose a security risk if compromised. A downloaded key never expires on its own and must be stored, distributed and rotated, whereas the attached service account obtains short-lived access tokens from the instance metadata server with nothing to leak from disk.
Service account impersonation (Option D) is not necessary for this task and would be more appropriate for scenarios where a principal must temporarily assume a different identity with different permissions.
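One way to express the time-limited, bucket-scoped grant described above, as an added example that is not part of the original page. The bucket name, service account email and expiry timestamp are placeholders assumed for illustration; the binding shown is what gcloud storage buckets get-iam-policy reports after the add-iam-policy-binding command in the comment has been run.

```yaml
# Added example: bucket-level IAM policy granting the batch job's service
# account object-creation rights that lapse automatically. Bucket name,
# service account and expiry are placeholders. The binding is added with
#   gcloud storage buckets add-iam-policy-binding gs://batch-output-bucket \
#     --member=serviceAccount:batch-job@my-project.iam.gserviceaccount.com \
#     --role=roles/storage.objectCreator \
#     --condition='expression=request.time < timestamp("2025-02-01T00:00:00Z"),title=batch-window'
# and the resulting policy looks like this:
version: 3                            # IAM conditions require policy version 3
bindings:
- role: roles/storage.objectCreator   # storage.objects.create only: upload, no read/list/delete
  members:
  - serviceAccount:batch-job@my-project.iam.gserviceaccount.com
  condition:
    title: batch-window
    description: Write access expires when the batch window closes
    expression: request.time < timestamp("2025-02-01T00:00:00Z")
```

Conditions on a bucket require uniform bucket-level access to be enabled on that bucket, so legacy object ACLs cannot quietly widen what the condition narrows. After the expiry the binding still appears in the policy but no longer grants anything, so a periodic clean-up of expired bindings keeps the policy readable. If a fixed end time is not known in advance, grant the binding when the job starts and remove it in the job's completion step instead.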
You are using Security Command Center (SCC) to protect your workloads and receive alerts for suspected security breaches at your company. You need to detect cryptocurrency mining software. Which SCC service should you use?
The goal is to detect cryptocurrency mining software using Security Command Center (SCC).
Security Command Center threat detection services: The SCC Premium and Enterprise tiers offer several specialized threat detection services.
Virtual Machine Threat Detection (VMTD): This service is explicitly designed to scan virtual machines (Compute Engine instances and GKE nodes) for specific threats, including cryptocurrency mining software. It operates at the hypervisor level, performing deep scans of guest VM memory without installing an agent inside the VM, so miners that tamper with or hide from in-guest tooling are still visible to it.
Extract reference: "Virtual Machine Threat Detection (VMTD) helps you detect potential threats, such as cryptocurrency mining and malware, within your Compute Engine instances and GKE nodes" (Google Cloud documentation: "Virtual Machine Threat Detection overview | Security Command Center", https://cloud.google.com/security-command-center/docs/concepts-vm-threat-detection-overview).
Extract reference: "This service scans virtual machines to detect potentially malicious applications, such as cryptocurrency mining software, kernel-mode rootkits, and malware running in compromised cloud environments" (same document).
Let's evaluate the other options:
A. Web Security Scanner: This service scans for common web application vulnerabilities such as XSS, Flash injection and mixed content. It is not designed to detect runtime threats like cryptocurrency mining software.
B. Container Threat Detection: While Container Threat Detection (CTD) also detects cryptocurrency mining, it specifically focuses on runtime threats within GKE containers. The question asks for detection of "cryptocurrency mining software" generally, and VMs are a common target for such activity (and GKE nodes are VMs). VMTD provides the more general detection across Compute Engine VMs and GKE nodes for this type of threat. If the question explicitly mentioned containers or Cloud Run, CTD would be the more specific answer; for general detection of "software" on "workloads", and given that VMTD explicitly lists cryptocurrency mining software for VMs, it is the most direct and broadly applicable answer among the choices.
C. Rapid Vulnerability Detection: This service actively scans internet-exposed assets for network vulnerabilities and misconfigurations. It focuses on finding known vulnerabilities, not on detecting active malicious processes like cryptocurrency mining.