
Free Professional-Cloud-Security-Engineer dumps questions:

Your team needs to make sure that a Compute Engine instance does not have access to the internet or to any Google APIs or services.
Which two settings must remain disabled to meet these requirements? (Choose two.)

  • A. Public IP
  • B. IP Forwarding
  • C. Private Google Access
  • D. Static routes
  • E. IAM Network User Role

Answer: CD

A customer needs an alternative to storing their plain text secrets in their source-code management (SCM) system.
How should the customer achieve this using Google Cloud Platform?

  • A. Use Cloud Source Repositories, and store secrets in Cloud SQL.
  • B. Encrypt the secrets with a Customer-Managed Encryption Key (CMEK), and store them in Cloud Storage.
  • C. Run the Cloud Data Loss Prevention API to scan the secrets, and store them in Cloud SQL.
  • D. Deploy the SCM to a Compute Engine VM with local SSDs, and enable preemptible VMs.

Answer: B

A customer has 300 engineers. The company wants to grant different levels of access and efficiently manage IAM permissions between users in the development and production environment projects.
Which two steps should the company take to meet these requirements? (Choose two.)

  • A. Create a project with multiple VPC networks for each environment.
  • B. Create a folder for each development and production environment.
  • C. Create a Google Group for the Engineering team, and assign permissions at the folder level.
  • D. Create an Organizational Policy constraint for each folder environment.
  • E. Create projects for each environment, and grant IAM rights to each engineering user.

Answer: BD

A customer deploys an application to App Engine and needs to check for Open Web Application Security Project (OWASP) vulnerabilities.
Which service should be used to accomplish this?

  • A. Cloud Armor
  • B. Google Cloud Audit Logs
  • C. Cloud Security Scanner
  • D. Forseti Security

Answer: C

When working with agents in a support center via online chat, an organization’s customers often share pictures of their documents with personally identifiable information (PII). The organization that owns the support center is concerned that the PII is being stored in their databases as part of the regular chat logs they retain for review by internal or external analysts for customer service trend analysis.
Which Google Cloud solution should the organization use to help resolve this concern for the customer while still maintaining data utility?

  • A. Use Cloud Key Management Service (KMS) to encrypt the PII data shared by customers before storing it for analysis.
  • B. Use Object Lifecycle Management to make sure that all chat records with PII in them are discarded and not saved for analysis.
  • C. Use the image inspection and redaction actions of the DLP API to redact PII from the images before storing them for analysis.
  • D. Use the generalization and bucketing actions of the DLP API solution to redact PII from the texts before storing them for analysis.

Answer: D


Your team uses a service account to authenticate data transfers from a given Compute Engine virtual machine instance to a specified Cloud Storage bucket. An engineer accidentally deletes the service account, which breaks application functionality. You want to recover the application as quickly as possible without compromising security.
What should you do?

  • A. Temporarily disable authentication on the Cloud Storage bucket.
  • B. Use the undelete command to recover the deleted service account.
  • C. Create a new service account with the same name as the deleted service account.
  • D. Update the permissions of another existing service account and supply those credentials to the applications.

Answer: B

A customer needs to prevent attackers from hijacking their domain/IP and redirecting users to a malicious site through a man-in-the-middle attack.
Which solution should this customer use?

  • A. VPC Flow Logs
  • B. Cloud Armor
  • C. DNS Security Extensions
  • D. Cloud Identity-Aware Proxy

Answer: C

Your company is storing sensitive data in Cloud Storage. You want a key generated on-premises to be used in the encryption process.
What should you do?

  • A. Use the Cloud Key Management Service to manage a data encryption key (DEK).
  • B. Use the Cloud Key Management Service to manage a key encryption key (KEK).
  • C. Use customer-supplied encryption keys to manage the data encryption key (DEK).
  • D. Use customer-supplied encryption keys to manage the key encryption key (KEK).

Answer: A

A customer wants to deploy a large number of 3-tier web applications on Compute Engine.
How should the customer ensure authenticated network separation between the different tiers of the application?

  • A. Run each tier in its own Project, and segregate using Project labels.
  • B. Run each tier with a different Service Account (SA), and use SA-based firewall rules.
  • C. Run each tier in its own subnet, and use subnet-based firewall rules.
  • D. Run each tier with its own VM tags, and use tag-based firewall rules.

Answer: C

You are part of a security team investigating a compromised service account key. You need to audit which new resources were created by the service account.
What should you do?

  • A. Query Data Access logs.
  • B. Query Admin Activity logs.
  • C. Query Access Transparency logs.
  • D. Query Stackdriver Monitoring Workspace.

Answer: A

You will create a new Service Account that should be able to list the Compute Engine instances in the project. You want to follow Google-recommended practices.
What should you do?

  • A. Create an Instance Template, and allow the Service Account Read Only access for the Compute Engine Access Scope.
  • B. Create a custom role with the permission compute.instances.list and grant the Service Account this role.
  • C. Give the Service Account the role of Compute Viewer, and use the new Service Account for all instances.
  • D. Give the Service Account the role of Project Viewer, and use the new Service Account for all instances.

Answer: A

An organization's security and risk management teams are concerned about where their responsibility lies for certain production workloads they are running in Google Cloud Platform (GCP), and where Google's responsibility lies. They are mostly running workloads using Google Cloud's Platform-as-a-Service (PaaS) offerings, including App Engine primarily.
Which one of these areas in the technology stack would they need to focus on as their primary responsibility when using App Engine?

  • A. Configuring and monitoring VPC Flow Logs
  • B. Defending against XSS and SQLi attacks
  • C. Manage the latest updates and security patches for the Guest OS
  • D. Encrypting all stored data

Answer: D

In order to meet PCI DSS requirements, a customer wants to ensure that all outbound traffic is authorized. Which two cloud offerings meet this requirement without additional compensating controls? (Choose two.)

  • A. App Engine
  • B. Cloud Functions
  • C. Compute Engine
  • D. Google Kubernetes Engine
  • E. Cloud Storage

Answer: AC

You are on your company's development team. You noticed that your web application hosted in staging on GKE dynamically includes user data in web pages without first properly validating the inputted data. This could allow an attacker to execute gibberish commands and display arbitrary content in a victim user's browser in a production environment.
How should you prevent and fix this vulnerability?

  • A. Use Cloud IAP based on IP address or end-user device attributes to prevent and fix the vulnerability.
  • B. Set up an HTTPS load balancer, and then use Cloud Armor for the production environment to prevent the potential XSS attack.
  • C. Use Web Security Scanner to validate the usage of an outdated library in the code, and then use a secured version of the included library.
  • D. Use Web Security Scanner in staging to simulate an XSS injection attack, and then use a templating system that supports contextual auto-escaping.

Answer: D

A website design company recently migrated all customer sites to App Engine. Some sites are still in progress and should only be visible to customers and company employees from any location.
Which solution will restrict access to the in-progress sites?

  • A. Upload an .htaccess file containing the customer and employee user accounts to App Engine.
  • B. Create an App Engine firewall rule that allows access from the customer and employee networks and denies all other traffic.
  • C. Enable Cloud Identity-Aware Proxy (IAP), and allow access to a Google Group that contains the customer and employee user accounts.
  • D. Use Cloud VPN to create a VPN connection between the relevant on-premises networks and the company’s GCP Virtual Private Cloud (VPC) network.

Answer: C

