Professional Cloud Security Engineer

Here you have the best Google Professional Cloud Security Engineer practice exam questions

  • You have 346 total questions to study from
  • Each page has 5 questions, making a total of 70 pages
  • You can navigate through the pages using the buttons at the bottom
  • This questions were last updated on October 14, 2025
  • This site is not affiliated with or endorsed by Google.
Question 1 of 346
Your team needs to make sure that a Compute Engine instance does not have access to the internet or to any Google APIs or services.
Which two settings must remain disabled to meet these requirements? (Choose two.)
    Correct Answer: A, C

    To ensure that a Compute Engine instance does not have access to the internet or any Google APIs or services, you must disable 'Public IP' and 'Private Google Access'. Disabling the 'Public IP' prevents the instance from accessing the internet. 'Private Google Access' needs to be disabled to ensure the instance cannot access Google APIs and services via internal paths.

Question 2 of 346
Which two implied firewall rules are defined on a VPC network? (Choose two.)
    Correct Answer: A, B

    In a VPC network, two implied firewall rules are typically defined. One rule allows all outgoing connections, which ensures that instances can communicate externally (like accessing the internet). This aligns with the option 'a rule that allows all outbound connections'. The other rule denies all incoming connections, which helps protect instances from unsolicited inbound traffic by default. This corresponds to the option 'a rule that denies all inbound connections'. These default rules ensure a basic level of security and connectivity for instances within the VPC network.

Question 3 of 346
A customer needs an alternative to storing their plain text secrets in their source-code management (SCM) system.
How should the customer achieve this using Google Cloud Platform?
    Correct Answer: B

    To securely store secrets and avoid putting them in source-code management systems, using encrypted storage is vital. Encrypting the secrets with a Customer-Managed Encryption Key (CMEK) and storing them in Cloud Storage is a valid approach that leverages strong encryption practices. This ensures that the secrets remain protected and accessible only by authorized entities. Other options such as using local SSDs on Compute Engine or storing secrets in Cloud SQL without encryption do not provide the same level of security and manageability.

Question 4 of 346
Your team wants to centrally manage GCP IAM permissions from their on-premises Active Directory Service. Your team wants to manage permissions by AD group membership.
What should your team do to meet these requirements?
    Correct Answer: A

    To meet the requirements of centrally managing GCP IAM permissions from an on-premises Active Directory Service by AD group membership, your team should set up Cloud Directory Sync to sync groups, and set IAM permissions on the groups. Cloud Directory Sync ensures that the AD identities and groups are replicated in GCP, allowing IAM permissions to be applied directly to these synced groups. This method ensures seamless identity and access management integration between on-premises AD and GCP.

Question 5 of 346
When creating a secure container image, which two items should you incorporate into the build if possible? (Choose two.)
    Correct Answer: B, C

    When creating a secure container image, incorporating the packaging of a single app as a container is crucial for maintaining isolation and minimizing attack surfaces. Removing unnecessary tools not needed by the app reduces the potential vulnerabilities within the container. Avoid running an app as PID 1 because this can complicate handling of process signals, but this is more about functionality than security. Using public container images introduces the risk of utilizing untrusted sources, and using many container image layers can increase complexity without providing real security benefits.