Professional Cloud Security Engineer

Here are the best Google Professional Cloud Security Engineer practice exam questions.

  • You have 361 total questions across 73 pages (5 per page)
  • These questions were last updated on March 14, 2026
  • This site is not affiliated with or endorsed by Google.
Question 1 of 361

Your team needs to make sure that a Compute Engine instance does not have access to the internet or to any Google APIs or services.
Which two settings must remain disabled to meet these requirements? (Choose two.)
Answer

Suggested Answer

The suggested answer is A, C.

To ensure that a Compute Engine instance does not have access to the internet or to any Google APIs or services, both 'Public IP' and 'Private Google Access' must remain disabled. Leaving 'Public IP' disabled prevents the instance from accessing the internet. 'Private Google Access' must remain disabled so that the instance cannot reach Google APIs and services via internal paths.

Community Votes: 8 votes
AC (Suggested): 100%
Question 2 of 361

Which two implied firewall rules are defined on a VPC network? (Choose two.)
Answer

Suggested Answer

The suggested answer is A, B.

In a VPC network, two implied firewall rules are typically defined. One rule allows all outgoing connections, which ensures that instances can communicate externally (like accessing the internet). This aligns with the option 'a rule that allows all outbound connections'. The other rule denies all incoming connections, which helps protect instances from unsolicited inbound traffic by default. This corresponds to the option 'a rule that denies all inbound connections'. These default rules ensure a basic level of security and connectivity for instances within the VPC network.

Community Votes: 6 votes
AB (Suggested): 100%
Question 3 of 361

A customer needs an alternative to storing their plain text secrets in their source-code management (SCM) system.
How should the customer achieve this using Google Cloud Platform?
Answer

Suggested Answer

The suggested answer is B.

To securely store secrets and avoid putting them in source-code management systems, using encrypted storage is vital. Encrypting the secrets with a Customer-Managed Encryption Key (CMEK) and storing them in Cloud Storage is a valid approach that leverages strong encryption practices. This ensures that the secrets remain protected and accessible only by authorized entities. Other options such as using local SSDs on Compute Engine or storing secrets in Cloud SQL without encryption do not provide the same level of security and manageability.

Community Votes: 6 votes
B (Suggested): 100%
Question 4 of 361

Your team wants to centrally manage GCP IAM permissions from their on-premises Active Directory Service. Your team wants to manage permissions by AD group membership.
What should your team do to meet these requirements?
Answer

Suggested Answer

The suggested answer is A.

To meet the requirements of centrally managing GCP IAM permissions from an on-premises Active Directory Service by AD group membership, your team should set up Cloud Directory Sync to sync groups, and set IAM permissions on the groups. Cloud Directory Sync ensures that the AD identities and groups are replicated in GCP, allowing IAM permissions to be applied directly to these synced groups. This method ensures seamless identity and access management integration between on-premises AD and GCP.

Community Votes: 15 votes
A (Suggested): 87%
B: 13%
Question 5 of 361

When creating a secure container image, which two items should you incorporate into the build if possible? (Choose two.)
Answer

Suggested Answer

The suggested answer is B, C.

When creating a secure container image, packaging a single app per container is crucial for maintaining isolation and minimizing the attack surface. Removing tools the app does not need reduces the potential vulnerabilities within the container. Avoiding running an app as PID 1 is advisable because it can complicate handling of process signals, but this is more about functionality than security. Using public container images introduces the risk of relying on untrusted sources, and using many container image layers can increase complexity without providing real security benefits.

Community Votes: 5 votes
BC (Suggested): 100%

About the Google Professional Cloud Security Engineer Certification Exam

About the Exam

The Google Professional Cloud Security Engineer certification validates your knowledge and skills. Passing demonstrates proficiency and can boost your career prospects in the field.

How to Prepare

Work through all 361 practice questions across 73 pages. Focus on understanding the reasoning behind each answer rather than memorizing responses to be ready for any variation on the real exam.

Why Practice Exams?

Practice exams help you familiarize yourself with the question format, manage your time, and reduce anxiety on test day. Our Professional Cloud Security Engineer questions are regularly updated to reflect the latest exam objectives.