
100% Real Professional-Cloud-Security-Engineer dumps - Brilliant Professional-Cloud-Security-Engineer Exam Questions PDF
Professional-Cloud-Security-Engineer Exam PDF [2023] Tests Free Updated Today with Correct 235 Questions
NEW QUESTION # 135
You perform a security assessment on a customer architecture and discover that multiple VMs have public IP addresses. After providing a recommendation to remove the public IP addresses, you are told those VMs need to communicate to external sites as part of the customer's typical operations. What should you recommend to reduce the need for public IP addresses in your customer's VMs?
- A. Cloud VPN
- B. Cloud Router
- C. Cloud NAT
- D. Google Cloud Armor
Answer: C
Explanation:
https://cloud.google.com/nat/docs/overview
NEW QUESTION # 136
You are in charge of creating a new Google Cloud organization for your company. Which two actions should you take when creating the super administrator accounts? (Choose two.)
- A. Provide non-privileged identities to the super admin users for their day-to-day activities.
- B. Use a private connection to create the super admin accounts to avoid sending your credentials over the Internet.
- C. Disable any Identity and Access Management (IAM) roles for super admin at the organization level in the Google Cloud Console.
- D. Create an access level in the Google Admin console to prevent super admin from logging in to Google Cloud.
- E. Use a physical token to secure the super admin credentials with multi-factor authentication (MFA).
Answer: A,E
Explanation:
https://cloud.google.com/resource-manager/docs/super-admin-best-practices#discourage_super_admin_account_usage
- Use a security key or other physical authentication device to enforce two-step verification.
- Give super admins a separate account that requires a separate login.
NEW QUESTION # 137
Which international compliance standard provides guidelines for information security controls applicable to the provision and use of cloud services?
- A. ISO 27002
- B. ISO 27001
- C. ISO 27018
- D. ISO 27017
Answer: D
NEW QUESTION # 138
As adoption of the Cloud Data Loss Prevention (DLP) API grows within the company, you need to optimize usage to reduce cost. DLP target data is stored in Cloud Storage and BigQuery. The location and region are identified as a suffix in the resource name.
Which cost reduction options should you recommend?
- A. Set appropriate rowsLimit value on BigQuery data hosted outside the US and set appropriate bytesLimitPerFile value on multiregional Cloud Storage buckets.
- B. Set appropriate rowsLimit value on BigQuery data hosted outside the US, and minimize transformation units on multiregional Cloud Storage buckets.
- C. Use rowsLimit and bytesLimitPerFile to sample data and use CloudStorageRegexFileSet to limit scans.
- D. Use FindingLimits and TimespanConfig to sample data and minimize transformation units.
Answer: C
Explanation:
https://cloud.google.com/dlp/docs/inspecting-storage#sampling
https://cloud.google.com/dlp/docs/best-practices-costs#limit_scans_of_files_in_to_only_relevant_files
NEW QUESTION # 139
You are a Security Administrator at your organization. You need to restrict service account creation capability within production environments. You want to accomplish this centrally across the organization. What should you do?
- A. Use organization policy constraints/iam.disableServiceAccountKeyCreation boolean to disable the creation of new service accounts.
- B. Use organization policy constraints/iam.disableServiceAccountCreation boolean to disable the creation of new service accounts.
- C. Use organization policy constraints/iam.disableServiceAccountKeyUpload boolean to disable the creation of new service accounts.
- D. Use Identity and Access Management (IAM) to restrict access of all users and service accounts that have access to the production environment.
Answer: B
NEW QUESTION # 140
Your team needs to make sure that their backend database can only be accessed by the frontend application and no other instances on the network.
How should your team design this network?
- A. Create two VPC networks, and connect the two networks using VPC peering to ensure network isolation.
- B. Create a different subnet for the frontend application and database to ensure network isolation.
- C. Create two VPC networks, and connect the two networks using Cloud VPN gateways to ensure network isolation.
- D. Create an ingress firewall rule to allow access only from the application to the database using firewall tags.
Answer: D
Explanation:
"However, even though it is possible to use tags for target filtering in this manner, we recommend that you use service accounts where possible. Target tags are not access-controlled and can be changed by someone with the instanceAdmin role while VMs are in service. Service accounts are access-controlled, meaning that a specific user must be explicitly authorized to use a service account. There can only be one service account per instance, whereas there can be multiple tags. Also, service accounts assigned to a VM can only be changed when the VM is stopped."
NEW QUESTION # 141
Your company requires the security and network engineering teams to identify all network anomalies and be able to capture payloads within VPCs. Which method should you use?
- A. Enable VPC Flow Logs on the subnet.
- B. Define an organization policy constraint.
- C. Monitor and analyze Cloud Audit Logs.
- D. Configure packet mirroring policies.
Answer: D
Explanation:
https://cloud.google.com/vpc/docs/packet-mirroring
Packet Mirroring clones the traffic of specified instances in your Virtual Private Cloud (VPC) network and forwards it for examination. Packet Mirroring captures all traffic and packet data, including payloads and headers.
NEW QUESTION # 142
Applications often require access to "secrets", small pieces of sensitive data, at build or run time. The administrator managing these secrets on GCP wants to keep track of "who did what, where, and when?" within their GCP projects.
Which two log streams would provide the information that the administrator is looking for? (Choose two.)
- A. Data Access logs
- B. System Event logs
- C. VPC Flow logs
- D. Admin Activity logs
- E. Agent logs
Answer: A,D
Explanation:
Reference:
https://cloud.google.com/kms/docs/secret-management
NEW QUESTION # 143
A large e-retailer is moving to Google Cloud Platform with its ecommerce website. The company wants to ensure payment information is encrypted between the customer's browser and GCP when customers check out online.
What should they do?
- A. Configure an SSL Certificate on an L7 Load Balancer and require encryption.
- B. Configure the firewall to allow inbound traffic on port 443, and block all other inbound traffic.
- C. Configure an SSL Certificate on a Network TCP Load Balancer and require encryption.
- D. Configure the firewall to allow outbound traffic on port 443, and block all other outbound traffic.
Answer: A
Explanation:
https://cloud.google.com/load-balancing/docs/load-balancing-overview#external_versus_internal_load_balancing
NEW QUESTION # 144
Which international compliance standard provides guidelines for information security controls applicable to the provision and use of cloud services?
- A. ISO 27002
- B. ISO 27001
- C. ISO 27018
- D. ISO 27017
Answer: D
Explanation:
https://cloud.google.com/security/compliance/iso-27017
NEW QUESTION # 145
You need to use Cloud External Key Manager to create an encryption key to encrypt specific BigQuery data at rest in Google Cloud. Which steps should you do first?
- A. 1. Create an external key with a unique uniform resource identifier (URI) in Cloud Key Management Service (Cloud KMS). 2. In Cloud KMS, grant your Google Cloud project access to use the key.
- B. 1. Create or use an existing key with a unique uniform resource identifier (URI) in your Google Cloud project. 2. Grant your Google Cloud project access to a supported external key management partner system.
- C. 1. Create or use an existing key with a unique uniform resource identifier (URI) in a supported external key management partner system. 2. In the external key management partner system, grant access for this key to use your Google Cloud project.
- D. 1. Create or use an existing key with a unique uniform resource identifier (URI) in Cloud Key Management Service (Cloud KMS). 2. In Cloud KMS, grant your Google Cloud project access to use the key.
Answer: C
NEW QUESTION # 146
You need to implement an encryption-at-rest strategy that protects sensitive data and reduces key management complexity for non-sensitive data. Your solution has the following requirements:
- Schedule key rotation for sensitive data.
- Control which region the encryption keys for sensitive data are stored in.
- Minimize the latency to access encryption keys for both sensitive and non-sensitive data.
What should you do?
- A. Encrypt non-sensitive data and sensitive data with Cloud External Key Manager.
- B. Encrypt non-sensitive data with Google default encryption, and encrypt sensitive data with Cloud Key Management Service.
- C. Encrypt non-sensitive data and sensitive data with Cloud Key Management Service.
- D. Encrypt non-sensitive data with Google default encryption, and encrypt sensitive data with Cloud External Key Manager.
Answer: B
Explanation:
Google uses a common cryptographic library, Tink, which incorporates its FIPS 140-2 Level 1 validated module, BoringCrypto, to implement encryption consistently across almost all Google Cloud products. To control key residency and the rotation schedule for sensitive data while keeping key management simple for the rest, use Google default encryption for non-sensitive data and encrypt sensitive data with Cloud Key Management Service.
NEW QUESTION # 147
Your security team uses encryption keys to ensure confidentiality of user data. You want to establish a process to reduce the impact of a potentially compromised symmetric encryption key in Cloud Key Management Service (Cloud KMS).
Which steps should your team take before an incident occurs? (Choose two.)
- A. Manually rotate key versions on an ad hoc schedule.
- B. Disable and revoke access to compromised keys.
- C. Enable automatic key version rotation on a regular schedule.
- D. Limit the number of messages encrypted with each key version.
- E. Disable the Cloud KMS API.
Answer: B,C
NEW QUESTION # 148
Your organization has had a few recent DDoS attacks. You need to authenticate responses to domain name lookups.
Which Google Cloud service should you use?
- A. Cloud DNS with DNSSEC
- B. HTTP(S) Load Balancing
- C. Cloud NAT
- D. Google Cloud Armor
Answer: A
NEW QUESTION # 149
Your organization wants to protect all workloads that run on Compute Engine VMs to ensure that the instances were not compromised by boot-level or kernel-level malware. Also, you need to ensure that data in use on the VM cannot be read by the underlying host system, by using a hardware-based solution.
What should you do?
- A. 1. Use Google Shielded VM, including Secure Boot, Virtual Trusted Platform Module (vTPM) and integrity monitoring. 2. Create a Cloud Run function to check the VM settings, generate metrics, and run the function regularly.
- B. 1. Activate Virtual Machine Threat Detection in Security Command Center (SCC) Premium. 2. Monitor the findings in SCC.
- C. 1. Use Google Shielded VM, including Secure Boot, Virtual Trusted Platform Module (vTPM) and integrity monitoring. 2. Activate Confidential Computing. 3. Enforce these actions by using organization policies.
- D. 1. Use secure hardened images from the Google Cloud Marketplace. 2. When deploying the images, activate the Confidential Computing option. 3. Enforce the use of the correct images and Confidential Computing by using organization policies.
Answer: C
NEW QUESTION # 150
Your team uses a service account to authenticate data transfers from a given Compute Engine virtual machine instance to a specified Cloud Storage bucket. An engineer accidentally deletes the service account, which breaks application functionality. You want to recover the application as quickly as possible without compromising security.
What should you do?
- A. Temporarily disable authentication on the Cloud Storage bucket.
- B. Update the permissions of another existing service account and supply those credentials to the applications.
- C. Create a new service account with the same name as the deleted service account.
- D. Use the undelete command to recover the deleted service account.
Answer: D
Verified & Correct Professional-Cloud-Security-Engineer Practice Test Reliable Source Dec 23, 2023 Updated: https://www.troytecdumps.com/Professional-Cloud-Security-Engineer-troytec-exam-dumps.html
Google Professional-Cloud-Security-Engineer Exam Preparation Guide and PDF Download: https://drive.google.com/open?id=1vzc1gKTTXcxLLyvEDWAz2Xbt-W_ZHm-M