01. Your company is deploying its applications on Google Kubernetes Engine. You want to follow Google-recommended practices. What should you do to ensure that the container images used for new deployments contain the latest security patches?
a) Use an update script as part of every container image startup.
b) Use Container Analysis to detect vulnerabilities in images.
c) Use Google-managed base images for all containers.
d) Use exclusively private images in Container Registry.
02. A retail company is moving its e-commerce site, including its point-of-sale application, to Google Cloud. Which compliance standard must the company meet?
a) FedRAMP High
b) HIPAA
c) SOX
d) PCI DSS
03. You are responsible for implementing a payment processing environment that will use Google Kubernetes Engine and need to apply proper security controls. What should you do?
a) Require file integrity monitoring and antivirus scans of pods and nodes.
b) Activate a firewall to prevent all egress traffic.
c) Establish minimum password length requirements for all systems.
d) Implement and enforce two-factor authentication.
04. A cloud customer has an on-premises key management system and wants to generate, protect, rotate, and audit encryption keys with it. How can the customer use Cloud Storage with their own encryption keys?
a) Declare usage of default encryption at rest in the audit report on compliance.
b) Upload encryption keys to the same Cloud Storage bucket.
c) Use Customer-Supplied Encryption Keys (CSEK).
d) Use Customer Managed Encryption Keys (CMEK).
05. You want to protect the default VPC network from all inbound and outbound internet traffic. What action should you take?
a) Create a Deny All inbound internet firewall rule.
b) Create a Deny All outbound internet firewall rule.
c) Create a new subnet in the VPC network with Private Google Access enabled.
d) Create instances without external IP addresses only.
06. Which encryption algorithm is used with Default Encryption in Cloud Storage?
a) AES-256
b) SHA512
c) MD5
d) 3DES
07. Your customer is moving their corporate applications to Google Cloud. The security team wants detailed visibility of all resources in the organization. You use Resource Manager to set yourself up as the org admin.
What Cloud Identity and Access Management (Cloud IAM) roles should you give to the security team?
a) Org viewer, Project owner
b) Org admin, Project browser
c) Org viewer, Project viewer
d) Project owner, Network admin
08. A customer wants to grant access to their application running on Compute Engine to write only to a specific Cloud Storage bucket. How should you grant access?
a) Create a service account for the application, and grant the Storage Object Creator role at the project level.
b) Create a service account for the application, and grant the Storage Object Creator role at the bucket level.
c) Create a user account, authenticate with the application, and grant the Storage Object Admin role at the bucket level.
d) Create a user account, authenticate with the application, and grant the Storage Object Admin role at the project level.
09. You have defined subnets in a VPC within Google Cloud. You need multiple projects to create Compute Engine instances with IP addresses from these subnets. What should you do?
a) Configure Cloud VPN between the projects.
b) Set up VPC peering between all related projects.
c) Change the VPC subnets to enable Private Google Access.
d) Use Shared VPC to share the subnets with the other projects.
10. An application log’s data, including customer identifiers such as email addresses, needs to be redacted. However, these logs also include the email addresses of internal developers from company.com, and these should NOT be redacted. Which solution should you use to meet these requirements?
a) Create a regular expression (regex) custom infoType detector to match on @company.com.
b) Create a regular custom dictionary detector that lists a subset of the developers' email addresses.
c) Create a regular custom dictionary detector to match all email addresses listed in Cloud Identity.
d) Create a custom infoType called COMPANY_EMAIL to match @company.com.