Online Access Free Google.Professional-Cloud-Security-Engineer.v2023-10-27.q86 Practice Test (Page 6)

Professional-Cloud-Security-Engineer Exam Question 21

You define central security controls in your Google Cloud environment for one of the folders in your organization you set an organizational policy to deny the assignment of external IP addresses to VMs. Two days later you receive an alert about a new VM with an external IP address under that folder.
What could have caused this alert?

A.The VM was created with a static external IP address that was reserved in the project before the organizational policy rule was set.

B.At project level, the organizational policy control has been overwritten with an 'allow' value.

C.The policy constraint on the folder level does not have any effect because of an allow" value for that constraint on the organizational level.

D.The organizational policy constraint wasn't properly enforced and is running in "dry run mode.

Professional-Cloud-Security-Engineer Exam Question 22

Your team needs to make sure that a Compute Engine instance does not have access to the internet or to any Google APIs or services.
Which two settings must remain disabled to meet these requirements? (Choose two.)

A.IAM Network User Role

B.Private Google Access

C.Static routes

D.Public IP

E.IP Forwarding

Professional-Cloud-Security-Engineer Exam Question 23

You need to set up a Cloud interconnect connection between your company's on-premises data center and VPC host network. You want to make sure that on-premises applications can only access Google APIs over the Cloud Interconnect and not through the public internet. You are required to only use APIs that are supported by VPC Service Controls to mitigate against exfiltration risk to non-supported APIs. How should you configure the network?

A.Enable Private Google Access on the regional subnets and global dynamic routing mode.

B.Set up a Private Service Connect endpoint IP address with the API bundle of "all-apis", which is advertised as a route over the Cloud interconnect connection.

C.Use private.googleapis.com to access Google APIs using a set of IP addresses only routable from within Google Cloud, which are advertised as routes over the connection.

D.Use restricted googleapis.com to access Google APIs using a set of IP addresses only routable from within Google Cloud, which are advertised as routes over the Cloud Interconnect connection.

Professional-Cloud-Security-Engineer Exam Question 24

You have created an OS image that is hardened per your organization's security standards and is being stored in a project managed by the security team. As a Google Cloud administrator, you need to make sure all VMs in your Google Cloud organization can only use that specific OS image while minimizing operational overhead. What should you do? (Choose two.)

A.Grant users the compuce.imageUser role in their own projects.

B.Grant users the compuce.imageUser role in the OS image project.

C.Store the image in every project that is spun up in your organization.

D.Set up an image access organization policy constraint, and list the security team managed project in the projects allow list.

E.Remove VM instance creation permission from users of the projects, and only allow you and your team to create VM instances.

Professional-Cloud-Security-Engineer Exam Question 25

Your team needs to obtain a unified log view of all development cloud projects in your SIEM. The development projects are under the NONPROD organization folder with the test and pre-production projects. The development projects share the ABC-BILLING billing account with the rest of the organization.
Which logging export strategy should you use to meet the requirements?

A.1. Export logs to a Cloud Pub/Sub topic with folders/NONPROD parent and includeChildren property set to True in a dedicated SIEM project.
2. Subscribe SIEM to the topic.

B.1. Create a Cloud Storage sink with billingAccounts/ABC-BILLING parent and includeChildren property set to False in a dedicated SIEM project.
2. Process Cloud Storage objects in SIEM.

C.1. Export logs in each dev project to a Cloud Pub/Sub topic in a dedicated SIEM project.
2. Subscribe SIEM to the topic.

D.1. Create a Cloud Storage sink with a publicly shared Cloud Storage bucket in each project.
2. Process Cloud Storage objects in SIEM.

Other Version: 562Google.Professional-Cloud-Security-Engineer.v2026-02-09.q123; 769Google.Professional-Cloud-Security-Engineer.v2025-12-26.q111; 1230Google.Professional-Cloud-Security-Engineer.v2024-11-26.q142; 1310Google.Professional-Cloud-Security-Engineer.v2023-03-25.q71; 1097Google.Professional-Cloud-Security-Engineer.v2023-03-10.q59; 103Google.Actualtests4sure.Professional-Cloud-Security-Engineer.v2022-05-23.by.clare.108q.pdf; 2517Google.Professional-Cloud-Security-Engineer.v2022-05-10.q108; 3010Google.Professional-Cloud-Security-Engineer.v2021-10-23.q83; 134Google.Ipassleader.Professional-Cloud-Security-Engineer.v2021-09-16.by.winston.77q.pdf

Latest Upload: 160CompTIA.220-1202.v2026-06-16.q110; 111TheInstitutes.CPCU-500.v2026-06-16.q25; 155ACAMS.CAMS7-CN.v2026-06-16.q170; 182CBIC.CIC.v2026-06-15.q123; 127Peoplecert.ITIL-4-Specialist-High-velocity-IT.v2026-06-15.q16; 220HashiCorp.Terraform-Associate-004.v2026-06-15.q126; 130Peoplecert.ITILFNDv5.v2026-06-15.q26; 128Workday.Workday-Pro-HCM-Reporting.v2026-06-15.q28; 129Fortinet.NSE5_SSE_AD-7.6.v2026-06-15.q17; 323PMI.PMI-ACP.v2026-06-15.q523

Professional-Cloud-Security-Engineer Exam Question 21

Professional-Cloud-Security-Engineer Exam Question 22

Professional-Cloud-Security-Engineer Exam Question 23

Professional-Cloud-Security-Engineer Exam Question 24

Professional-Cloud-Security-Engineer Exam Question 25

Download PDF File