Practice PCSE Managing operations in a cloud solution environment questions with full explanations on every answer.
1. A security engineer needs to investigate a potential data exfiltration incident in a Google Cloud environment. The engineer has access to Cloud Logging and wants to identify any unusual outbound network traffic from Compute Engine instances. Which log sink filter should the engineer create to capture VPC flow logs for traffic destined to an external IP address not in the internal network ranges?
2. A financial services company runs a sensitive application on Google Kubernetes Engine (GKE) with Workload Identity enabled. Security policy requires that only pods with a specific service account can access a Cloud Storage bucket containing customer data. The bucket has uniform bucket-level access enabled. What is the correct combination of IAM bindings to achieve this?
3. A security engineer is tasked with automating the remediation of non-compliant resources in a Google Cloud organization. The organization uses Organization Policy Service to enforce constraints. The engineer needs to automatically disable a specific service (e.g., Compute Engine API) for a project that violates a policy. Which Google Cloud service should be used to trigger this remediation?
4. A company is migrating to Google Cloud and wants to ensure that all service account keys are rotated automatically every 90 days. The security engineer needs to implement a solution that detects keys older than 90 days and notifies the security team. What is the most efficient way to achieve this?
5. A security engineer is configuring VPC Service Controls to protect a Google Cloud project containing sensitive data. The project uses Cloud Storage and BigQuery. The engineer wants to ensure that data cannot be exfiltrated to external IP addresses outside the perimeter, but internal users should still be able to access the data from on-premises via a VPN. Which configuration should be applied?
6. A security engineer is investigating a potential data breach in a Google Cloud environment. The engineer suspects that a compromised service account key was used to access Cloud Storage buckets. Which TWO actions should the engineer take immediately to mitigate the risk?
7. A security engineer is designing a solution to monitor and detect anomalous IAM role usage across multiple Google Cloud projects. The engineer wants to create a centralized logging solution that captures all IAM policy changes and access attempts. Which THREE services should the engineer use together to achieve this?
8. A security engineer is reviewing a log entry in Cloud Logging with the above filter. The engineer wants to understand why this specific log entry was generated. Which action most likely caused this log entry?
9. A security engineer is reviewing the IAM policy of a Cloud Storage bucket that contains sensitive data. The exhibit shows the current policy. A developer reports that they can read objects in the bucket using service account sa-2, but they cannot delete objects. What is the most likely reason?
10. A company runs a critical application on Compute Engine instances in a managed instance group (MIG) behind an external TCP/UDP Network Load Balancer. The security team requires that all traffic to the instances be inspected by a third-party next-generation firewall (NGFW) that is not yet deployed. Which architecture should the security engineer implement to meet the requirement with minimal disruption to traffic?
11. A security engineer is designing a VPC Service Controls perimeter to protect a project containing sensitive data stored in Cloud Storage and BigQuery. The perimeter currently allows access from an on-premises data center via private connectivity (Cloud Interconnect). The business requires that a third-party SaaS application (outside the perimeter) be able to write data into a specific Cloud Storage bucket. Which action should the engineer take?
12. An organization uses Cloud Audit Logs to monitor admin activity. The security team wants to be alerted when a user creates a new IAM role at the organization level. Which type of audit log should they analyze?
13. A company is migrating its on-premises Microsoft Active Directory to Google Cloud using Managed Microsoft AD (Microsoft AD). They need to ensure that users can authenticate to Compute Engine Windows instances using their on-premises credentials without additional user setup. What is the most secure and scalable approach?
14. A security engineer is troubleshooting a connectivity issue between two VPCs connected via VPC Network Peering. VPC-A (project A) has a Compute Engine instance with internal IP 10.1.0.2. VPC-B (project B) has an instance with internal IP 10.2.0.2. The engineer has verified that the peering connection is active and the firewall rules allow ingress from 10.1.0.0/16. However, the instance in VPC-B cannot ping the instance in VPC-A. What is the most likely cause?
15. A security engineer is configuring Cloud Armor to protect a global external HTTP(S) Load Balancer. Which TWO of the following are valid Cloud Armor security policies? (Choose two.)
16. An organization wants to enforce data loss prevention (DLP) for sensitive data stored in Cloud Storage. Which THREE of the following Google Cloud services can be used together to inspect, classify, and automatically redact sensitive data in Cloud Storage? (Choose three.)
17. Refer to the exhibit. A security engineer runs the command to view recent decrypt operations on a Cloud KMS key. The output shows a successful decryption. However, the engineer is concerned about the exposure of the plaintext. Based on the log entry, what is the most accurate statement regarding the visibility of the decrypted plaintext?
18. A security engineer is troubleshooting an issue where a Compute Engine VM cannot connect to a Cloud SQL instance that has a private IP address. Both resources are in the same VPC network. The VM's firewall rules allow egress to any destination, and the Cloud SQL instance's authorized networks include the VPC network. What is the most likely cause of the connection failure?
19. A company is using Cloud Armor to protect their HTTP(S) load balancer. They have configured a security policy with a rule to block traffic from a specific IP address (10.0.0.1/32). During testing, they observe that requests from that IP are still reaching the backend. What is the most likely reason?
20. A financial services company runs a PCI DSS-compliant workload on Google Cloud. They use a service account with roles/container.clusterAdmin to manage a GKE cluster. The security team has enabled Binary Authorization with a policy that requires all container images to be signed by a trusted authority. Recently, a developer reported that a new deployment failed with the error: 'Image verification failed: no signature found for digest sha256:abc...'. The image is stored in Artifact Registry and the developer built it using Cloud Build with a trigger that automatically signs images using Cloud KMS. The Cloud Build service account has roles/cloudkms.signerVerifier and roles/binaryauthorization.attestorsViewer. The Binary Authorization policy is configured to require at least one attestation from the trusted attestor. What is the most likely reason for the failure?
21. A large enterprise is migrating its on-premises Active Directory to Google Cloud using Managed Microsoft AD (Microsoft AD). They have established a VPN connection between their on-premises network and VPC. The domain controllers are fully synced, and users can authenticate from on-premises. However, applications running on Compute Engine VMs in the same VPC as Managed Microsoft AD are failing to authenticate using LDAP. The VMs are Linux-based and configured to use the Managed Microsoft AD domain for authentication via SSSD. The security team has verified that the firewall rules allow TCP/UDP 389 and 636 from the VMs to the Managed Microsoft AD IP addresses. The VMs can resolve the domain name (corp.example.com) to the correct IP of the Managed Microsoft AD domain controllers. What is the most likely cause of the authentication failure?
22. A security engineer is investigating an incident where an attacker gained access to a Compute Engine instance's serial console logs, which contained sensitive data. Which TWO actions should the engineer take to prevent this type of exposure in the future? (Choose TWO.)
23. Your organization has a multi-project environment with centralized logging in a dedicated project (logging-project). All VPC Service Controls perimeters are configured correctly. The security team needs to ensure that all audit logs from all projects are retained for 5 years and cannot be deleted or modified by any project administrator. They also want to restrict access to the logs to only the security team members (who have the 'Security Reviewer' role at the organization level). Currently, each project has its own log sink that exports to a BigQuery dataset in logging-project. The security team notices that some project administrators have inadvertently deleted logs from their project's BigQuery dataset. You need to recommend a solution that prevents log deletion and enforces the retention policy. What should you do?
24. Drag and drop the steps to set up a Cloud VPN with a static route in the correct order.
25. Drag and drop the steps to set up a binary authorization policy for a GKE cluster in the correct order.
26. Match each VPC firewall rule component to its definition.
27. Match each Security Command Center tier to its capabilities.
28. A security engineer is troubleshooting a VPC firewall rule that is not allowing traffic from a specific subnet to a Compute Engine instance. The target tag is set correctly. What is the most likely cause?
29. A company uses Cloud Armor to protect their HTTP Load Balancer. They want to block requests from a specific IP range during a DDoS attack. What is the most efficient way to implement this?
30. An organization's security policy requires that all audit logs be stored in a separate project for centralized monitoring. Which Google Cloud service should be used to aggregate logs from multiple projects?
31. A security engineer notices that a service account has been granted the 'roles/editor' role on a project. According to least privilege, what is the best course of action?
32. A company uses Cloud Functions and wants to ensure that only authorized services can invoke them. The functions are triggered via HTTP. What is the best way to achieve this?
33. During an incident, a security engineer needs to isolate a compromised Compute Engine instance for forensic analysis without losing evidence. What should they do first?
34. An organization uses Cloud VPN tunnels to connect multiple VPCs. They need to record all network metadata for compliance audits without affecting throughput. What is the most effective approach?
35. During a security incident, a security engineer needs to revoke a compromised service account's access across all resources immediately. However, the service account has many roles across different projects. What is the most effective immediate step?
36. A company uses Cloud Identity-Aware Proxy (IAP) to secure access to their web applications. They notice that some users are able to access the application even though they are not in the IAP access policy. What could be the cause?
37. A security engineer is configuring VPC Service Controls to protect a service perimeter. Which TWO conditions must be met for a request to be allowed across the perimeter? (Choose TWO.)
38. A security engineer is designing a logging and monitoring strategy to meet compliance requirements. Which THREE services should be integrated to ensure log data is tamper-proof and available for analysis? (Choose THREE.)
39. A security engineer is responding to a data breach where an attacker exfiltrated data from a Cloud Storage bucket. Which TWO steps should the engineer take to contain the breach and preserve evidence? (Choose TWO.)
40. An engineer notices that traffic on port 80 is not reaching instances with the tag 'http-server'. The instances have external IPs and are in the default VPC. What could be the reason?
41. A security engineer is reviewing an IAM policy for a Cloud Storage bucket. The engineer wants to ensure that the service account 'sa@project.iam.gserviceaccount.com' can only read objects. What is the current effective permission?
42. During an incident, a security engineer finds this audit log entry. What action was taken and by whom?
43. A company has a VPC with several subnets. They want to restrict traffic between instances in the same subnet using firewall rules while allowing traffic from a specific load balancer health check range. What is the best approach?
44. A security administrator needs to audit all changes to IAM policies across the organization. They want to detect when a policy binding is added that grants a sensitive role to a user outside the organization. What is the most efficient method?
45. A developer accidentally deleted a Cloud SQL instance. The organization has automated backups enabled. How can the DBA restore the instance?
46. A company uses Cloud Armor to protect their HTTP(S) load balancer. They want to block requests from a specific geographic region. Which TWO actions should they take? (Choose 2)
47. An organization wants to ensure that all service accounts used by Compute Engine instances have the minimal permissions required. Which TWO practices should be implemented? (Choose 2)
48. Your organization uses Cloud Key Management Service (KMS) to encrypt data at rest. You need to rotate keys automatically every 90 days. Which THREE steps are required? (Choose 3)
49. Refer to the exhibit. A VM in the default network with internal IP 10.128.0.5 is unable to reach a VM at 10.0.0.4 over TCP port 22. What is the most likely cause?
50. Refer to the exhibit. This IAM policy is applied to a Google Cloud Storage bucket. Alice reports she cannot delete objects in the bucket. Bob can delete objects. What is the most likely reason?
51. Refer to the exhibit. A user tries to create a Compute Engine instance using a custom image from another project. What is the most likely cause of the error?
52. Which service provides a centralized view of all resource configurations and IAM policies across projects?
53. A security engineer needs to ensure that all compute instances are patched with the latest security updates. What is the recommended approach?
54. An organization uses Cloud NAT to allow private instances to access the internet. They notice that some connections are failing intermittently. What is a common cause?
55. A junior developer created a service account with the roles/storage.admin role and downloaded a JSON key. What is the best practice to improve security?
56. A company has a multi-project setup with a shared VPC. They want to centrally audit all firewall rule changes. What is the most efficient way?
57. A security analyst wants to detect when a user creates a Compute Engine instance with a public IP address in a sensitive project. What is the best method?
58. A company is using Cloud Monitoring to track latency of a microservice. They notice a sudden spike in the 99th percentile latency but no change in request count. What is the most likely cause?
59. A security engineer wants to ensure that all API calls to Google Cloud services are logged for audit purposes. Which service should they enable?
60. Your organization uses Cloud Armor to protect against web attacks. After a change to the security policy, legitimate traffic from certain IPs is being blocked. You need to quickly allow that traffic while preserving the security policy. What should you do?
61. Your Cloud SQL PostgreSQL instance is experiencing high replication lag between primary and read replica. You have verified the network and instance metrics. What is a likely cause?
62. A DevOps team wants to automatically scale a managed instance group based on CPU utilization. Which metric should they use in the autoscaler?
63. A security operations team is using Cloud Audit Logs to investigate a suspicious data export from a Cloud Storage bucket. They need to see which user accessed a specific object and when. Which log type should they examine?
64. Your organization uses Cloud CDN to distribute static content. Recently, users in a specific geographic region are experiencing high latency. What is the most likely cause?
65. A Cloud Function is timing out. What is the maximum timeout for a Cloud Function (1st gen)?
66. A company is using Cloud Composer (Airflow) to orchestrate data pipelines. A DAG is failing with a 'Task received SIGTERM' error. What is the most likely cause?
67. Which TWO actions should you take to reduce the attack surface of a Compute Engine VM? (Choose 2.)
68. Which TWO techniques can be used to secure a Cloud Storage bucket containing sensitive data? (Choose 2.)
69. Which THREE components are customer responsibilities under the Google Cloud Shared Responsibility Model for IaaS? (Choose 3.)
70. A company is experiencing high latency on their HTTPS Load Balancer. Which action is most likely to resolve the issue?
71. A company needs to isolate development and production workloads within the same Google Cloud organization. Each environment must have its own VPC network, but they must share a common set of network security policies. Which design meets these requirements?
72. A security team needs to centrally manage secrets for multiple Google Cloud projects. Which solution should they use?
73. Users are reporting 502 Bad Gateway errors when accessing an application behind an external HTTPS Load Balancer. What is the most likely cause?
74. A global company must store customer data in a specific geographic region to comply with data residency regulations. The database needs strong transactional consistency and low-latency reads worldwide. Which database solution should they choose?
75. A company runs a batch processing workload on Compute Engine VMs for 6 months. They want to reduce costs without sacrificing performance. Which option should they implement?
76. A Cloud Function that processes financial data is timing out after 60 seconds. The function performs complex calculations and cannot be decomposed further. What is the best solution?
77. A company requires a secure, dedicated connection between their on-premises data center and Google Cloud with bandwidth of 10 Gbps and a 99.99% SLA. Which connectivity option should they use?
78. A DevOps team wants to centralize logging and monitoring for a GKE cluster that runs hundreds of microservices. They need to view logs, metrics, and traces in a single dashboard. Which approach should they use?
79. Which TWO Google Cloud services are serverless compute platforms that let you run code without managing servers?
80. Which THREE steps are most effective for troubleshooting a VPC firewall rule issue where desired traffic is being blocked?
81. Which TWO are benefits of using Cloud Armor with a global external HTTPS Load Balancer?
82. Refer to the exhibit. A developer working from a workstation with IP 203.0.113.5 cannot SSH to a VM in the my-vpc network. Which firewall rule is most likely blocking the connection?
83. Refer to the exhibit. A user jane@example.com receives a 403 Access Denied error when trying to list objects in a Cloud Storage bucket. What is the most likely cause?
84. Refer to the exhibit. A Cloud Run service fails to start and shows the above error. What is the most likely cause?
85. A company uses Cloud Monitoring to track latency on their Compute Engine instances. They notice a spike in latency every day at 2:00 PM. The operations team wants to automate the creation of a support ticket when this spike occurs. What should they do?
86. A security administrator needs to ensure that all service account keys older than 90 days are automatically disabled to reduce the risk of key compromise. Which Google Cloud service should be used to implement this policy?
87. A company wants to monitor for suspicious login attempts across all their Google Cloud projects. They want to send a real-time Slack notification when a login fails from an IP address outside their corporate CIDR range. What is the most efficient way to achieve this?
88. An organization has hundreds of Google Cloud projects and wants to enforce a uniform firewall rule that blocks outbound traffic to known malicious IP addresses. They want to centrally manage this rule without manually applying it to each VPC. What should they do?
89. A security engineer receives an alert from Cloud Security Command Center (Cloud SCC) about a resource that is publicly accessible. The engineer identifies that the resource is a Cloud Storage bucket containing sensitive data. After making the bucket private, what is the next best step to prevent recurrence?
90. A company uses Cloud SQL for PostgreSQL and needs to ensure that database backups are retained for 30 days for compliance. They also want to be able to perform point-in-time recovery for the last 24 hours. What configuration should they use?
91. A large enterprise has a security command center that uses SIEM to analyze logs. They are migrating to Google Cloud and want to export all Cloud Audit Logs (Admin Activity, Data Access, and System Events) from all projects into a centralized BigQuery dataset for analysis. They also need to ensure logs are available within 5 minutes of being generated. Which sink configuration should they use?
92. A company uses a multi-region Cloud Storage bucket for disaster recovery of critical data. They want to prevent accidental deletion of objects by requiring that objects be retained for at least 7 days after creation, and any attempt to delete or overwrite an object during that period must fail. Which configuration meets these requirements?
93. During a security incident, the forensic team needs to capture the memory and disk state of a compromised Compute Engine VM without shutting it down. The VM is running a critical application and cannot be stopped. What is the best approach to gather forensic data?
94. Which TWO of the following are valid methods to automate responses to Cloud Security Command Center findings?
95. Which THREE of the following are recommended practices for managing secrets in Google Cloud?
96. Which TWO of the following are true regarding Cloud Audit Logs?
97. A small startup recently moved their infrastructure to Google Cloud. They have a single project with a few Compute Engine instances running a web application. The security team wants to ensure that all SSH access to the instances is audited and that any failed SSH attempts are alerted in real time. They have enabled OS Login and are using Cloud Identity-Aware Proxy (IAP) for SSH access. However, they are not sure how to capture the audit logs for SSH sessions. What should they do?
98. A multinational corporation operates multiple Google Cloud projects across several folders. They have a security requirement to enforce that all Cloud Storage buckets are created with uniform bucket-level access enabled and that no bucket has public access. They want to automatically remediate any non-compliant bucket that violates these policies. Currently, they use Organization Policies to enforce uniform bucket-level access, but they still find some buckets with public access due to exceptions. They have Cloud Security Command Center (Cloud SCC) enabled and receive findings about public buckets. The operations team wants to build a solution that automatically disables public access on non-compliant buckets. Which approach should they take?
99. A large financial institution runs a critical application on Google Kubernetes Engine (GKE) clusters. Their security policy requires that all container images must be scanned for vulnerabilities and must come from a trusted artifact registry. They use Cloud Build to automatically build images from a CI/CD pipeline and push them to Artifact Registry. They want to enforce that only images that have passed vulnerability scanning and are signed can be deployed to the GKE cluster. Currently, they have set up Cloud Build to automatically tag images with a 'latest' tag on successful build, but they need a mechanism to prevent deployment of unsigned or vulnerable images. They also want to audit any attempts to deploy non-compliant images. What should they do?
100. A company is using Cloud SQL for MySQL in production. They notice that during peak hours, query latency increases significantly. The database is running on a db-n1-standard-2 instance with 100GB SSD. The CPU utilization spikes to 95% during peaks. The application uses connection pooling. Which action should the company take to improve performance while minimizing cost?
101. A company is implementing a zero-trust network architecture on Google Cloud. They want to ensure that all traffic between their on-premises data center and Google Cloud is encrypted and authenticated. Additionally, they need to support high availability across multiple regions. Which two Google Cloud services should they use? (Choose two.)
102. A company uses Cloud Storage buckets to store customer uploads. Recently, a customer reported that a file they uploaded yesterday is missing. The bucket has object versioning enabled. The security team wants to investigate how the file went missing and whether any other files have been affected. The company's compliance requirements mandate that all object deletions must be logged and reviewed. What should the admin do first to investigate the missing file?
103. A startup is deploying a containerized application on Google Kubernetes Engine (GKE). The application is stateless and experiences variable traffic patterns, with periodic spikes during promotional events. The startup wants to minimize costs while ensuring the application can handle the variable load without performance degradation. They also prefer to automate scaling as much as possible. Which GKE configuration should they choose?
104. A company runs a multi-tier application on Compute Engine behind an external HTTP(S) Load Balancer. The backend consists of a managed instance group for the application tier and a Cloud Storage bucket for static assets. During peak traffic, some users receive HTTP 503 errors. The backend instances are healthy and the load balancer shows no connection errors. The company has already enabled Cloud CDN for the backend bucket. What should they do to resolve the 503 errors?
105. A financial firm uses Cloud Deployment Manager to manage their Google Cloud infrastructure. They have a strict change management policy requiring that all infrastructure changes in the production environment must be reviewed and approved by a senior engineer before being applied. Currently, developers can modify the Deployment Manager configurations directly, leading to unapproved changes. The company wants to enforce this policy without impacting development agility. What should they implement?
106. A large enterprise runs a streaming data pipeline using Dataflow to process events from Pub/Sub, apply aggregations with fixed windows, and write results to BigQuery. They are experiencing high costs and long processing times. The Dataflow job uses Streaming Engine, but the workers show high CPU utilization. The pipeline has autoscaling enabled, but the number of workers rarely increases. The team wants to reduce processing time and cost. What should they do?
107. A company is using Cloud Run for a containerized application. They notice increased latency during peak hours. The operations team wants to identify the root cause. Which two steps should they take?
108. Refer to the exhibit. An operations engineer configured this alert policy to notify when any VM instance in project my-project has high CPU utilization. However, no notifications are received even when CPU is consistently above 90% on multiple instances in us-central1-a. What is the most likely cause?
109. Your company runs a production application on Google Kubernetes Engine (GKE) with a Regional cluster. The application uses a custom domain with TLS certificates that are stored as Kubernetes secrets and mounted into the ingress. The certificates expire every 90 days and are currently renewed manually by a DevOps engineer. Last week, the certificate expired, causing an outage until it was renewed. Management requires an automated solution to renew certificates before expiration. The team wants to minimize changes to the existing architecture and avoid additional costs. What should you do?
The Managing operations in a cloud solution environment domain covers the key concepts tested in this area of the PCSE exam blueprint published by Google Cloud. Courseiva provides free domain-focused practice, mock exams, missed-question review, and readiness tracking across all PCSE domains — no account required.
The Courseiva PCSE question bank contains 109 questions in the Managing operations in a cloud solution environment domain. Click any question to see the full explanation and answer breakdown.
Start with a 10-question focused session to identify your baseline accuracy in this domain. Read every explanation — even for questions you answer correctly — to understand the reasoning. Once you score consistently above 80%, move to a 20–30 question session to confirm depth before moving to the next domain.