Courseiva is a free IT certification practice platform offering original exam-style practice questions, detailed explanations, topic-based practice, mock exams, readiness tracking, and study analytics for Cisco, CompTIA, Microsoft, AWS, and other technology certifications.

© 2026 Courseiva. Courseiva is operated by JTNetSolutions Ltd. All rights reserved.

Courseiva is an independent certification practice platform and is not affiliated with, endorsed by, or sponsored by Cisco, Microsoft, AWS, CompTIA, Google, ISC2, ISACA, or any other certification vendor. Vendor names and certification marks are used only to identify the exams learners are preparing for.

Configuring Access Within a Cloud Solution Environment

Practice PCSE Configuring Access Within a Cloud Solution Environment questions with full explanations on every answer.

135 questions

PCSE Domains

Configuring Access Within a Cloud Solution Environment
Ensuring Data Protection
Managing Operations in a Cloud Solution Environment
Configuring Network Security
Supporting Compliance Requirements

All PCSE Configuring Access Within a Cloud Solution Environment questions (135)

1

A security engineer needs to prevent users from creating service account keys in a Google Cloud project. The solution must be enforceable across all projects in the organization and should not block other IAM operations. Which approach should they use?

2

An organization uses Active Directory (AD) on-premises and wants to synchronize user accounts and groups to Google Cloud Identity for SSO with SAML 2.0. The AD contains 50,000 users and 10,000 groups. The solution must support automatic provisioning and deprovisioning of users. Which tool should they use?

3

A developer wants to grant a Compute Engine instance access to read objects from a Cloud Storage bucket. The instance runs under a service account. What is the best practice for granting this access?

4

A company has multiple Google Cloud projects organized under folders by department. The security team wants to enforce a policy that all Compute Engine instances must use Shielded VM features. They need to prevent non-compliant instances from being created. Which action should be taken to enforce this requirement most effectively?

5

What is the purpose of Identity-Aware Proxy (IAP) on Google Cloud?

6

A DevOps team uses GitHub Actions to deploy infrastructure to Google Cloud. They want to avoid storing long-lived service account keys. Which approach should they use to authenticate from GitHub Actions to Google Cloud?

7

An organization has set up IAP to protect a web application running on Compute Engine. The application needs to know the authenticated user's email address for logging. How can the application securely obtain this information?

8

A security engineer wants to ensure that only users from a specific external identity provider (IdP) domain (example.com) can access Google Cloud resources. They have configured SAML SSO with the IdP. However, users from other domains are also able to access resources. What is the most effective way to restrict access to only users from example.com?

9

A company wants to use Google Cloud resources but does not have a Google Workspace or Cloud Identity account. They want to manage identities for their users without paying for additional licenses. What is the most cost-effective identity solution?

10

A developer needs to create a custom IAM role that allows only a specific set of permissions for managing Cloud SQL instances. The role should be available at the organization level. Which command should they use?

11

A company has a GKE cluster with a Kubernetes Service Account (KSA) that needs to access Cloud Storage. They want to bind the KSA to a Google Cloud service account (GCP SA) so that pods running under the KSA inherit the GCP SA's permissions. They have enabled Workload Identity on the cluster. What is the correct step to bind the KSA to the GCP SA?

12

A security administrator wants to prevent users from disabling Shielded VM on existing Compute Engine instances. Which IAM permission should they deny?

13

A company uses Google Cloud Directory Sync (GCDS) to synchronize users from an on-premises Active Directory to Cloud Identity. The security team wants to ensure that only synchronized users can access Google Cloud resources. Which TWO actions are part of a secure configuration? (Choose two.)

14

A financial services company is migrating to Google Cloud and needs to enforce strict security controls. They want to ensure that: 1) No service account keys are created. 2) All Compute Engine instances must be created with Shielded VM enabled. 3) Only users from the corporate domain (example.com) can be granted IAM roles. Which THREE Organization Policy constraints must be used? (Choose three.)

15

A cloud architect is designing a multi-project environment in Google Cloud. They want to ensure that a specific folder-level IAM policy cannot be overridden by project-level policies. Which TWO statements about IAM policy inheritance and deny policies are correct? (Choose two.)

16

A security engineer wants to ensure that all Compute Engine VMs in an organization use Shielded VM features. The organization uses Cloud Identity as the identity provider. What is the most efficient way to enforce this requirement?

17

A development team needs to grant a third-party auditor read-only access to a specific project's resources but must not allow the auditor to view any data stored in Cloud Storage buckets. Which IAM approach should be used?

18

An organization uses Google Workspace for email and collaboration. They want to allow employees to sign in to a custom web application using their Google Workspace credentials. The application runs on Compute Engine and uses a PostgreSQL database. Which identity solution should they implement?

19

A company runs a batch job on Compute Engine that processes sensitive data. The job uses a service account with a JSON key file stored on the VM. A security audit recommends removing long-lived keys. The job must run unattended. What is the best alternative?

20

A company wants to allow an external auditor to view all IAM policies in a project but not modify them. The auditor's Google account is from a different domain. Which IAM role should be assigned?

21

Which of the following is a key advantage of using Workload Identity Federation over service account keys for authenticating workloads running on AWS?

22

A DevOps engineer needs to create a custom IAM role that allows creating and deleting Compute Engine instances but not stopping or starting them. Which permissions should be included?

23

An organization has multiple GCP projects under a folder. They want to prevent all users from creating service account keys in any project under that folder. They also want to allow exceptions for a specific project where key creation is needed. Which approach should they take?

24

Which of the following is true about IAM deny policies?

25

A company uses Cloud Identity to manage users and groups. They want to synchronize users from their on-premises Active Directory to Cloud Identity. Which tool should they use?

26

A GKE cluster runs workloads that need to access Cloud Storage. The security team wants to avoid using service account keys and ensure each pod has a unique identity. What is the best practice?

27

An organization wants to allow users to access a web application running on Compute Engine via HTTPS. The application requires users to authenticate with their corporate credentials (SAML 2.0 IdP). Which Google Cloud service should be used?

28

A company wants to enforce that only users from a specific domain (example.com) can be granted IAM roles on any resource in their organization. Which two steps are required? (Choose two.)

29

A security engineer needs to ensure that all Compute Engine instances in an organization are created with specific CMEK (Customer-Managed Encryption Key) for disk encryption. The engineer wants to enforce this at the organization level. Which three actions are required? (Choose three.)

30

A developer wants to allow a CI/CD pipeline running on GitHub Actions to deploy resources to a GCP project without using service account keys. Which two components are needed? (Choose two.)

31

A security engineer is configuring access for a new team member who needs to manage Cloud Storage buckets, but should not be able to delete or modify existing objects. Which IAM role should be assigned?

32

An organization uses Cloud Identity with a third-party IdP via SAML 2.0. A security engineer needs to enforce that all Google Cloud access requires multi-factor authentication (MFA) from the IdP. What is the recommended approach?

33

A company has multiple projects under an organization node. A security engineer needs to deny all principals in the organization from creating service account keys, except for a specific project where it must be allowed. Which approach should be used?

34

A developer wants to run a containerized application on GKE that needs to read from a Cloud Storage bucket. The developer needs to securely provide credentials. What is the recommended approach?

35

An organization needs to grant a contractor access to a specific project for 30 days, with the ability to start and stop Compute Engine instances but not delete them. Which IAM role should be used?

36

A company uses SAML 2.0 federation with an external IdP. Users are synced from Active Directory to Cloud Identity using Google Cloud Directory Sync (GCDS). The security engineer needs to ensure that only users from a specific Active Directory group can access Google Cloud resources. What should be configured?

37

A security engineer needs to grant a DevOps team the ability to deploy and manage Cloud Run services, but they should not be able to modify IAM policies or delete the service. Which predefined role should be assigned?

38

An application running on Compute Engine needs to authenticate to Google Cloud APIs. The security engineer wants to avoid managing keys. What is the recommended method?

39

A company needs to allow developers to create and manage custom IAM roles at the project level, but restrict the permissions that can be added to those roles to a predefined list. What should be used?

40

A security engineer needs to configure Identity-Aware Proxy (IAP) for a web application running on Compute Engine. The goal is to ensure that only authenticated users from the corporate domain can access the application. What is the first step in the configuration?

41

A security engineer is configuring access for a service account used by a batch job that runs on Compute Engine. The job needs to read from a BigQuery dataset and write results to Cloud Storage. What is the recommended way to grant these permissions?

42

An organization wants to enforce that all new projects automatically have a specific set of IAM roles assigned to a security group. What is the best way to achieve this?

43

A security engineer is designing access control for a multi-project environment. The engineer needs to ensure that a data science team can read data from a BigQuery dataset in Project A and write results to a Cloud Storage bucket in Project B. The team members are authenticated via an external SAML IdP. Which TWO steps should be taken? (Choose 2 correct answers)

44

A company is using GKE with Workload Identity to allow pods to access Google Cloud services. A security engineer needs to restrict a specific pod to only read from a single Cloud Storage bucket. Which THREE steps should be taken? (Choose 3 correct answers)

45

A security engineer needs to ensure that no one in the organization can disable or delete Cloud Key Management Service (Cloud KMS) keys, except for a designated security team. Which TWO approaches should be combined? (Choose 2 correct answers)

46

A security engineer wants to ensure that no IAM keys are created for service accounts in a Google Cloud organization. Which organization policy constraint should be applied?

47

An organization uses Azure Active Directory as its identity provider. They want to allow employees to access Google Cloud resources using their Azure credentials without provisioning Google Cloud user accounts. Which solution should they implement?

48

A developer needs to deploy an application on Compute Engine that reads from a Cloud Storage bucket. The engineer wants to avoid managing service account keys. What is the recommended approach to grant the necessary permissions?

49

A company has a Google Cloud organization with multiple folders representing departments. The security team wants to enforce that all Compute Engine VMs in the organization must have Shielded VM enabled. Which approach should the team use to enforce this requirement?

50

A DevOps engineer wants to allow a CI/CD pipeline running in GitHub Actions to deploy resources to a Google Cloud project without using long-lived service account keys. What should the engineer implement?

51

Which IAM role should be assigned to a user who needs to manage, but not create or delete, Cloud Storage buckets and objects in a specific project?

52

An organization uses Cloud Identity with Google Workspace. They want to grant a group of external auditors read-only access to a specific folder in Google Cloud. The auditors have accounts in the organization's Cloud Identity domain. What is the most efficient way to grant this access?

53

A company has a Kubernetes cluster on GKE that runs a microservice. The microservice needs to read from a Cloud Spanner database. The security team requires that the microservice uses the principle of least privilege and that credentials are never stored as Kubernetes secrets. What is the recommended configuration?

54

A company wants to allow users to access an internal web application running on Compute Engine behind a load balancer without requiring a VPN. The solution must authenticate users and enforce access based on user identity and context (e.g., device security). Which Google Cloud service should they use?

55

A project manager needs to create custom IAM roles for a project. At which levels in the resource hierarchy can custom roles be defined?

56

A company has an organization policy that denies the use of certain GCP services unless the project is in a specific folder. The DevOps team wants to create a new project in that folder. However, the project creation fails. What is the most likely cause?

57

A security engineer notices that a service account has been assigned the roles/iam.serviceAccountUser role at the project level. What actions can a user with this role perform?

58

A company has multiple Google Cloud projects under an organization. They want to ensure that only service accounts from their own Cloud Identity domain (example.com) can be used in IAM policies. Which TWO steps should they take? (Choose 2)

59

An organization has a requirement that all service account keys must be rotated every 90 days. The security engineer wants to automate the detection of keys older than 90 days. Which TWO methods can achieve this? (Choose 2)

60

A company wants to implement single sign-on (SSO) for its employees to access the Google Cloud Console using their existing corporate credentials from an on-premises Active Directory. Which THREE components are required? (Choose 3)

61

An organization has multiple GCP projects managed through folders in the resource hierarchy. They want to enforce a policy that prohibits the creation of service account keys across all projects. Which approach should be used?

62

A security engineer needs to grant a team the ability to impersonate a service account (SA) in project B from a Compute Engine instance in project A. The SA in project B has the required permissions to access Cloud Storage. What IAM configuration is required?

63

A company uses Active Directory (AD) on-premises and wants to synchronize user accounts to Google Cloud Identity for SSO with SAML 2.0. They require automatic user provisioning and de-provisioning. Which Google Cloud tool should they use?

64

A developer is running a batch job on Compute Engine that needs to read data from Cloud Storage. What is the recommended way to authenticate the VM to Cloud Storage without managing keys?

65

An organization wants to allow an external identity provider (IdP) that supports OpenID Connect (OIDC) to access GCP resources. They want to avoid creating and managing service account keys. What should they use?

66

A Google Kubernetes Engine (GKE) cluster has applications that need to access Cloud Storage. The security team wants to grant fine-grained access per pod. What is the recommended approach?

67

An organization uses Cloud Identity to manage users and groups. They want to enforce that only users from their corporate domain (example.com) can be granted IAM roles on GCP resources. Which organization policy constraint should they use?

68

What is the purpose of Identity-Aware Proxy (IAP) in Google Cloud?

69

An engineer needs to grant a group of external auditors read-only access to all resources in a specific project. The auditors authenticate via an external SAML 2.0 IdP. What is the most secure and efficient way to set this up?

70

A company wants to allow an application running on an on-premises server to access Cloud Storage without using long-lived service account keys. The on-premises environment uses Azure Active Directory (Azure AD) as its identity provider. Which GCP feature should they use?

71

Which IAM role type is recommended for granting fine-grained permissions to Google Cloud services in production?

72

An organization has a folder-level organization policy that enforces 'constraints/compute.requireShieldedVm'. A development team wants to create a test VM that does not use Shielded VM features. What is the correct approach?

73

A company uses Active Directory (AD) on-premises and wants to implement SSO for Google Cloud Console access. They want to maintain user lifecycle management (create/disable accounts) from AD. Which TWO components are required?

74

A security administrator needs to deploy a solution that allows a group of developers to access a web application running on Compute Engine behind an internal HTTP load balancer. The solution must enforce access based on user identity and device security status, and must not expose the application to the public internet. Which THREE components are required?

75

A company wants to enforce that no service account keys are created for service accounts in a specific project. Additionally, they want to allow only users from their corporate domain (example.com) to be granted IAM roles. Which TWO organization policy constraints should they apply at the project level?

76

An organization wants to grant a team of data analysts the ability to run BigQuery queries and create datasets, but prevent them from deleting datasets or modifying IAM policies. Which predefined IAM role should be assigned?

77

A company has multiple GCP projects managed under a single organization node. They want to enforce that all Compute Engine VMs are created with Shielded VM features enabled. Which approach should they use?

78

A security team needs to allow a third-party application running on AWS to access a Cloud Storage bucket without using service account keys. The application already uses AWS IAM roles. Which Google Cloud feature should they use?

79

A developer is troubleshooting a Cloud Run service that needs to read from a Cloud Storage bucket. The service runs as the Compute Engine default service account. The service account has been granted the Storage Object Viewer role at the project level, but the service still gets permission denied errors. What is the most likely cause?

80

An organization wants to allow users to authenticate to Google Cloud using their existing Active Directory credentials via SAML 2.0. Which Google Cloud identity service should they configure?

81

A company has a security policy that service account keys should not be created. They want to prevent anyone from creating keys for any service account in the organization. Which organization policy constraint should they use?

82

A GKE cluster has Workload Identity enabled. A Kubernetes service account is bound to a GCP service account named 'sa-gcs'. A pod using the Kubernetes service account fails to list objects in a Cloud Storage bucket. The GCP service account has the Storage Object Viewer role. What is the most likely cause?

83

An administrator needs to grant a network team the ability to create and manage firewall rules, but not delete VPC networks. Which IAM role should be assigned?

84

A company wants to grant a group of external auditors read-only access to all resources in a GCP project. The auditors authenticate via a SAML 2.0 identity provider. What is the most secure way to grant access?

85

An organization has a deny policy that denies the compute.instances.create permission for all principals on a folder. A user is granted the Compute Admin role (which includes compute.instances.create) at the project level within that folder. Can the user create Compute Engine instances in that project?

86

A company wants to allow their employees to access an internal web application running on Compute Engine using Identity-Aware Proxy (IAP). They want to ensure that only users from their corporate domain (example.com) can access the app. What is the recommended approach?

87

A developer wants to grant a service account the ability to impersonate another service account in a different project. Which IAM permission is required for the developer to assign?

88

A company wants to enforce that all Compute Engine instances are created with a specific set of tags for compliance. They also want to audit any changes to firewall rules. Which two Google Cloud services or features should they use? (Choose TWO.)

89

A security administrator needs to grant a team of developers the ability to deploy applications to a GKE cluster, but only to specific namespaces. The developers should not be able to modify cluster-level resources or IAM policies. Which three steps should the administrator take? (Choose THREE.)

90

A company wants to implement a zero-trust access model for SSH access to Compute Engine instances. They need to ensure that only authorized users can connect and that all connections are logged. Which two services should they use? (Choose TWO.)

91

An organization wants to grant a DevOps team the ability to create and manage service accounts in a specific project, but prevent them from deleting existing service accounts or managing IAM policies. Which IAM role should be assigned to the team?

92

A security engineer needs to prevent creation of long-lived service account keys across all projects in an organization. The solution should also block any existing keys older than 90 days. Which approach meets these requirements?

93

A developer needs to deploy a web application on Compute Engine that must access Cloud Storage buckets. The best practice for providing credentials to the VM is to:

94

A company uses Google Workspace and wants to allow users to authenticate to a third-party SaaS application using their Google credentials. The SaaS application supports SAML 2.0. What should the administrator configure?

95

An organization has a deny policy at the folder level that denies the permission resourcemanager.projects.create. A user has an allow policy at the project level granting roles/owner. What is the effective permission for the user to create projects in that project?

96

Which of the following is a benefit of using organization policies over IAM policies for enforcing restrictions on resources?

97

A company wants to provide their employees access to a web application running on Compute Engine without exposing the VM to the public internet. The application uses a custom header to verify the user's identity. Which service should they use?

98

An administrator needs to restrict which external identities can be used to access Google Cloud resources. The organization uses SAML federation with an external identity provider. Which organization policy constraint should be used?

99

An organization wants to grant a CI/CD pipeline (running on GitHub Actions) access to deploy resources in a GCP project without storing long-lived service account keys. Which approach is recommended?

100

In the Google Cloud IAM resource hierarchy, which level supports the most granular policy attachment?

101

A security team wants to enforce that all Compute Engine instances in the organization use Shielded VM features (Secure Boot, vTPM, Integrity Monitoring). What should they configure?

102

A user in a Google Cloud organization wants to create a custom IAM role at the project level. Which permission is required to create custom roles?

103

A company wants to allow their on-premises Active Directory users to access Google Cloud resources using their existing credentials. They need to synchronize user accounts and groups to Google Cloud Directory and enable federated authentication. Which TWO services should they use?

104

A security engineer needs to ensure that service account keys are not used in production workloads. They want to enforce this across the entire organization. Which TWO controls should they implement?

105

A company wants to deploy a containerized application on GKE that needs to access Cloud SQL. They want to avoid storing database credentials in the application. Which THREE components should they use?

106

A security engineer needs to ensure that a specific Compute Engine instance can only be accessed via HTTPS from users authenticated through Cloud Identity. The instance is behind an HTTP(S) load balancer. What should the engineer configure on the load balancer to enforce this access control?

107

Your organization wants to assign a set of permissions to a group of users that allows them to create and delete Compute Engine instances, but not to modify other resources like Cloud Storage buckets. Which type of IAM role should you create?

108

An organization has a Google Cloud organization node with multiple folders for different departments. A deny policy is set at the organization level to block the use of shielded VM constraints. Later, an allow policy at the folder level grants the compute.instances.create permission. A user in that folder tries to create a new VM without shielded VM enabled. What will happen?

109

A company wants to allow an application running in an on-premises data center to access Google Cloud Storage buckets without storing long-lived service account keys. The on-premises application authenticates using an external identity provider (IdP) that supports OpenID Connect (OIDC). Which Google Cloud feature should they use?

110

You need to grant a security auditor read-only access to all resources in a project, but they must not be able to view data within resources (e.g., table contents). Which predefined IAM role should you grant?

111

A DevOps engineer needs to allow a CI/CD pipeline running in Google Kubernetes Engine (GKE) to push images to a specific Artifact Registry repository. The pipeline uses a Kubernetes service account. What is the best practice to grant this access without creating a JSON key for a Google service account?

112

Your organization uses Cloud Identity with SAML 2.0 federation from an external identity provider (IdP). You need to ensure that only users from a specific group in the IdP can access a critical application behind an HTTPS load balancer. Which combination of steps is required?

113

A company has an organization policy that disables service account key creation (constraints/iam.disableServiceAccountKeyCreation). However, a legacy application requires a service account key to authenticate. What should the engineer do to satisfy this requirement while following best practices?

114

Which of the following is the correct order of the Google Cloud resource hierarchy from highest to lowest?

115

An organization uses Cloud Directory Sync to synchronize users from on-premises Active Directory to Cloud Identity. After syncing, a user reports they cannot access a Google Cloud project even though they are a member of the correct AD group. The group has been assigned the roles/compute.admin role on the project. What is the most likely cause?

116

An engineer is configuring Cloud Armor for an HTTP(S) load balancer and needs to allow traffic only from users who have been authenticated by Identity-Aware Proxy (IAP). The backend service already has IAP enabled. What additional configuration is needed to ensure that only authenticated requests reach the backend?

117

A company wants to enforce that all new projects have a specific set of tags to track cost centers. Which Google Cloud feature should they use?

118

A security engineer needs to allow a group of external auditors to view all resources in a project but not modify anything. They must also prevent the auditors from viewing sensitive data in BigQuery datasets. Which TWO IAM bindings should the engineer configure? (Choose two.)

119

A company runs a batch job on Compute Engine that reads data from Cloud Storage and writes results to BigQuery. The Compute Engine instance uses a service account. The job fails with a permission error. Which THREE steps should the engineer take to resolve this? (Choose three.)

120

An organization uses Cloud Identity with SAML 2.0 federation. They want to enable single sign-on (SSO) for users accessing Google Cloud Console and also allow access to a custom application behind an HTTPS load balancer using IAP. Which TWO configurations are required? (Choose two.)

121

Your organization has an IAM policy at the folder level that grants a user the Compute Admin role. A deny policy at the project level denies the same user the compute.instances.create permission. What is the effective access for this user on the project?

122

A security engineer needs to enforce that all Compute Engine VMs in an organization use Shielded VM features. Which approach should they use?

123

A company uses Google Cloud Directory Sync to synchronize users from an on-premises Active Directory to Cloud Identity. They want to allow federated access from their external identity provider (IdP) that supports SAML 2.0. The IdP should be able to authenticate users from a specific AD domain. What configuration steps are required?

124

A DevOps team wants to grant a CI/CD pipeline (running on a Compute Engine VM) the ability to restart Compute Engine instances in a specific project. The VM has a service account attached. What is the best practice to grant this permission?

125

An organization wants to use a third-party identity provider (IdP) that supports OpenID Connect (OIDC) to manage access to Google Cloud resources. They want users to authenticate with the external IdP and access GCP via the Cloud Console and gcloud CLI. Which feature should they use?

126

A company is migrating to Google Cloud and wants to implement least privilege access for their engineers. They have the following requirements: 1) Engineers must be able to create and manage Cloud Storage buckets. 2) Engineers must NOT be able to delete any resources. 3) Engineers should not be granted basic roles. Which two predefined roles should they combine to meet these requirements? (Choose two.)

127

A security team wants to restrict service account key creation in their organization to prevent key-based authentication. They have set the organization policy constraint constraints/iam.disableServiceAccountKeyCreation to True. However, they need to allow a specific project to continue creating keys for legacy applications. Which two steps are required? (Choose two.)

128

A company wants to implement workload identity federation for a GitHub Actions workflow, allowing it to access Google Cloud resources without using service account keys. Which three steps are required? (Choose three.)

129

An organization wants to use Identity-Aware Proxy (IAP) to secure access to a web application running on Compute Engine. They need to ensure that only users with specific email domains can access the application, and also verify that requests are coming from IAP. Which two configurations are required? (Choose two.)

130

A developer wants to grant a Kubernetes service account in GKE the ability to read objects from a specific Cloud Storage bucket. Which two resources need to be bound together? (Choose two.)

131

A company uses Cloud Identity with SAML 2.0 federation from an external IdP. They want to enforce that users must be members of a specific group in the IdP to access GCP resources. Which two configurations are necessary? (Choose two.)

132

A security architect is designing an IAM hierarchy for a large organization. The requirements are: 1) Development projects should inherit a policy that allows Compute Engine access. 2) Production projects should not have Compute Engine access. 3) Audit team must be able to read all resources across all projects. Which three IAM policy placements are correct? (Choose three.)

133

A company wants to use Google Cloud Directory Sync (GCDS) to synchronize users and groups from an on-premises Active Directory to Cloud Identity. Which two prerequisites must be met? (Choose two.)

134

A company needs to grant developers the ability to deploy applications to App Engine, but they should not be able to modify IAM policies. Which two roles should be assigned to the developers? (Choose two.)

135

An organization wants to restrict the creation of service accounts to only certain projects. Which two approaches can achieve this? (Choose two.)

Practice all 135 Configuring Access Within a Cloud Solution Environment questions

Other PCSE exam domains

- Ensuring Data Protection
- Managing Operations in a Cloud Solution Environment
- Configuring Network Security
- Supporting Compliance Requirements

Frequently asked questions

What does the Configuring Access Within a Cloud Solution Environment domain cover on the PCSE exam?

The Configuring Access Within a Cloud Solution Environment domain covers the key concepts tested in this area of the PCSE exam blueprint published by Google Cloud. Courseiva provides free domain-focused practice, mock exams, missed-question review, and readiness tracking across all PCSE domains — no account required.

How many Configuring Access Within a Cloud Solution Environment questions are in the PCSE question bank?

The Courseiva PCSE question bank contains 135 questions in the Configuring Access Within a Cloud Solution Environment domain. Click any question to see the full explanation and answer breakdown.

What is the best way to practice Configuring Access Within a Cloud Solution Environment for PCSE?

Start with a 10-question focused session to identify your baseline accuracy in this domain. Read every explanation — even for questions you answer correctly — to understand the reasoning. Once you score consistently above 80%, move to a 20–30 question session to confirm depth before moving to the next domain.

Can I practice only Configuring Access Within a Cloud Solution Environment questions for PCSE?

Yes — the session launcher on this page draws questions exclusively from the Configuring Access Within a Cloud Solution Environment domain. Choose 10, 20, 30, or 50 questions for a focused session, or click individual questions to review them one by one.
