Google Cloud · Free Practice Questions · Last reviewed May 2026
30 real exam-style questions organised by domain, each with the correct answer highlighted and a plain-English explanation of why it's right, and why the others are wrong.
Your organization has a VPC with several subnets hosting Compute Engine instances. You need to allow SSH access (port 22) to instances in the 'management' subnet from the internet, but only from the office's static IP range (203.0.113.0/24). All other ingress traffic to that subnet should be blocked. Which firewall rule configuration should you create?
Create an ingress rule with target tag 'management', source IP range 0.0.0.0/0, protocol tcp:22, action allow
Create an ingress rule with target tag 'management', source IP range 203.0.113.0/24, protocol tcp:22, action deny
Create an ingress rule with target tag 'management', source IP range 203.0.113.0/24, protocol tcp:22, action allow
Correct: Targets the subnet's instances via tag, allows SSH only from office IP.
Create an ingress rule with target tag 'management', source IP range 203.0.113.0/24, protocol all, action allow
Your company is deploying a web application on Google Kubernetes Engine (GKE) with an Internal Load Balancer (ILB) as the ingress. The application must only be accessible from within the same VPC and from an on-premises network connected via Cloud VPN. The on-premises network uses IP range 10.0.0.0/8. You have already created the ILB with a backend service. What is the most secure way to restrict access to the ILB?
Configure a VPC firewall rule to deny all ingress traffic to the ILB's forwarding rule IP address, and then create a higher-priority allow rule for the VPC and on-premises ranges
Configure the backend service's firewall rules to only allow traffic from the ILB's health check ranges and from the VPC and on-premises source ranges
Correct: Firewall rules on the backend instances allow traffic from the ILB's health check probes and from permitted source ranges, ensuring only desired traffic reaches the application.
Use GKE Network Policy to restrict ingress traffic to the application pods from the VPC and on-premises ranges
Use Cloud Armor to create a security policy that allows traffic only from the VPC and on-premises ranges, and attach it to the ILB
You have a Compute Engine VM that hosts a custom application. The VM has a tag 'app-server' and is in a VPC network with the following firewall rules (priority order from lowest to highest):
Rule 1: Priority 1000, direction INGRESS, source 0.0.0.0/0, target tag 'app-server', protocol tcp:80, action allow
Rule 2: Priority 500, direction INGRESS, source 10.0.0.0/8, target tag 'app-server', protocol tcp:80, action deny
Rule 3: Priority 2000, direction INGRESS, source 192.168.0.0/16, target tag 'app-server', protocol tcp:80, action allow
A user from IP 10.0.0.5 tries to access the application on port 80. Will the request be allowed or denied?
Denied, because Rule 2 has a lower priority number and explicitly denies traffic from 10.0.0.0/8
Correct: Rule 2 has priority 500, which is evaluated before Rule 1 (1000) and Rule 3 (2000). Since it matches, the deny action is applied.
Denied, because Rule 3 has a higher priority number and denies traffic from 192.168.0.0/16
Allowed, because Rule 1 has a lower priority number and allows all traffic
Allowed, because Rule 3 has a higher priority number and allows traffic from 192.168.0.0/16
Your organization uses Shared VPC with a host project and several service projects. You need to ensure that all egress traffic from Compute Engine instances in a service project is routed through a centralized Cloud NAT in the host project. What is the required configuration?
Create a firewall rule in the host project that denies all egress traffic except to the Cloud NAT IP
Set the instances to use a custom route with next-hop as the Cloud NAT IP address
Configure a Cloud NAT on the Cloud Router in the host project for the subnet that is shared with the service project
Correct: In Shared VPC, the host project owns the subnets. Cloud NAT on the host project's router for those subnets will handle egress for all instances in those subnets, including those from service projects.
Configure a Cloud NAT in each service project and associate it with the subnet that the instances use
You are designing a multi-tier application with a frontend and backend. The frontend instances are in subnet A (10.0.1.0/24), and the backend instances are in subnet B (10.0.2.0/24). Both subnets are in the same VPC. You want to allow the frontend to communicate with the backend on TCP port 8080, but the backend must not be able to initiate connections to the frontend. Additionally, the backend must be able to send patches to the internet. Which set of firewall rules should you implement?
Ingress rule on frontend: allow tcp:8080 from backend's service account; Egress rule on backend: allow all to internet
Ingress rule on backend: allow tcp:8080 from subnet A; Egress rule on backend: allow all to internet
Correct: Ingress on backend allows frontend-initiated traffic only. Egress on backend allows backend to reach internet for patches. No rule allows backend to initiate to frontend.
Ingress rule on frontend: allow tcp:8080 from subnet B; Egress rule on backend: allow all to internet
Ingress rule on backend: allow tcp:8080 from subnet A; Egress rule on frontend: deny all to internet
You are a security engineer for a company that runs a critical application on Google Cloud. You need to implement defense in depth for network security. Which TWO of the following are effective network security controls that you should implement?
OS-level host-based firewalls on each VM
VPC firewall rules to restrict traffic between subnets
Correct: VPC firewall rules are a fundamental network security control to filter traffic.
IAM roles to control who can create Compute Engine instances
Workload Identity Federation to allow workloads to authenticate to Google APIs
Cloud Armor to protect against DDoS and web application attacks
Correct: Cloud Armor is a network security service that provides WAF and DDoS protection at the edge.
A company is designing a CI/CD pipeline using Cloud Build. Security requirements mandate that the pipeline deploy only to projects that have been explicitly authorized. The security team wants to use a service account that can be assumed by Cloud Build to perform deployments, and they want to restrict which projects can be deployed to using organization policies. Which approach should they take?
Use the organization policy constraint 'constraints/iam.serviceAccountKeyExpiryHours' to force key rotation.
Use the organization policy constraint 'constraints/iam.allowedPolicyMemberDomains' and set it to only allow the service account's domain.
Use the organization policy constraint 'constraints/compute.restrictCrossProjectNw' to limit network access.
Use the organization policy constraint 'constraints/iam.workloadIdentityPoolProviders' to restrict which workload identity pools can be used.
A company uses Cloud Identity-Aware Proxy (IAP) to secure access to an internal web application hosted on Compute Engine. After a recent security audit, the team wants to ensure that only users with specific attributes can access the app, such as belonging to the 'engineering' group and having a verified corporate email. What is the best approach to enforce this requirement?
Use VPC Service Controls to restrict access based on user attributes.
Disable OAuth and use a custom JWT with group membership claims.
Set up an HTTP load balancer with a custom header that passes group membership from the identity provider.
Configure IAP with access levels that require the user to be in the 'engineering' group and have a verified email.
Correct: Access levels in Context-Aware Access can enforce group membership and email verification.
A financial services company is migrating its on-premises application to Google Cloud. The application needs to access a Cloud SQL instance and a Cloud Storage bucket. Security requirements mandate that the application must use short-lived credentials and avoid storing long-lived service account keys. The application runs on Compute Engine. What should the Security Engineer do to meet these requirements?
Create a service account and use Workload Identity Federation to impersonate it.
Use Cloud Key Management Service to generate and rotate keys for the service account.
Attach a service account to the Compute Engine instance with appropriate roles for Cloud SQL and Cloud Storage.
Correct: Compute Engine automatically obtains short-lived tokens via the metadata server.
Create a service account key and store it in Cloud Secret Manager.
A DevOps team wants to grant a contractor temporary access to a specific Cloud Storage bucket for 30 days. The contractor has a Google account (example@gmail.com). The bucket contains sensitive data, and the access should be as restrictive as possible. What is the recommended way to grant this access?
Create a bucket ACL granting the contractor READ access.
Add the contractor's email to the project-level IAM policy with the 'Storage Object Viewer' role.
Add the contractor's email to the bucket-level IAM policy with the 'Storage Object Viewer' role.
Correct: Bucket-level IAM is granular and can be removed after 30 days.
Generate a signed URL for the contractor to access the bucket objects.
An organization uses Cloud Run to deploy microservices. Each microservice needs to authenticate to Cloud Pub/Sub topics. The Security Engineer wants to enforce that each service only uses its own service account and cannot impersonate others. The team also wants to rotate credentials automatically. What is the best practice to achieve this?
Assign a dedicated service account to each Cloud Run service with the necessary Pub/Sub publisher role.
Correct: Cloud Run uses the attached service account to obtain short-lived tokens automatically.
Configure each Cloud Run service to use the Compute Engine default service account and rely on the metadata server.
Use Workload Identity Federation to map each service to a Google service account.
Create a service account key for each service and store it in Cloud Secret Manager.
A company wants to allow employees to access a web application running on Google Kubernetes Engine (GKE) using their corporate Active Directory credentials. The application is exposed via an HTTPS load balancer. The Security Engineer needs to integrate identity federation and ensure that only authenticated users can reach the application. Which combination of services should be used?
Use Cloud Armor to allow only traffic from specific IP ranges and require client certificates.
Set up federation between Active Directory and Google Cloud using OIDC, and enable IAP on the load balancer.
Correct: IAP can authenticate users from an external OIDC provider.
Enable IAP and configure it to use Active Directory as an identity provider.
Configure Cloud Identity as the identity provider and use IAP.
A company stores sensitive customer data in Cloud Storage. They want to ensure that data is encrypted at rest using customer-managed encryption keys (CMEK) and that access to the key is audited. Which approach should they use?
Use Google-managed encryption keys and enable Cloud Audit Logs for the bucket.
Use CMEK with key material stored in a Cloud Storage bucket.
Use customer-supplied encryption keys (CSEK) and store the keys in Secret Manager.
Use CMEK with a Cloud KMS key and enable Cloud Audit Logs for the key.
Correct: CMEK uses Cloud KMS, and audit logs track access to the key.
A security engineer needs to protect sensitive data in BigQuery. The data includes columns with personally identifiable information (PII). They want to automatically mask PII data for users with the role 'analyst' but allow full access for 'admin' users. Which approach should they use?
Use VPC Service Controls to restrict access to the dataset.
Create authorized views that exclude PII columns for the analyst role.
Use column-level access control via IAM roles to deny access to PII columns for analysts.
Apply policy tags with data masking policies to PII columns and assign the tag to the analyst role.
Correct: Policy tags with masking policies can dynamically mask data based on the user's role.
A company is using Cloud SQL for MySQL to store financial data. They need to ensure that all data is encrypted at rest and in transit. What should they do?
Use client-side encryption before storing data in Cloud SQL.
Enable encryption at rest by checking a box in the Cloud Console.
Enable CMEK on the Cloud SQL instance and configure SSL/TLS.
Use the default encryption provided by Cloud SQL and enforce SSL/TLS connections.
Correct: Cloud SQL encrypts data at rest by default and supports SSL/TLS for in-transit encryption.
A company is migrating on-premises data to Cloud Storage. They have regulatory requirements to encrypt data using keys managed by their on-premises hardware security module (HSM). Which solution should they use?
Use Cloud HSM to create and manage keys.
Use Cloud External Key Manager (Cloud EKM) to reference keys in their on-premises HSM.
Correct: Cloud EKM allows using externally managed keys for Cloud Storage.
Use customer-supplied encryption keys (CSEK) for each object.
Use Cloud Key Management Service (Cloud KMS) with a key generated in the cloud.
A company has a Cloud Storage bucket containing sensitive data. They want to ensure that only users with specific IAM roles can access the bucket, and that access is logged for audit purposes. They also want to prevent public access. Which configuration steps should they take?
Use IAM roles only and enable Cloud Audit Logs, but keep ACLs enabled.
Use VPC Service Controls and enable Cloud Audit Logs.
Enable uniform bucket-level access, set IAM policies, and enable Cloud Audit Logs.
Correct: Uniform bucket-level access disables ACLs and relies solely on IAM, and audit logs track access.
Enable fine-grained access using ACLs and enable Cloud Audit Logs.
A company is using Cloud Data Loss Prevention (DLP) to inspect and de-identify sensitive data in Cloud Storage. They want to classify data using infoTypes and apply de-identification techniques. Which TWO actions should they take?
Create custom infoTypes for all sensitive data.
Use the DLP API to inspect the storage for sensitive data.
Correct: The DLP API can scan and classify data using infoTypes.
Apply de-identification transformations such as masking or tokenization.
Correct: DLP supports various de-identification techniques.
Store de-identification templates in Cloud KMS.
Use VPC Service Controls to restrict access to the data.
A security engineer needs to investigate a potential data exfiltration incident in a Google Cloud environment. The engineer has access to Cloud Logging and wants to identify any unusual outbound network traffic from Compute Engine instances. Which log sink filter should the engineer create to capture VPC flow logs for traffic destined to an external IP address not in the internal network ranges?
Create a sink with filter: 'resource.type="gce_subnetwork" AND jsonPayload.connection.dest_ip="0.0.0.0/0"'
Create a sink with filter: 'resource.type="gce_subnetwork" AND jsonPayload.reporter="src" AND jsonPayload.connection.dest_ip="0.0.0.0/0"'
Create a sink with filter: 'resource.type="gce_subnetwork" AND jsonPayload.connection.dest_ip!="10.0.0.0/8" AND jsonPayload.connection.dest_ip!="172.16.0.0/12" AND jsonPayload.connection.dest_ip!="192.168.0.0/16"'
Correct: This filter captures VPC flow logs whose destination IP is outside the private ranges, i.e., external traffic.
Create a sink with filter: 'compute.googleapis.com/vpc_flows'
A financial services company runs a sensitive application on Google Kubernetes Engine (GKE) with Workload Identity enabled. Security policy requires that only pods with a specific service account can access a Cloud Storage bucket containing customer data. The bucket has uniform bucket-level access enabled. What is the correct combination of IAM bindings to achieve this?
Add the Google service account as a member of the bucket with roles/storage.objectViewer
Bind the Google service account (linked to the Kubernetes service account via Workload Identity) to the bucket IAM policy with roles/storage.objectViewer
Correct: The Google service account (GSA) is granted the role, and pods using the mapped Kubernetes service account (KSA) inherit that access.
Grant the Google service account roles/storage.objectViewer at the project level
Bind the Kubernetes service account to the bucket IAM policy with roles/storage.objectViewer
A security engineer is tasked with automating the remediation of non-compliant resources in a Google Cloud organization. The organization uses Organization Policy Service to enforce constraints. The engineer needs to automatically disable a specific service (e.g., Compute Engine API) for a project that violates a policy. Which Google Cloud service should be used to trigger this remediation?
Cloud Build
Cloud Run
Cloud Scheduler
Cloud Functions
Correct: Cloud Functions can be triggered by logs or Pub/Sub messages to perform automated remediation actions.
A company is migrating to Google Cloud and wants to ensure that all service account keys are rotated automatically every 90 days. The security engineer needs to implement a solution that detects keys older than 90 days and notifies the security team. What is the most efficient way to achieve this?
Use Cloud Monitoring to query the IAM API for key creation timestamps and trigger an alert
Use Cloud Asset Inventory to list service account keys, then run a Cloud Scheduler job that invokes a Cloud Function to check key ages and send notifications
Correct: This combination efficiently checks key ages periodically and alerts.
Create a log-based metric for service account key creation and set up an alert in Cloud Monitoring
Configure a custom role in Cloud IAM that denies access to keys older than 90 days
A security engineer is configuring VPC Service Controls to protect a Google Cloud project containing sensitive data. The project uses Cloud Storage and BigQuery. The engineer wants to ensure that data cannot be exfiltrated to external IP addresses outside the perimeter, but internal users should still be able to access the data from on-premises via a VPN. Which configuration should be applied?
Do not use VPC Service Controls; instead, rely on IAM permissions and firewall rules to control access
Add the project to a VPC Service Controls perimeter and configure an ingress rule to allow traffic from the on-premises VPN CIDR ranges
Correct: Ingress rules allow specific external sources (like VPN CIDR ranges) to access the perimeter.
Create a separate perimeter that denies all traffic and apply it to the project
Add the project to a VPC Service Controls perimeter with no additional ingress rules
A security engineer is investigating a potential data breach in a Google Cloud environment. The engineer suspects that a compromised service account key was used to access Cloud Storage buckets. Which TWO actions should the engineer take immediately to mitigate the risk?
Disable the service account
Correct: Disabling the service account immediately revokes all access for that account.
Revoke all IAM roles granted to the service account
Rotate the service account key
Delete the compromised service account key
Correct: Deleting the key immediately invalidates it.
Enable Cloud Audit Logs for the service account
A company needs to retain audit logs for 7 years to meet regulatory compliance. They are using Cloud Logging. Which log storage strategy should they use to minimize costs while meeting the requirement?
Store logs in the _Required log bucket with a custom retention of 7 years.
Disable logging for non-critical resources to reduce log volume and retain only essential logs.
Use a log sink to export logs to Cloud Storage with a retention policy of 7 years and nearline storage class.
Correct: Log sinks can export to Cloud Storage, and a retention policy ensures logs are kept for 7 years. The Nearline storage class reduces cost.
Use a log sink to export logs to BigQuery and set the table expiration to 7 years.
A healthcare organization must ensure that only authorized personnel can access Protected Health Information (PHI) stored in Cloud Storage. They need to enforce encryption at rest and control access based on data classification. Which combination of Google Cloud services should they use?
Use customer-supplied encryption keys (CSEK) and Cloud Audit Logs.
Use Cloud HSM for key management and Cloud DLP to inspect data.
Enable Access Transparency and use Organization Policies to restrict resource locations.
Use customer-managed encryption keys (CMEK) with Cloud KMS and VPC Service Controls.
Correct: CMEK provides key control; VPC Service Controls prevent data exfiltration beyond the perimeter.
A financial services company is deploying a multi-region application on Google Kubernetes Engine (GKE) and needs to comply with PCI DSS. They must ensure that cardholder data is encrypted in transit between pods in different clusters. What is the MOST secure way to achieve this?
Configure TLS for each service using a Cloud Load Balancing with SSL policies.
Enable Anthos Service Mesh with mutual TLS (mTLS) across clusters.
Correct: mTLS in a service mesh provides encryption and authentication for inter-pod traffic.
Use HTTPS between services by configuring ingress with a Google-managed SSL certificate.
Use VPC Network Peering to connect the clusters and rely on the internal network encryption.
A company must implement data residency requirements that prohibit storing data outside the European Union. They are using Cloud Bigtable and need to ensure that backups are also stored within the EU. Which configuration should they choose?
Create the Bigtable instance with multi-region placement in europe-west1 and europe-west4.
Create an instance in a dual-region configuration (e.g., europe-west1 and europe-west4) and use backup policies.
Use a single-region instance in europe-west1 with customer-managed encryption keys (CMEK) for backups.
Create the Bigtable instance in a single EU region (e.g., europe-west1) and enable automatic backups.
Correct: Backups are stored in the same region as the instance, ensuring data stays in the EU.
A company is migrating to Google Cloud and needs to comply with the Health Insurance Portability and Accountability Act (HIPAA). They plan to use Cloud SQL for MySQL and Cloud Storage. Which TWO actions must they take to ensure HIPAA compliance?
Sign a Business Associate Agreement (BAA) with Google Cloud.
Correct: A BAA is required for any HIPAA-covered entity using Google Cloud services.
Disable automatic backups to prevent exposure of protected health information (PHI).
Enable encryption at rest for Cloud SQL and Cloud Storage.
Correct: HIPAA requires encryption of PHI at rest.
Implement VPC Service Controls to create a perimeter around the projects.
Use customer-managed encryption keys (CMEK) for all services.
A company needs to comply with the General Data Protection Regulation (GDPR). They are using BigQuery to store personal data. Which THREE measures should they implement to meet GDPR requirements?
Enable audit logs via Cloud Audit Logs to track access to personal data.
Correct: Audit logs are necessary for demonstrating compliance.
Use Cloud KMS to encrypt individual columns containing personal data.
Store data in a multi-region location like 'EU' to ensure availability across regions.
Use Cloud DLP to classify and de-identify sensitive columns before loading into BigQuery.
Correct: Cloud DLP helps identify and protect personal data.
Enable data deletion by using DML statements to remove personal data when requested.
Correct: GDPR's right to erasure requires the ability to delete personal data.
The PCSE exam has 60 questions and must be completed in 120 minutes. The passing score is 720/1000.
Scenario-based questions covering exam objectives with detailed answer explanations.
The exam covers 5 domains: Configuring network security, Configuring access within a cloud solution environment, Ensuring data protection, Managing operations in a cloud solution environment, Supporting compliance requirements. Questions are weighted by domain — higher-weight domains appear more on your actual exam.
No. These are original exam-style practice questions written against the official Google Cloud PCSE exam objectives. They are not copied from the real exam. Courseiva focuses on genuine understanding, not memorisation of braindumps.