Reinforce PCSE concepts with active-recall study cards covering all 5 blueprint domains. Each card shows the question on the front and the correct answer with a full explanation on the back.
Flashcards work through active recall — the process of retrieving information from memory rather than passively re-reading it. Research consistently shows that active recall produces stronger, longer-lasting memory than re-reading study guides. For PCSE preparation, this means flashcards are one of the highest-return study tools available.
Attempt recall first
Read the PCSE question on each card, pause, and attempt to formulate the answer in your own words before revealing. This retrieval attempt — even if wrong — dramatically strengthens memory compared to immediately reading the answer.
Review wrong cards again
When you get a card wrong, note it and add it back to your review pile. Spaced repetition — seeing difficult cards more frequently — is the mechanism that makes flashcard study far more efficient than linear reading.
Study by domain
Group your PCSE flashcard sessions by domain for the first 3–4 weeks. Master one domain before moving to the next. In the final week, shuffle all cards together to test cross-domain recall — which is what the real PCSE exam requires.
Short sessions beat marathon reviews
20–30 flashcard cards per session, done daily, produces better retention than a single 200-card marathon session. Five short daily sessions per week over 4 weeks gives you over 400 total card reviews — enough to reliably pass PCSE.
Sample cards from the PCSE flashcard bank. Read the question, think of the answer, then read the explanation below.
A security engineer needs to prevent users from creating service account keys in a Google Cloud project. The solution must be enforceable across all projects in the organization and should not block other IAM operations. Which approach should they use?
Use the Organization Policy Service with the constraint constraints/iam.disableServiceAccountKeyCreation.
Organization Policy constraints provide a way to enforce restrictions across the resource hierarchy. The built-in constraint 'constraints/iam.disableServiceAccountKeyCreation' specifically prevents creation of service account keys at the project, folder, or organization level. It does not affect other IAM operations. IAM deny policies can deny specific permissions but are more complex to manage and apply at the org level for this specific use case. Custom roles are not designed for enforcement across projects. The Organization Policy Service is the correct choice for such organization-wide restrictions.
A security engineer needs to ensure that all customer data stored in Cloud Storage is encrypted at rest using keys that the organization manages and rotates themselves. Which encryption option should they use?
Customer-managed encryption keys (CMEK) using Cloud KMS
Customer-managed encryption keys (CMEK) using Cloud KMS is the correct choice because it allows the organization to create, manage, and rotate their own encryption keys for Cloud Storage data at rest, while still leveraging Google's infrastructure for encryption. CMEK uses Cloud KMS to wrap the data encryption keys (DEKs) with a customer-managed key encryption key (KEK), ensuring the organization retains control over key lifecycle operations such as rotation, disabling, and destruction, meeting the requirement for self-managed key rotation.
A security engineer needs to ensure that all Google Cloud API calls in the organization are logged and retained for 7 years for compliance. Admin Activity logs are enabled by default but retention is limited. Which combination of actions should the engineer take?
Create a log sink with _Required log view filter to export Admin Activity logs to Cloud Storage with a retention policy of 7 years.
Admin Activity logs are enabled by default but cannot be retained beyond the default period (400 days for audit logs). To retain for 7 years, you must use a log sink to export them to Cloud Storage (which can be configured with retention policies). BigQuery is for analysis, not archival. The default retention cannot be changed.
A security engineer needs to restrict access to Cloud Storage buckets so that only resources in a specific VPC can reach the Google APIs. Which Google Cloud service should be used?
VPC Service Controls
VPC Service Controls allows you to define a service perimeter that restricts access to Google Cloud APIs (like Cloud Storage) to only resources from authorized VPCs, preventing data exfiltration.
A healthcare organization is required to protect Protected Health Information (PHI) stored in Cloud Storage. They want to automatically detect and redact PHI before storing it. Which Google Cloud service should they use?
Cloud Data Loss Prevention (DLP)
Cloud DLP can inspect Cloud Storage buckets for sensitive data like PHI and redact or de-identify it automatically using its inspect and transform pipeline.
A company is designing a CI/CD pipeline using Cloud Build. Security requirements mandate that the pipeline deploy only to projects that have been explicitly authorized. The security team wants to use a service account that can be assumed by Cloud Build to perform deployments, and they want to restrict which projects can be deployed to using organization policies. Which approach should they take?
Use the organization policy constraint 'constraints/iam.allowedPolicyMemberDomains' and set it to only allow the service account's domain.
The organization policy constraint `constraints/iam.allowedPolicyMemberDomains` restricts which domains' principals can be granted roles in the organization. By setting this constraint to only allow the domain that contains the service account used by Cloud Build, you ensure that only service accounts from that domain can be granted roles. Then, you grant that service account the necessary deployment roles (e.g., Compute Instance Admin, Kubernetes Engine Admin) only in the explicitly authorized projects. This combination of organization policy and IAM grants restricts deployment to only those projects, meeting the security requirement.
A company must implement data residency requirements that prohibit storing data outside the European Union. They are using Cloud Bigtable and need to ensure that backups are also stored within the EU. Which configuration should they choose?
Create the Bigtable instance in a single EU region (e.g., europe-west1) and enable automatic backups.
Option D is correct because a single-region Bigtable instance in an EU region (e.g., europe-west1) ensures that all data, including backups, remains within the EU. Enabling automatic backups stores backup data in the same region, satisfying data residency requirements that prohibit storing data outside the EU.
A company wants to allow employees to access a web application running on Google Kubernetes Engine (GKE) using their corporate Active Directory credentials. The application is exposed via an HTTPS load balancer. The Security Engineer needs to integrate identity federation and ensure that only authenticated users can reach the application. Which combination of services should be used?
Set up federation between Active Directory and Google Cloud using OIDC, and enable IAP on the load balancer.
Option B is correct because it combines OIDC federation between Active Directory and Google Cloud with Identity-Aware Proxy (IAP) on the load balancer. IAP verifies user identity via OIDC tokens issued by the federated identity provider, ensuring only authenticated users can reach the application without exposing it to the public internet.
A company is deploying a multi-tier application on Google Cloud. The web tier must be accessible from the internet, while the application and database tiers must only be accessible from the web tier. The security team wants to use VPC firewall rules and Cloud NAT for outbound internet access from private instances. Which architecture meets these requirements with the least operational overhead?
Place web tier in a public subnet with public IPs. Place app/db tiers in private subnets with no public IPs. Use firewall rules to allow traffic from web to app, and app to db. Configure Cloud NAT for private subnets.
Option D is correct because it uses a single VPC with separate public and private subnets, which minimizes operational overhead while meeting the security requirements. The web tier in the public subnet gets public IPs for internet access, while the app and database tiers in private subnets have no public IPs and rely on Cloud NAT for outbound internet. Firewall rules restrict traffic to only the necessary flows (web→app, app→db), and Cloud NAT provides scalable outbound connectivity without managing a proxy VM.
A company must ensure that all Compute Engine instances use only approved images from a specific project. They want to enforce this using Organization Policy. Which constraint should they use?
constraints/compute.restrictImageUsage
The correct constraint is `constraints/compute.restrictImageUsage` because it directly controls which images can be used to create Compute Engine instances by specifying a list of allowed projects. This enforces the requirement that only approved images from a specific project are used, blocking instances launched with images from other projects.
A financial services company is migrating its on-premises application to Google Cloud. The application needs to access a Cloud SQL instance and a Cloud Storage bucket. Security requirements mandate that the application must use short-lived credentials and avoid storing long-lived service account keys. The application runs on Compute Engine. What should the Security Engineer do to meet these requirements?
Attach a service account to the Compute Engine instance with appropriate roles for Cloud SQL and Cloud Storage.
Option C is correct because attaching a service account directly to a Compute Engine instance allows the application to automatically obtain short-lived access tokens from the instance metadata server (http://169.254.169.254) for accessing Cloud SQL and Cloud Storage. This approach eliminates the need to store long-lived service account keys, meeting the security requirement for short-lived credentials.
An organization uses Cloud Audit Logs to monitor admin activity. The security team wants to be alerted when a user creates a new IAM role at the organization level. Which type of audit log should they analyze?
Admin Activity audit logs
Admin Activity audit logs (option D) are the correct choice because they record operations that modify the configuration or metadata of resources, such as creating or modifying IAM roles and policies at the organization level. In Google Cloud, Admin Activity audit logs are enabled by default and capture all 'admin write' events, including the creation of an IAM role, which is a configuration change. The security team needs to monitor these logs to detect when a user creates a new IAM role, as this is an administrative action that alters the organization's security posture.
A company is migrating its on-premises Microsoft Active Directory to Google Cloud using Managed Microsoft AD (Microsoft AD). They need to ensure that users can authenticate to Compute Engine Windows instances using their on-premises credentials without additional user setup. What is the most secure and scalable approach?
Create a two-way trust between the Managed Microsoft AD domain and the on-premises AD domain.
Option B is correct because establishing a two-way trust between Managed Microsoft AD and the on-premises AD domain allows users to authenticate to Compute Engine Windows instances using their existing on-premises credentials without any additional user setup. This trust enables Kerberos authentication to flow seamlessly across the two domains, ensuring that on-premises users can access cloud resources securely and scalably without duplicating identities or credentials.
A security engineer needs to ensure that a Compute Engine VM can securely access Cloud Storage buckets without exposing a public IP address. The VM is in a VPC with Private Google Access enabled. What is the recommended approach?
No additional configuration is needed; Private Google Access allows access to Cloud Storage from VMs without external IPs.
Private Google Access enables a VM without an external IP address to reach Google APIs and services, including Cloud Storage, using the VPC's internal IP and Google's private network. Since the VM is in a VPC with Private Google Access enabled, it can securely access Cloud Storage buckets without needing a public IP or additional proxy. No further configuration is required because the traffic stays within Google's network and never traverses the public internet.
Refer to the exhibit. A Security Engineer runs the command to grant Alice access to view objects in a Cloud Storage bucket. Later, Alice reports she can no longer access the bucket after January 1, 2024. What is the most likely reason?
The IAM condition expired on January 1, 2024, because the timestamp condition prevented access after that date.
Option D is correct because the IAM condition attached to the binding includes a timestamp condition that expires on January 1, 2024. When the condition is no longer satisfied, the binding becomes ineffective, and Alice loses access to the bucket. This is a common use of IAM conditions to grant time-limited access.
A company uses Cloud Identity-Aware Proxy (IAP) to secure access to an internal web application hosted on Compute Engine. After a recent security audit, the team wants to ensure that only users with specific attributes can access the app, such as belonging to the 'engineering' group and having a verified corporate email. What is the best approach to enforce this requirement?
Configure IAP with access levels that require the user to be in the 'engineering' group and have a verified email.
Option D is correct because Cloud IAP integrates with Identity-Aware Proxy access levels, which allow you to enforce attribute-based access control (ABAC) using Google Cloud's context-aware access features. By configuring an access level that requires the user to belong to the 'engineering' group (via Cloud Identity or G Suite group membership) and have a verified corporate email (e.g., using the `email_verified` attribute from the identity provider), you can precisely restrict access to the Compute Engine web application without modifying the application code.
Your organization uses Shared VPC with a host project and several service projects. You need to ensure that all egress traffic from Compute Engine instances in a service project is routed through a centralized Cloud NAT in the host project. What is the required configuration?
Configure a Cloud NAT on the Cloud Router in the host project for the subnet that is shared with the service project
Option C is correct because a Cloud NAT configured on the Cloud Router in the host project for the shared subnet allows all Compute Engine instances in service projects attached to that subnet to use the host project's NAT IP for outbound traffic. This is the only way to centralize egress traffic through the host project's Cloud NAT while respecting Shared VPC architecture, as the NAT is tied to the subnet and Cloud Router in the host project.
A security engineer is using Cloud Asset Inventory to find all Compute Engine instances that are not labeled with a 'compliance' label. Based on the exhibit, which instance(s) are missing the compliance label?
instance-2 only
Option B is correct because the exhibit shows that instance-1 has a 'compliance' label with a value of 'true', while instance-2 has no 'compliance' label at all. Cloud Asset Inventory can query assets using label filters; the absence of the 'compliance' label on instance-2 means it fails the compliance labeling requirement. Therefore, only instance-2 is missing the compliance label.
A company is using Cloud SQL for MySQL to store financial data. They need to ensure that all data is encrypted at rest and in transit. What should they do?
Use the default encryption provided by Cloud SQL and enforce SSL/TLS connections.
Option D is correct because Cloud SQL for MySQL automatically encrypts data at rest using AES-256, with no additional configuration required. To protect data in transit, you must enforce SSL/TLS connections by configuring the instance to require SSL and downloading the server certificate for client connections. This combination satisfies both encryption requirements without unnecessary complexity.
A security engineer needs to grant a data analyst read-only access to a BigQuery dataset containing customer data, but must prevent the analyst from viewing or querying a specific column that contains personally identifiable information (PII). Which approach should the engineer use?
Use BigQuery column-level security with a policy tag on the PII column, and assign the analyst a role that denies access to that tag.
Option A is correct because BigQuery column-level security uses policy tags to control access at the column level. By assigning a policy tag to the PII column and then granting the analyst a role that explicitly denies access to that tag (e.g., using a deny role or IAM deny policies), the analyst can query the dataset but will be blocked from viewing or querying the tagged column. This approach directly meets the requirement of read-only access while preventing access to the specific PII column.
A security engineer is troubleshooting an issue where a Compute Engine VM cannot connect to a Cloud SQL instance that has a private IP address. Both resources are in the same VPC network. The VM's firewall rules allow egress to any destination, and the Cloud SQL instance's authorized networks include the VPC network. What is the most likely cause of the connection failure?
The VPC network does not have a private services access connection (VPC peering) to the Service Networking API.
Cloud SQL instances with private IP addresses require a private services access connection (VPC peering) between the VPC network and the Service Networking API's managed tenant project. Without this VPC peering, the VM cannot route traffic to the Cloud SQL instance's private IP, even if both are in the same VPC network. Option C directly identifies this missing prerequisite.
A company wants to use Cloud Armor to block traffic from specific countries to comply with data sovereignty requirements. They have a global HTTP Load Balancer configured. Where should they configure the Cloud Armor policy?
Attach to the backend service of the load balancer.
Cloud Armor policies must be attached to a backend service (or backend bucket) of a global HTTP(S) Load Balancer to filter traffic at the edge. This allows the policy to evaluate incoming requests based on geographic location before they reach the backend, enforcing data sovereignty rules without modifying VPC networking or firewall rules.
Refer to the exhibit. A security engineer runs the command to view recent decrypt operations on a Cloud KMS key. The output shows a successful decryption. However, the engineer is concerned about the exposure of the plaintext. Based on the log entry, what is the most accurate statement regarding the visibility of the decrypted plaintext?
The plaintext field is redacted by Cloud KMS, and the actual plaintext is not visible in the log entry.
Option C is correct because Cloud KMS automatically redacts the plaintext field in Cloud Audit Logs for decrypt operations. The log entry shows a successful decryption, but the actual decrypted data is never written to the logs; instead, the plaintext field is replaced with a redacted marker (e.g., `[REDACTED]`). This is a security feature to prevent sensitive data from being exposed in audit logs, even to users with access to view them.
The PCSE flashcard bank covers all 5 official blueprint domains published by Google Cloud. Cards are distributed proportionally, so domains with higher exam weight have more cards.
Domain Coverage
Configuring Access Within a Cloud Solution Environment
Ensuring Data Protection
Managing Operations in a Cloud Solution Environment
Configuring Network Security
Supporting Compliance Requirements
Both flashcards and practice questions are evidence-based study tools. The difference is in what they train:
Flashcards — concept retention
Best for memorising definitions, acronyms, protocol behaviours, command syntax, and conceptual distinctions. Use flashcards to build the foundational vocabulary that PCSE questions assume you know.
Best in: weeks 1–3
Practice tests — application
Best for applying concepts to realistic scenarios, eliminating distractors, and building exam stamina.PCSE questions test scenario reasoning — not just recall — so practice tests are essential.
Best in: weeks 3–6
The most effective PCSE study plan combines both: use flashcards for the first 2–3 weeks to build conceptual foundations, then shift to practice tests and mock exams in the final 2–3 weeks to apply and benchmark that knowledge. Most candidates who pass on their first attempt use both tools.
Yes. Courseiva provides free PCSE flashcards across all official exam domains. Every card includes the correct answer and a full explanation of why it is right and why the distractors are wrong. The platform also includes topic-based practice, mock exams, and readiness tracking — no account required.
Courseiva has 1000+ original PCSE flashcards across all 5 exam blueprint domains. New cards are added regularly as the question bank grows. All cards are written by certified engineers against the official Google Cloud exam objectives.
Courseiva flashcards are purpose-built for IT certification exams. Unlike generic flashcard platforms where content quality varies, every Courseiva card is mapped to the official PCSE exam blueprint, written by engineers who hold the certification, and includes a full explanation of the correct answer and why the distractors are wrong. This explanation quality is what separates genuine learning from rote memorisation.
Courseiva is a web platform — an internet connection is required. For offline study, we recommend creating free Courseiva account, using the platform in your browser, and using your device's offline capabilities if your browser supports offline web apps.
Save your results, see which domains need more work, and get spaced repetition recommendations — all free.
Sign Up FreeFree forever · Every certification included