Courseiva is a free IT certification practice platform offering original exam-style practice questions, detailed explanations, topic-based practice, mock exams, readiness tracking, and study analytics for Cisco, CompTIA, Microsoft, AWS, and other technology certifications.

© 2026 Courseiva. Courseiva is operated by JTNetSolutions Ltd. All rights reserved.

Courseiva is an independent certification practice platform and is not affiliated with, endorsed by, or sponsored by Cisco, Microsoft, AWS, CompTIA, Google, ISC2, ISACA, or any other certification vendor. Vendor names and certification marks are used only to identify the exams learners are preparing for.

PCSE Configuring access within a cloud solution environment — All Questions With Answers

Complete PCSE Configuring access within a cloud solution environment question bank, with answers and detailed explanations. 105 questions in the bank; free, no signup required.
Question 1 (medium, multiple choice)

A company is designing a CI/CD pipeline using Cloud Build. Security requirements mandate that the pipeline deploy only to projects that have been explicitly authorized. The security team wants to use a service account that can be assumed by Cloud Build to perform deployments, and they want to restrict which projects can be deployed to using organization policies. Which approach should they take?

Question 2 (medium, multiple choice)

A company uses Cloud Identity-Aware Proxy (IAP) to secure access to an internal web application hosted on Compute Engine. After a recent security audit, the team wants to ensure that only users with specific attributes can access the app, such as belonging to the 'engineering' group and having a verified corporate email. What is the best approach to enforce this requirement?

Question 3 (hard, multiple choice)

A financial services company is migrating its on-premises application to Google Cloud. The application needs to access a Cloud SQL instance and a Cloud Storage bucket. Security requirements mandate that the application must use short-lived credentials and avoid storing long-lived service account keys. The application runs on Compute Engine. What should the Security Engineer do to meet these requirements?

Question 4 (easy, multiple choice)

A DevOps team wants to grant a contractor temporary access to a specific Cloud Storage bucket for 30 days. The contractor has a Google account (example@gmail.com). The bucket contains sensitive data, and the access should be as restrictive as possible. What is the recommended way to grant this access?

Question 5 (hard, multiple choice)

An organization uses Cloud Run to deploy microservices. Each microservice needs to authenticate to Cloud Pub/Sub topics. The Security Engineer wants to enforce that each service only uses its own service account and cannot impersonate others. The team also wants to rotate credentials automatically. What is the best practice to achieve this?

Question 6 (medium, multiple choice)

A company wants to allow employees to access a web application running on Google Kubernetes Engine (GKE) using their corporate Active Directory credentials. The application is exposed via an HTTPS load balancer. The Security Engineer needs to integrate identity federation and ensure that only authenticated users can reach the application. Which combination of services should be used?

Question 7 (medium, multi-select)

A Security Engineer is designing access controls for a multi-cloud environment where workloads on Google Cloud need to access on-premises databases. The company wants to use long-lived credentials. Which TWO options are valid approaches? (Choose TWO.)

Question 8 (hard, multi-select)

A company wants to enforce that all access to Cloud Storage buckets in a project is encrypted with Customer-Managed Encryption Keys (CMEK). The Security Engineer needs to configure the organization policy to meet this requirement. Which THREE steps should be taken? (Choose THREE.)

Question 9 (hard, multiple choice)

Refer to the exhibit. A Security Engineer runs the command to grant Alice access to view objects in a Cloud Storage bucket. Later, Alice reports she can no longer access the bucket after January 1, 2024. What is the most likely reason?

Exhibit

```bash
gcloud projects add-iam-policy-binding my-project \
  --member='user:alice@example.com' \
  --role='roles/storage.objectViewer' \
  --condition='expression=request.time < timestamp
```
Question 10 (medium, multiple choice)

Refer to the exhibit. A Security Engineer is reviewing the IAM policy for a project. An administrator reports that a user named admin@example.com cannot create firewall rules, even though the command should allow it. According to the policy, what is the most likely reason?

Exhibit

```json
{
  "bindings": [
    {
      "role": "roles/compute.instanceAdmin.v1",
      "members": [
        "user:admin@example.com"
      ]
    },
    {
      "role": "roles/compute.networkAdmin",
      "members": [
        "user:admin@example.com"
      ]
    },
    {
      "role": "roles/compute.securityAdmin",
      "members": [
        "group:security-team@example.com"
      ]
    }
  ],
  "etag": "BwX9X9X9X9X="
}
```
Question 11 (hard, multiple choice)

A company uses Cloud SQL for PostgreSQL with IAM database authentication. A security engineer needs to grant a user named 'analyst@example.com' the ability to run SELECT queries on the 'orders' table. The user is a member of the group 'analysts@example.com'. What is the correct combination of IAM and database permissions?

Question 12 (easy, multiple choice)

A security engineer needs to ensure that a Compute Engine VM can securely access Cloud Storage buckets without exposing a public IP address. The VM is in a VPC with Private Google Access enabled. What is the recommended approach?

Question 13 (medium, multiple choice)

A company uses Organization Policies to restrict resource locations. They want to allow resources only in 'us-central1' and 'europe-west1'. They also need to allow a specific project to use 'us-east1' for a temporary workload. What is the correct organization policy configuration?

Question 14 (medium, multi-select)

A company wants to implement least privilege for a service account that needs to read objects from a Cloud Storage bucket and publish messages to a Pub/Sub topic. Which TWO IAM roles should be granted to the service account? (Choose TWO)

Question 15 (hard, multi-select)

A security team is designing access controls for a multi-tenant SaaS application on Google Kubernetes Engine (GKE). Each tenant has a separate namespace. They want to ensure that a DevOps team can manage deployments across all namespaces, but cannot modify secrets in the 'tenant-alpha' namespace. Which THREE Kubernetes RBAC resources should be created? (Choose THREE)

Question 16 (medium, multiple choice)

Refer to the exhibit. A security engineer runs the commands shown. The command 'gcloud compute instances list' fails with a permission denied error. The service account key belongs to a service account with the role 'roles/compute.viewer' on the project. What is the most likely cause?

Exhibit

```bash
gcloud auth activate-service-account --key-file=key.json
gcloud config set project my-project
gcloud compute instances list
```
Question 17 (hard, multiple choice)

Your company has a hybrid cloud environment with on-premises servers and Google Cloud. You are using Cloud VPN to connect the on-premises network to a VPC in us-central1. The on-premises network uses RFC 1918 addresses (10.0.0.0/8). The VPC has subnets in 10.0.0.0/8 as well, causing IP overlap. To resolve this, you have configured the VPC with a custom IP range of 172.16.0.0/12 and migrated some workloads. However, some legacy on-premises servers still need to access a specific set of Compute Engine VMs in the VPC. The security team requires that only authenticated service accounts from the VPC can access on-premises resources, and that traffic from on-premises to Google Cloud must be limited to specific ports (e.g., 443, 8443). You have set up a Cloud VPN tunnel with route-based VPN. What should you do to enforce these access controls?

Question 18 (easy, multiple choice)

You are a security engineer for a startup that uses Google Workspace and Google Cloud. You have been asked to allow a contractor, who has a Google account (contractor@example.com), to manage Cloud Storage buckets in a specific project. The contractor should not have access to any other resources. You create a custom role with the necessary permissions and grant it to the user at the project level. However, the contractor reports that they cannot see the project in the Cloud Console. What is the most likely reason?

Question 19 (medium, multiple choice)

A company uses Cloud Functions with a service account that has the role 'roles/cloudfunctions.invoker' to allow unauthenticated invocation. They want to change this so that only authenticated requests from a specific Cloud Scheduler job can invoke the function. The Cloud Scheduler job runs in the same project and uses a service account with the role 'roles/cloudscheduler.serviceAgent'. The security engineer updates the Cloud Function's ingress settings to 'Allow internal traffic only' and removes the 'allUsers' invoker binding. However, the Cloud Scheduler job now fails with a 403 error. What should the engineer do to fix this?

Question 20 (medium, multiple choice)

A company has deployed a multi-region Kubernetes cluster using GKE. The security team wants to ensure that only pods with a specific service account can access a Cloud Storage bucket containing sensitive data. What is the best practice to achieve this?

Question 21 (hard, multiple choice)

An organization uses Cloud Run to deploy microservices. They need to restrict access to a specific Cloud Run service to only requests coming from a different Cloud Run service within the same project. The services communicate over HTTP. Which configuration should be used?

Question 22 (easy, multiple choice)

A security engineer needs to grant a data analyst read-only access to a BigQuery dataset containing customer data, but must prevent the analyst from viewing or querying a specific column that contains personally identifiable information (PII). Which approach should the engineer use?

Question 23 (medium, drag-and-drop ordering)

Drag and drop the steps to set up Cloud Armor with a WAF rule in the correct order.

Question 24 (medium, drag-and-drop ordering)

Drag and drop the steps to set up a Private Google Access for on-premises hosts using Private Service Connect in the correct order.

Question 25 (medium, matching)

Match each IAM role to its typical use case.

Descriptions to match:

Full management of Compute Engine resources

Read-only access to Cloud Storage objects

Manage service accounts and keys

Manage Cloud KMS keys and key rings

Manage organization policies

Question 26 (medium, matching)

Match each Google Cloud logging/monitoring term to its definition.

Descriptions to match:

Routes logs to a destination (e.g., BigQuery, Pub/Sub)

Storage location for log entries

Counts log entries matching a filter

Records of admin and data access activities

Copies logs to Cloud Storage or BigQuery

Question 27 (medium, multiple choice)

A company uses multiple Google Cloud projects. A service account in Project A needs to read data from a Cloud Storage bucket in Project B. What is the correct way to grant access?

Question 28 (easy, multiple choice)

A user receives a "403 Forbidden" error when trying to access a Compute Engine instance via SSH from the Cloud Console. The user has the Compute Admin role on the project. What is the most likely cause?

Question 29 (hard, multiple choice)

An organization wants to allow a group of external auditors read-only access to specific BigQuery datasets in a project, but only during working hours (9 AM to 5 PM). The auditors belong to an external Google Workspace domain. Which IAM configuration should be used?

Question 30 (medium, multiple choice)

A security team wants to explicitly deny access to a Cloud Storage bucket for all users except the bucket owner. Currently, there are allow policies at the project level granting Storage Object Viewer to all users. What is the most efficient way to implement this?

Question 31 (easy, multiple choice)

A company has a Google Group called team-a@example.com that contains all developers. The developers need to deploy Cloud Functions. What is the best practice to grant the necessary permissions?

Question 32 (hard, multiple choice)

An organization wants to enforce that all Compute Engine instances are created with a specific service account that has only the permissions defined by a custom role. Additionally, users must not be able to override this service account. Which two mechanisms should be combined?

Question 33 (medium, multiple choice)

A company wants to allow its on-premises applications to access Google Cloud resources using short-lived credentials without storing a service account key file. Which solution should they use?

Question 34 (easy, multiple choice)

A developer is creating a Cloud Function that needs to access a Cloud SQL database. They have granted the function's service account the Cloud SQL Client role. However, the function still gets permission denied. What is the most likely issue?

Question 35 (hard, multiple choice)

A security auditor needs to review all IAM policy changes made in the last 30 days across multiple projects. The auditor has the Organization Viewer role at the organization level. What is the most efficient way to provide access without giving unnecessary permissions?

Question 36 (medium, multi-select)

Which TWO practices help implement the principle of least privilege when configuring access to Google Cloud resources? (Choose two.)

Question 37 (hard, multi-select)

Which THREE are valid considerations when designing cross-organization access for Cloud Storage? (Choose three.)

Question 38 (medium, multi-select)

Which TWO are correct statements about IAM deny policies? (Choose two.)

Question 39 (easy, multiple choice)

A new employee needs to be able to create and manage Compute Engine instances. Which role should be granted at the project level?

Question 40 (medium, multiple choice)

A company uses Cloud Storage buckets to store sensitive data. They want to allow a third-party auditor to list bucket contents but not download the objects. Which IAM role should be assigned?

Question 41 (hard, multiple choice)

An organization wants to enforce that all Cloud Storage buckets are created with uniform bucket-level access enabled. Which policy can be used to achieve this?

Question 42 (easy, multiple choice)

A user is getting a permission denied error when trying to access a Cloud SQL instance from a Compute Engine VM. The VM's service account has the Cloud SQL Client role. What is the most likely cause?

Question 43 (medium, multiple choice)

A DevOps team wants to allow a CI/CD pipeline to deploy to Compute Engine using a service account. What is the best practice for managing service account keys?

Question 44 (hard, multiple choice)

A company uses Access Context Manager to restrict access to Cloud Resources based on device policy. They want to allow access only from devices that are company-managed and have disk encryption enabled. What should they configure?

Question 45 (easy, multiple choice)

An application needs to authenticate to Google Cloud APIs from an on-premises server. Which approach is recommended for long-lived access?

Question 46 (medium, multiple choice)

A security administrator wants to ensure that only requests coming through Identity-Aware Proxy (IAP) can access a backend service running on Compute Engine. Which configuration is required?

Question 47 (hard, multiple choice)

A company uses multiple GCP projects and wants to allow a service account from Project A to initiate Dataflow jobs in Project B. The service account in Project A has the Dataflow Developer role at the organization level. However, it fails with permission denied when trying to submit a job to Project B. What is the most likely issue?

Question 48 (medium, multi-select)

A company wants to implement least privilege access for a team that needs to monitor and manage Cloud Run services. Which two IAM roles should be considered? (Choose two.)

Question 49 (hard, multi-select)

An organization is designing a secure multi-tenant SaaS environment on GKE. They want to isolate tenant workloads using GKE namespaces and IAM. Which two steps should they take? (Choose two.)

Question 50 (easy, multi-select)

A security engineer needs to set up access for a new team that will manage Cloud Storage buckets and objects. Which three IAM roles might be appropriate based on least privilege? (Choose three.)

Question 51 (hard, multiple choice)

A security engineer created the following IAM policy for a service account. The service account reports that it cannot access objects in bucket 'my-bucket'. What is the most likely cause?

Exhibit

Refer to the exhibit.
```json
{
  "bindings": [
    {
      "role": "roles/storage.objectViewer",
      "members": [
        "serviceAccount:sa@project.iam.gserviceaccount.com"
      ],
      "condition": {
        "title": "restrict_to_bucket",
        "expression": "resource.name.startsWith('projects/my-project/buckets/my-bucket/objects/')"
      }
    }
  ]
}
```
Question 52 (medium, multiple choice)

A Dataflow job launched by service account 'my-sa@...' fails with permission denied. The audit log shows the entry in the exhibit. What missing role is causing the failure?

Exhibit

Refer to the exhibit. Audit log entry:

```json
{
  "serviceName": "dataflow.googleapis.com",
  "methodName": "google.cloud.dataflow.v1beta3.Jobs.Create",
  "authenticationInfo": {
    "principalEmail": "my-sa@my-project.iam.gserviceaccount.com"
  },
  "authorizationInfo": [
    {
      "resource": "projects/my-project/serviceAccounts/my-project-compute@developer.gserviceaccount.com",
      "permission": "iam.serviceAccounts.actAs",
      "granted": false
    }
  ]
}
```
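The entry above shows the pattern behind most "permission denied" exam questions: `authorizationInfo` names the exact permission that was refused and the resource it was checked on, and the scope of the fix follows from that resource path. The following added example (study code written for this page, not Courseiva's or Google's) reads a constructed copy of the Q52 entry and emits the narrowest binding that would clear the denial. The permission-to-role map is an assumption limited to entries the author is sure of; `iam.serviceAccounts.actAs` is carried by `roles/iam.serviceAccountUser`, and because the check failed on a specific service account, the binding belongs on that service account rather than on the project.

```python
"""Turn the Q52 audit-log denial into the narrowest fix.

Added study example, not Courseiva's or Google's code. ROLE_FOR_PERMISSION
holds only mappings the author is sure of; anything else falls through to a
comment instead of guessing a role.
"""
import json
import re

# Constructed copy of the Q52 exhibit, limited to the fields read below.
AUDIT_ENTRY = json.loads("""{
  "serviceName": "dataflow.googleapis.com",
  "methodName": "google.cloud.dataflow.v1beta3.Jobs.Create",
  "authenticationInfo": {"principalEmail": "my-sa@my-project.iam.gserviceaccount.com"},
  "authorizationInfo": [
    {"resource": "projects/my-project/serviceAccounts/my-project-compute@developer.gserviceaccount.com",
     "permission": "iam.serviceAccounts.actAs",
     "granted": false}
  ]
}""")

# Predefined role that carries each permission (assumed small map, see lead-in).
ROLE_FOR_PERMISSION = {
    "iam.serviceAccounts.actAs": "roles/iam.serviceAccountUser",
    "compute.instances.list": "roles/compute.viewer",
    "storage.objects.get": "roles/storage.objectViewer",
}

SA_RESOURCE = re.compile(r"projects/([^/]+)/serviceAccounts/([^/]+)")


def denied_checks(entry):
    """(permission, resource) pairs that the IAM check refused."""
    return [(a["permission"], a["resource"])
            for a in entry.get("authorizationInfo", []) if not a.get("granted", False)]


def member_for(principal_email):
    # Service accounts end in .gserviceaccount.com; everything else is treated as a user here.
    kind = "serviceAccount" if principal_email.endswith(".gserviceaccount.com") else "user"
    return f"{kind}:{principal_email}"


def remediation(entry):
    """One gcloud command per denied check, scoped to the resource that was checked.

    actAs was refused on a specific service account, so the binding goes on that
    service account's own IAM policy, not on the whole project.
    """
    member = member_for(entry["authenticationInfo"]["principalEmail"])
    fixes = []
    for permission, resource in denied_checks(entry):
        role = ROLE_FOR_PERMISSION.get(permission)
        if role is None:
            fixes.append(f"# no mapped predefined role for {permission}; check the role reference")
            continue
        if m := SA_RESOURCE.fullmatch(resource):
            project, sa_email = m.groups()
            fixes.append(
                f"gcloud iam service-accounts add-iam-policy-binding {sa_email} "
                f"--project={project} --member={member} --role={role}")
        else:
            # Fallback: bind at the project named in the resource path.
            project = resource.split("/")[1] if resource.startswith("projects/") else "PROJECT_ID"
            fixes.append(f"gcloud projects add-iam-policy-binding {project} --member={member} --role={role}")
    return fixes


if __name__ == "__main__":
    for cmd in remediation(AUDIT_ENTRY):
        print(cmd)
```

Run it and it prints a single `gcloud iam service-accounts add-iam-policy-binding` command for the default Compute Engine service account. Granting Service Account User at the project level would also work but would let `my-sa` act as every service account in the project, which is the over-grant the exam is testing for.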
Question 53 (easy, multiple choice)

Refer to the exhibit. A user is unable to create a Compute Engine instance using a custom image from a family. What is the missing permission?

Exhibit

```bash
--image-family=my-image --image-project=my-image-project
```
Question 54 (medium, multiple choice)

A company has two Google Cloud projects: Project A (production) and Project B (development). They want to allow a service account in Project B to list Compute Engine instances in Project A. What is the most secure way to grant this access?

Question 55 (hard, multiple choice)

A security team needs to enforce that only requests originating from a corporate IP range (203.0.113.0/24) can access a Cloud Storage bucket containing sensitive data. They have created a custom IAM role with storage.objects.get permission and attached a condition that requires the request to have a specific IP address. However, some legitimate users outside the IP range are unable to access the data. What is the most likely cause?

Question 56 (easy, multiple choice)

A developer needs to create and manage Compute Engine instances in a project. They require the ability to start, stop, and view instances, but should not be able to delete or modify network configurations. Which predefined role should be assigned?

Question 57 (medium, multiple choice)

Refer to the exhibit. The output shows that Alice has the following IAM policy binding:

```json
{
  "role": "roles/storage.objectAdmin",
  "members": ["user:alice@example.com"],
  "condition": {
    "title": "storage_access_condition",
    "expression": "request.time < timestamp('2024-12-31T23:59:59Z') && source.ip in ['203.0.113.0/24']"
  }
}
```

Alice is currently working from an IP address 198.51.100.10, and the date is 2025-01-01. What is the result when Alice tries to upload an object to a bucket in this project?

Exhibit

```bash
gcloud projects get-iam-policy my-project --format=json
```
Question 58 (hard, multi-select)

A company wants to use service account keys for an on-premises application that needs to authenticate to Google Cloud APIs. Which two practices should they follow to minimize security risks? (Choose TWO.)

Question 59 (easy, multiple choice)

A company has an on-premises Active Directory and wants to allow on-premises users to access Google Cloud resources using their existing credentials without synchronizing passwords to Google Cloud. Which identity federation solution should they use?

Question 60 (medium, multiple choice)

Refer to the exhibit. A Terraform configuration applies an IAM binding with a condition. After applying this configuration, a member of the group data-scientists@example.com tries to query a BigQuery dataset on July 1, 2025. What will be the result?

Exhibit

```hcl
resource "google_project_iam_binding" "project" {
  project = "my-project"
  role    = "roles/bigquery.dataViewer"
  members = [
    "group:data-scientists@example.com",
  ]
  condition {
    title       = "limited_time"
    expression  = "request.time < timestamp('2025-06-30T00:00:00Z')"
  }
}
```
Question 61 (hard, multiple choice)

A company has deployed a Cloud Run service that needs to access a Cloud SQL database. They have configured a service account for the Cloud Run service and granted it the Cloud SQL Client role. However, the application is receiving 'Permission denied' errors when trying to connect to the database. The database has a private IP and is in a VPC. What is the most likely cause?

Question 62 (medium, multi-select)

An organization wants to enforce that all IAM policy changes in their Google Cloud organization are logged and require approval. Which three Google Cloud capabilities can help achieve this? (Choose THREE.)

Question 63 (easy, multiple choice)

A company wants to provide secure access to an internal web application hosted on Compute Engine without exposing it to the public internet. Which Google Cloud service should they use?

Question 64 (hard, multiple choice)

Refer to the exhibit. An organization has the IAM policy shown in the exhibit on a project. The user user@example.com is trying to view a list of objects in a bucket from IP address 10.1.1.1. What will be the result?

Exhibit

```json
{
  "bindings": [
    {
      "role": "roles/storage.admin",
      "members": ["user:admin@example.com"]
    },
    {
      "role": "roles/storage.objectViewer",
      "members": ["user:user@example.com"],
      "condition": {
        "title": "ip_restriction",
        "expression": "source.ip in ['10.0.0.0/8']"
      }
    }
  ]
}
```
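Questions 51, 57, 60 and 64 all turn on how a conditional allow binding evaluates for one request: the binding contributes its role only when every clause of the CEL expression is true for the caller, the time and the resource. The following added example (study code written for this page, not Courseiva's or Google's) is a deliberately small evaluator that understands just the three clause forms those exhibits use, joined by `&&`, and runs the four scenarios as constructed inputs. It also demonstrates the Q51 trap: Cloud Storage object resource names use the literal `_` project segment (`projects/_/buckets/BUCKET/objects/OBJECT`), so a `startsWith` prefix containing the real project ID never matches. Real IAM evaluates full CEL and layers deny policies on top; neither is modelled here.

```python
"""Evaluate the conditional IAM bindings from the Q51, Q57, Q60 and Q64 exhibits.

Added study example, not code from Courseiva or Google. It understands only
the three CEL forms those exhibits use, joined by '&&':
  request.time < timestamp('...'), source.ip in ['cidr', ...],
  resource.name.startsWith('...').
Full CEL and IAM deny policies are out of scope.
"""
import ipaddress
import re
from datetime import datetime, timezone

TIME_RE = re.compile(r"request\.time\s*<\s*timestamp\('([^']+)'\)")
IP_RE = re.compile(r"source\.ip\s+in\s+\[([^\]]*)\]")
NAME_RE = re.compile(r"resource\.name\.startsWith\('([^']+)'\)")


def _parse_timestamp(text):
    # CEL writes timestamp('2024-12-31T23:59:59Z'); fromisoformat wants +00:00.
    return datetime.fromisoformat(text.replace("Z", "+00:00"))


def evaluate_condition(expression, request):
    """True when every '&&'-joined clause holds for the request.

    request keys: 'time' (aware datetime), 'ip' (str), 'resource' (str).
    An unrecognised clause raises instead of silently granting access.
    """
    for clause in expression.split("&&"):
        clause = clause.strip()
        if m := TIME_RE.fullmatch(clause):
            if not request["time"] < _parse_timestamp(m.group(1)):
                return False
        elif m := IP_RE.fullmatch(clause):
            cidrs = [c.strip().strip("'\"") for c in m.group(1).split(",") if c.strip()]
            ip = ipaddress.ip_address(request["ip"])
            if not any(ip in ipaddress.ip_network(c, strict=False) for c in cidrs):
                return False
        elif m := NAME_RE.fullmatch(clause):
            if not request["resource"].startswith(m.group(1)):
                return False
        else:
            raise ValueError(f"unsupported clause: {clause!r}")
    return True


def granted_roles(policy, identities, request):
    """Roles the allow policy yields for a caller whose members are `identities`,
    e.g. {'user:alice@example.com', 'group:team@example.com'} (group expansion is the caller's job)."""
    roles = set()
    for binding in policy["bindings"]:
        if not identities & set(binding["members"]):
            continue
        cond = binding.get("condition")
        if cond is None or evaluate_condition(cond["expression"], request):
            roles.add(binding["role"])
    return roles


# --- Scenarios built from the exhibits above (constructed inputs) ---
Q57_POLICY = {"bindings": [{
    "role": "roles/storage.objectAdmin",
    "members": ["user:alice@example.com"],
    "condition": {"title": "storage_access_condition",
                  "expression": "request.time < timestamp('2024-12-31T23:59:59Z') && source.ip in ['203.0.113.0/24']"}}]}
Q57_REQUEST = {"time": datetime(2025, 1, 1, tzinfo=timezone.utc), "ip": "198.51.100.10",
               "resource": "projects/_/buckets/some-bucket/objects/upload.bin"}

Q60_POLICY = {"bindings": [{
    "role": "roles/bigquery.dataViewer",
    "members": ["group:data-scientists@example.com"],
    "condition": {"title": "limited_time",
                  "expression": "request.time < timestamp('2025-06-30T00:00:00Z')"}}]}
Q60_REQUEST = {"time": datetime(2025, 7, 1, tzinfo=timezone.utc), "ip": "203.0.113.5",
               "resource": "projects/my-project/datasets/sales"}

Q64_POLICY = {"bindings": [
    {"role": "roles/storage.admin", "members": ["user:admin@example.com"]},
    {"role": "roles/storage.objectViewer", "members": ["user:user@example.com"],
     "condition": {"title": "ip_restriction", "expression": "source.ip in ['10.0.0.0/8']"}}]}
Q64_REQUEST = {"time": datetime(2025, 1, 1, tzinfo=timezone.utc), "ip": "10.1.1.1",
               "resource": "projects/_/buckets/some-bucket/objects/report.csv"}

# Q51: object resource names carry the literal "_" project segment, so the
# exhibit's prefix never matches; the corrected prefix does.
Q51_EXPRESSION = "resource.name.startsWith('projects/my-project/buckets/my-bucket/objects/')"
Q51_FIXED_EXPRESSION = "resource.name.startsWith('projects/_/buckets/my-bucket/objects/')"
Q51_REQUEST = {"time": datetime(2025, 1, 1, tzinfo=timezone.utc), "ip": "203.0.113.5",
               "resource": "projects/_/buckets/my-bucket/objects/data.csv"}


if __name__ == "__main__":
    print("Q57 alice:", granted_roles(Q57_POLICY, {"user:alice@example.com"}, Q57_REQUEST))
    print("Q60 group member:", granted_roles(Q60_POLICY, {"user:bob@example.com", "group:data-scientists@example.com"}, Q60_REQUEST))
    print("Q64 user:", granted_roles(Q64_POLICY, {"user:user@example.com"}, Q64_REQUEST))
    print("Q51 as written:", evaluate_condition(Q51_EXPRESSION, Q51_REQUEST))
    print("Q51 corrected:", evaluate_condition(Q51_FIXED_EXPRESSION, Q51_REQUEST))
```

Alice (Q57) and the data-scientists member (Q60) end up with no role at all, because a conditional binding that evaluates false contributes nothing rather than falling back to an unconditional grant; user@example.com (Q64) keeps Object Viewer because 10.1.1.1 is inside 10.0.0.0/8. The evaluator raises on any clause form it does not know, which is the safe default when writing tooling around access decisions.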
Question 65 (medium, multiple choice)

A company assigns roles to Google Groups to simplify management. They have a group called data-engineers@example.com that needs access to BigQuery datasets. Instead of adding each user individually, they want to grant the group roles/bigquery.dataViewer at the project level. After granting the role, a new member added to the group reports they cannot query a dataset. What is the most likely reason?

Question 66 (easy, multi-select)

Which two authentication methods are available for applications to authenticate to Google Cloud APIs without using a service account key? (Choose TWO.)

Question 67 (hard, multiple choice)

A security team wants to audit all actions performed by users on a critical Cloud Storage bucket. They have enabled Data Access audit logs. However, they notice that read requests are not being logged. What should they do to ensure all read requests are logged?

Question 68 (easy, multiple choice)

An organization uses Cloud Identity to manage users and groups. They want to synchronize their existing on-premises Active Directory with Cloud Identity. Which tool should they use?

Question 69 (easy, multiple choice)

A company wants to grant a support team member the ability to view the IAM policy of a project (who has which roles) without being able to modify it. What is the least privileged predefined role that provides this access?

Question 70 (medium, multiple choice)

A DevOps engineer accidentally assigned the role roles/editor to a service account used by a backend service. This gives the service account excessive permissions. The engineer wants to remove the role from the service account. What is the correct command?

Question 71 (medium, multiple choice)

An administrator wants to enforce that a user can only create virtual machines in a specific subnet of a VPC network. What IAM condition should be added to the compute.instanceAdmin role binding?

Question 72 (easy, multiple choice)

A company uses Organization Policies to restrict public IP addresses on Compute Engine instances. An engineer created a new project and cannot launch any instances because the organization policy denies external IPs. However, the engineer needs to launch a bastion host with an external IP. What should they do?

Question 73 (easy, multiple choice)

A company wants to grant a user the ability to delete a Cloud SQL instance but not be able to modify any other settings. What is the least privileged role?

Question 74 (medium, multiple choice)

A company uses Binary Authorization for their GKE clusters. They want to ensure that only images signed by their internal CI/CD system can be deployed. Which IAM role is required for the CI/CD service account to attach attestations?

Question 75 (hard, multiple choice)

An organization has three projects: dev, staging, prod. They use Cloud Build to deploy code. The Cloud Build service account in the dev project needs to deploy to GKE in the prod project. To allow cross-project deployment, what should the Cloud Build service account be granted in the prod project?

Question 76 (easy, multiple choice)

A company has a policy that only specific service accounts can be used on Compute Engine instances. How can this be enforced?

Question 77 (easy, multiple choice)

A user has been granted the role roles/editor on a folder. What is the effective access in the projects within that folder? (Assume no deny policies)

Question 78 (medium, multi select)

A company wants to allow a third-party auditor to view their organization's IAM policies and logs but not make any changes. Which two predefined roles should be granted? (Choose two.)

Question 79 (hard, multi select)

An organization wants to enforce that all Compute Engine instances must use a specific service account. Which three steps are necessary? (Choose three.)

Question 80 (medium, multi select)

A user should be able to download and delete objects in a specific Cloud Storage bucket. Which two permissions are required in a custom role? (Choose two.)

Question 81 (hard, multiple choice)

A user with this role tries to create a VM instance with a specific machine type and boot disk image. The creation fails due to missing permissions. Which permission is most likely missing?

Exhibit

Consider the following custom role definition:
roles:
- name: myCustomRole
  title: My Custom Role
  includedPermissions:
  - compute.instances.create
  - compute.instances.delete
  - compute.instances.get
  - compute.disks.create
  - compute.disks.get
  - compute.subnetworks.use
  - compute.images.useReadOnly

Question 82 (hard, multiple choice)

Alice tries to connect to Cloud SQL instance 'prod-instance' using the Cloud SQL Auth proxy. Will she succeed? Why?

Exhibit

The following IAM policy was applied on a project:
bindings:
- members:
  - user:alice@example.com
  role: roles/cloudsql.admin
  condition:
    expression: "resource.name.startsWith('projects/PROJECT_ID/instances/dev-')"
    title: "dev_only"
- members:
  - user:alice@example.com
  role: roles/cloudsql.client
  condition: {}

Question 83 (hard, multiple choice)

User user1@domain.com tries to SSH into a Compute Engine instance that has the service account sa1@project.iam.gserviceaccount.com attached. Will the SSH connection succeed? (Assume no other policies)

Exhibit

The following gcloud command output shows the IAM policy for a project:
- role: roles/compute.instanceAdmin
  members:
  - serviceAccount:sa1@project.iam.gserviceaccount.com
- role: roles/compute.viewer
  members:
  - user:user1@domain.com
- role: roles/iam.serviceAccountUser
  members:
  - user:user1@domain.com

Question 84 (easy, multiple choice)

A company wants to grant a third-party auditor read-only access to specific BigQuery datasets in a project. The auditor's identity is managed in their own Google Cloud organization. What is the most secure way to grant access?

Question 85 (medium, multiple choice)

An organization has multiple Google Cloud projects and wants to enforce a policy that all new projects automatically have a specific set of IAM roles bound to an internal audit group at the project level. Which approach should be taken?

Question 86 (hard, multiple choice)

A security engineer is troubleshooting access to a Cloud Storage bucket. The bucket has uniform bucket-level access enabled. The engineer's user account has the roles/storage.objectViewer role at the project level, but they get a 403 error when trying to download an object. What is the most likely cause?

Question 87 (medium, multiple choice)

A company wants to allow a Compute Engine VM to access a Cloud SQL instance without exposing the SQL instance to the internet. The VM is in the same VPC but in a different subnet. Which configuration is required?

Question 88 (hard, multiple choice)

An organization uses Cloud Identity-Aware Proxy (IAP) to secure access to an internal web application running on Compute Engine. Users are authenticated with Google accounts. Recently, some users report being denied access even though they are in the correct IAP-secured Web App User group. What is the most likely cause?

Question 89 (easy, multiple choice)

A developer needs to deploy a Cloud Run service that will read from a Cloud Pub/Sub topic. What is the least privileged IAM role to grant to the Cloud Run service's service account?

Question 90 (medium, multiple choice)

A security team wants to ensure that all service account key creation events in their organization are logged and alerted on. Which logging feature should they use?

Question 91 (easy, multi select)

Which TWO of the following are valid ways to grant cross-project access to a Cloud Storage bucket in Project A from a Compute Engine VM in Project B?

Question 92 (medium, multi select)

Which THREE of the following are best practices for managing service accounts in Google Cloud?

Question 93 (hard, multi select)

Which TWO of the following are true regarding Cloud Identity and Access Management (IAM) conditions?

Question 94 (easy, multiple choice)

A small business runs a single Google Cloud project with a few Compute Engine instances. The administrator created a custom IAM role with the permission compute.instances.stop to allow a junior admin to stop instances. However, the junior admin reports that when they try to stop an instance, they get a 403 error. The junior admin has the custom role bound at the project level. What is the most likely cause?

Question 95 (medium, multiple choice)

A large enterprise has multiple Google Cloud organizations due to an acquisition. They want to allow a team in Org A to access a Cloud Spanner database in Org B. The team in Org A uses a service account for their application. They have set up Workload Identity Federation between the two organizations. The service account in Org B has the roles/spanner.databaseUser role on the database. The service account in Org A has been granted the roles/iam.workloadIdentityUser role on the service account in Org B. However, access attempts are failing with a permission denied error. What is the most likely missing configuration?

Question 96 (hard, multiple choice)

A company has a Google Cloud organization with several hundred projects. They are using VPC Service Controls to protect sensitive data in BigQuery. They have a service perimeter that includes the projects containing the sensitive datasets. Users in a separate perimeter (perimeter B) need to query a BigQuery dataset in the sensitive perimeter using federated queries from Cloud SQL. The users are authenticated via Cloud Identity and have appropriate IAM roles, but queries are failing. The Cloud SQL instance is in perimeter B. What is the most likely cause?

Question 97 (hard, multiple choice)

A financial services company is migrating to Google Cloud and needs to enforce strict access controls. They want to ensure that all access to Cloud Storage buckets containing sensitive data is logged and that only authorized IP ranges can write to those buckets. They have set up IAM conditions to allow access only from the corporate IP range. However, they notice that some write operations are not being logged in the Cloud Audit Logs for the bucket. The write operations are coming from a service account that is part of a batch job running on Compute Engine instances within the corporate network. What is the most likely reason for the missing logs?

Question 98 (easy, multiple choice)

A startup is using Cloud Functions to process files uploaded to a Cloud Storage bucket. The Cloud Function is triggered by finalize events on the bucket. The developers created a service account for the Cloud Function and granted it the roles/storage.objectViewer role on the bucket. However, the function fails with a permission denied when trying to read the file. The function has the following XML in the event context: 'event_id'. What is the most likely issue?

Question 99 (easy, multi select)

A security engineer is configuring service account impersonation for cross-project access. Which two statements about service account impersonation are true? (Choose two.)

Question 100 (medium, multiple choice)

A healthcare company's data science team needs to query BigQuery tables containing sensitive patient data. The company policy requires that all queries be logged and audited. The team has been granted the bigquery.user role on the project. However, when attempting to query a specific table in a dataset, they receive the error: "Access Denied: Table X: User does not have permission to query table X." The dataset has a custom IAM role assigned to the team's Google Group. The custom role includes the permissions: bigquery.datasets.get, bigquery.tables.get, bigquery.tables.list, and bigquery.jobs.create. The engineer verifies that the bigquery.user role does include bigquery.jobs.create. The engineer also confirms that the table exists and the dataset is in the same region as the project. What is the most likely cause of the access denied error?

Question 101 (hard, multiple choice)

A multinational corporation is implementing a least-privilege access model for their CI/CD pipeline using Cloud Build, Artifact Registry, and GKE. The pipeline builds container images, pushes them to Artifact Registry, and deploys them to GKE clusters. The security team wants to ensure that the Cloud Build service account used by the pipeline has only the minimum necessary permissions. The service account currently has: roles/cloudbuild.builds.editor, roles/artifactregistry.writer, and roles/container.developer. After a successful build and push, the deployment step completes without errors, but the newly deployed pods on GKE immediately fail with ImagePullBackOff errors. The error message indicates: "Failed to pull image 'us-central1-docker.pkg.dev/my-project/my-repo/my-image:latest': rpc error: code = PermissionDenied desc = unauthenticated: Request had insufficient authentication scopes." The GKE cluster is a private cluster with Workload Identity enabled. The node pool uses a default Compute Engine service account with only the storage scope. What is the most likely missing permission or configuration that prevents the pods from pulling images?

Question 102 (easy, multiple choice)

A startup company has a single Google Cloud project with multiple developers. To simplify identity management, they created a service account for each developer and granted them the roles/editor role on the project. However, the security team is concerned about the over-privileged access. They want to implement a more secure approach while maintaining operational efficiency. The developers need to: create Compute Engine instances, manage Cloud Storage buckets, and deploy App Engine apps. The company has a small team and does not require fine-grained access control per developer. What is the recommended approach to reduce privileges while meeting the developers' needs?

Question 103 (easy, multi select)

A company needs to grant a service account the ability to manage Compute Engine instances (start, stop, create) in a specific set of projects. The administrator wants to follow the principle of least privilege. Which TWO steps should the administrator take? (Choose TWO.)

Question 104 (medium, multiple choice)

Refer to the exhibit. A security engineer reviews the IAM policy for a service account. What is the effect of the condition?

Exhibit

{
  "bindings": [
    {
      "role": "roles/iam.serviceAccountUser",
      "members": ["user:alice@example.com"],
      "condition": {
        "expression": "request.time < timestamp('2025-12-31T23:59:59Z')",
        "title": "expire_access"
      }
    }
  ]
}

Question 105 (hard, multiple choice)

A company uses a shared VPC with multiple service projects. A security administrator created an organization policy with the constraint 'gcp.resourceLocations' to restrict Cloud SQL instance creation to only the 'us-central1' region. The policy is applied at the organization level. A Cloud SQL administrator is using a service account with the predefined role 'roles/cloudsql.admin' (also granted at the organization level) to create instances. Despite the organization policy, the service account successfully creates a Cloud SQL instance in the 'europe-west1' region. The administrator verifies that the organization policy is active and the constraint is enforced. What is the most likely reason the policy is not preventing the creation?
