Courseiva

Free IT certification practice questions with explained answers for CCNA, CompTIA, AWS, Azure, Google Cloud, and more.

© 2026 Courseiva. Courseiva is operated by JTNetSolutions Ltd. All rights reserved.


PCSE Managing operations in a cloud solution environment — All Questions With Answers

Complete PCSE Managing operations in a cloud solution environment question bank — all 0 questions with answers and detailed explanations.

109 questions. Free, no signup.

Question 1 (medium, multiple choice)

A security engineer needs to investigate a potential data exfiltration incident in a Google Cloud environment. The engineer has access to Cloud Logging and wants to identify any unusual outbound network traffic from Compute Engine instances. Which log sink filter should the engineer create to capture VPC flow logs for traffic destined to an external IP address not in the internal network ranges?

Question 2 (hard, multiple choice)

A financial services company runs a sensitive application on Google Kubernetes Engine (GKE) with Workload Identity enabled. Security policy requires that only pods with a specific service account can access a Cloud Storage bucket containing customer data. The bucket has uniform bucket-level access enabled. What is the correct combination of IAM bindings to achieve this?

Question 3 (easy, multiple choice)

A security engineer is tasked with automating the remediation of non-compliant resources in a Google Cloud organization. The organization uses Organization Policy Service to enforce constraints. The engineer needs to automatically disable a specific service (e.g., Compute Engine API) for a project that violates a policy. Which Google Cloud service should be used to trigger this remediation?

Question 4 (medium, multiple choice)

A company is migrating to Google Cloud and wants to ensure that all service account keys are rotated automatically every 90 days. The security engineer needs to implement a solution that detects keys older than 90 days and notifies the security team. What is the most efficient way to achieve this?

Question 5 (hard, multiple choice)

A security engineer is configuring VPC Service Controls to protect a Google Cloud project containing sensitive data. The project uses Cloud Storage and BigQuery. The engineer wants to ensure that data cannot be exfiltrated to external IP addresses outside the perimeter, but internal users should still be able to access the data from on-premises via a VPN. Which configuration should be applied?

Question 6 (medium, multi select)

A security engineer is investigating a potential data breach in a Google Cloud environment. The engineer suspects that a compromised service account key was used to access Cloud Storage buckets. Which TWO actions should the engineer take immediately to mitigate the risk?

Question 7 (hard, multi select)

A security engineer is designing a solution to monitor and detect anomalous IAM role usage across multiple Google Cloud projects. The engineer wants to create a centralized logging solution that captures all IAM policy changes and access attempts. Which THREE services should the engineer use together to achieve this?

Question 8 (easy, multiple choice)

A security engineer is reviewing a log entry in Cloud Logging that was returned by the filter shown in the exhibit. The engineer wants to understand why this specific log entry was generated. Which action most likely caused this log entry?

Exhibit

Refer to the exhibit.

```
resource.type = "gce_instance"
resource.labels.instance_id = "1234567890123456789"
severity = "ERROR"
log_name = "projects/my-project/logs/compute.googleapis.com%2Factivity_log"
```

Question 9 (medium, multiple choice)

A security engineer is reviewing the IAM policy of a Cloud Storage bucket that contains sensitive data. The exhibit shows the current policy. A developer reports that they can read objects in the bucket using service account sa-2, but they cannot delete objects. What is the most likely reason?

Exhibit

Refer to the exhibit.

```
{
  "bindings": [
    {
      "role": "roles/storage.objectViewer",
      "members": [
        "serviceAccount:sa-1@project.iam.gserviceaccount.com"
      ]
    },
    {
      "role": "roles/storage.objectAdmin",
      "members": [
        "serviceAccount:sa-2@project.iam.gserviceaccount.com"
      ]
    }
  ]
}
```

Question 10 (medium, multiple choice)

A company runs a critical application on Compute Engine instances in a managed instance group (MIG) behind an external TCP/UDP Network Load Balancer. The security team requires that all traffic to the instances be inspected by a third-party next-generation firewall (NGFW) that is not yet deployed. Which architecture should the security engineer implement to meet the requirement with minimal disruption to traffic?

Question 11 (hard, multiple choice)

A security engineer is designing a VPC Service Controls perimeter to protect a project containing sensitive data stored in Cloud Storage and BigQuery. The perimeter currently allows access from an on-premises data center via private connectivity (Cloud Interconnect). The business requires that a third-party SaaS application (outside the perimeter) be able to write data into a specific Cloud Storage bucket. Which action should the engineer take?

Question 12 (easy, multiple choice)

An organization uses Cloud Audit Logs to monitor admin activity. The security team wants to be alerted when a user creates a new IAM role at the organization level. Which type of audit log should they analyze?

Question 13 (medium, multiple choice)

A company is migrating its on-premises Microsoft Active Directory to Google Cloud using Managed Microsoft AD (Microsoft AD). They need to ensure that users can authenticate to Compute Engine Windows instances using their on-premises credentials without additional user setup. What is the most secure and scalable approach?

Question 14 (hard, multiple choice)

A security engineer is troubleshooting a connectivity issue between two VPCs connected via VPC Network Peering. VPC-A (project A) has a Compute Engine instance with internal IP 10.1.0.2. VPC-B (project B) has an instance with internal IP 10.2.0.2. The engineer has verified that the peering connection is active and the firewall rules allow ingress from 10.1.0.0/16. However, the instance in VPC-B cannot ping the instance in VPC-A. What is the most likely cause?

Question 15 (easy, multi select)

A security engineer is configuring Cloud Armor to protect a global external HTTP(S) Load Balancer. Which TWO of the following are valid Cloud Armor security policies? (Choose two.)

Question 16 (medium, multi select)

An organization wants to enforce data loss prevention (DLP) for sensitive data stored in Cloud Storage. Which THREE of the following Google Cloud services can be used together to inspect, classify, and automatically redact sensitive data in Cloud Storage? (Choose three.)

Question 17 (hard, multiple choice)

Refer to the exhibit. A security engineer runs the command to view recent decrypt operations on a Cloud KMS key. The output shows a successful decryption. However, the engineer is concerned about the exposure of the plaintext. Based on the log entry, what is the most accurate statement regarding the visibility of the decrypted plaintext?

Exhibit

Refer to the exhibit.

```
$ gcloud logging read "logName=projects/my-project/logs/cloudaudit.googleapis.com%2Factivity AND protoPayload.methodName=google.cloud.kms.v1.Decrypt" --limit 5

---
insertId: 1a2b3c4d5e
logName: projects/my-project/logs/cloudaudit.googleapis.com%2Factivity
protoPayload:
  @type: type.googleapis.com/google.cloud.audit.AuditLog
  authenticationInfo:
    principalEmail: user@example.com
  methodName: google.cloud.kms.v1.Decrypt
  resourceName: projects/my-project/locations/global/keyRings/my-keyring/cryptoKeys/my-key/cryptoKeyVersions/1
  response:
    plaintext: "REDACTED"
  serviceName: cloudkms.googleapis.com
  status: {}
resource:
  labels:
    key_id: my-key
    location: global
    key_ring: my-keyring
  type: cloudkms_crypto_key
severity: NOTICE
```

Question 18 (easy, multiple choice)

A security engineer is troubleshooting an issue where a Compute Engine VM cannot connect to a Cloud SQL instance that has a private IP address. Both resources are in the same VPC network. The VM's firewall rules allow egress to any destination, and the Cloud SQL instance's authorized networks include the VPC network. What is the most likely cause of the connection failure?

Question 19 (medium, multiple choice)

A company is using Cloud Armor to protect their HTTP(S) load balancer. They have configured a security policy with a rule to block traffic from a specific IP address (10.0.0.1/32). During testing, they observe that requests from that IP are still reaching the backend. What is the most likely reason?

Question 20 (hard, multiple choice)

A financial services company runs a PCI DSS-compliant workload on Google Cloud. They use a service account with roles/container.clusterAdmin to manage a GKE cluster. The security team has enabled Binary Authorization with a policy that requires all container images to be signed by a trusted authority. Recently, a developer reported that a new deployment failed with the error: 'Image verification failed: no signature found for digest sha256:abc...'. The image is stored in Artifact Registry and the developer built it using Cloud Build with a trigger that automatically signs images using Cloud KMS. The Cloud Build service account has roles/cloudkms.signerVerifier and roles/binaryauthorization.attestorsViewer. The Binary Authorization policy is configured to require at least one attestation from the trusted attestor. What is the most likely reason for the failure?

Question 21 (hard, multiple choice)

A large enterprise is migrating its on-premises Active Directory to Google Cloud using Managed Microsoft AD (Microsoft AD). They have established a VPN connection between their on-premises network and VPC. The domain controllers are fully synced, and users can authenticate from on-premises. However, applications running on Compute Engine VMs in the same VPC as Managed Microsoft AD are failing to authenticate using LDAP. The VMs are Linux-based and configured to use the Managed Microsoft AD domain for authentication via SSSD. The security team has verified that the firewall rules allow TCP/UDP 389 and 636 from the VMs to the Managed Microsoft AD IP addresses. The VMs can resolve the domain name (corp.example.com) to the correct IP of the Managed Microsoft AD domain controllers. What is the most likely cause of the authentication failure?

Question 22 (medium, multi select)

A security engineer is investigating an incident where an attacker gained access to a Compute Engine instance's serial console logs, which contained sensitive data. Which TWO actions should the engineer take to prevent this type of exposure in the future? (Choose TWO.)

Question 23 (easy, multiple choice)

Your organization has a multi-project environment with centralized logging in a dedicated project (logging-project). All VPC Service Controls perimeters are configured correctly. The security team needs to ensure that all audit logs from all projects are retained for 5 years and cannot be deleted or modified by any project administrator. They also want to restrict access to the logs to only the security team members (who have the 'Security Reviewer' role at the organization level). Currently, each project has its own log sink that exports to a BigQuery dataset in logging-project. The security team notices that some project administrators have inadvertently deleted logs from their project's BigQuery dataset. You need to recommend a solution that prevents log deletion and enforces the retention policy. What should you do?

Question 24 (medium, drag order)

Drag and drop the steps to set up a Cloud VPN with a static route in the correct order.

Question 25 (medium, drag order)

Drag and drop the steps to set up a binary authorization policy for a GKE cluster in the correct order.

Question 26 (medium, matching)

Match each VPC firewall rule component to its definition.

Ingress or egress traffic direction

CIDR blocks for incoming traffic

VM instance tags that rule applies to

Rule evaluation order (lower number = higher priority)

Allow or deny traffic

Question 27 (medium, matching)

Match each security command center tier to its capabilities.

Free, includes basic vulnerability scanning and findings

Paid, includes threat detection, event threat detection, and container threat detection

Paid, includes all Premium features plus security posture, asset inventory, and compliance

Built-in vulnerability scanning and misconfiguration detection

Detects threats from Cloud Logging and DNS logs

Question 28 (easy, multiple choice)

A security engineer is troubleshooting a VPC firewall rule that is not allowing traffic from a specific subnet to a Compute Engine instance. The target tag is set correctly. What is the most likely cause?

Question 29 (easy, multiple choice)

A company uses Cloud Armor to protect their HTTP Load Balancer. They want to block requests from a specific IP range during a DDoS attack. What is the most efficient way to implement this?

Question 30 (easy, multiple choice)

An organization's security policy requires that all audit logs be stored in a separate project for centralized monitoring. Which Google Cloud service should be used to aggregate logs from multiple projects?

Question 31 (medium, multiple choice)

A security engineer notices that a service account has been granted the 'roles/editor' role on a project. According to least privilege, what is the best course of action?

Question 32 (medium, multiple choice)

A company uses Cloud Functions and wants to ensure that only authorized services can invoke them. The functions are triggered via HTTP. What is the best way to achieve this?

Question 33 (medium, multiple choice)

During an incident, a security engineer needs to isolate a compromised Compute Engine instance for forensic analysis without losing evidence. What should they do first?

Question 34 (hard, multiple choice)

An organization uses Cloud VPN tunnels to connect multiple VPCs. They need to record all network metadata for compliance audits without affecting throughput. What is the most effective approach?

Question 35 (hard, multiple choice)

During a security incident, a security engineer needs to revoke a compromised service account's access across all resources immediately. However, the service account has many roles across different projects. What is the most effective immediate step?

Question 36 (hard, multiple choice)

A company uses Cloud Identity-Aware Proxy (IAP) to secure access to their web applications. They notice that some users are able to access the application even though they are not in the IAP access policy. What could be the cause?

Question 37 (easy, multi select)

A security engineer is configuring VPC Service Controls to protect a service perimeter. Which TWO conditions must be met for a request to be allowed across the perimeter? (Choose TWO.)

Question 38 (medium, multi select)

A security engineer is designing a logging and monitoring strategy to meet compliance requirements. Which THREE services should be integrated to ensure log data is tamper-proof and available for analysis? (Choose THREE.)

Question 39 (hard, multi select)

A security engineer is responding to a data breach where an attacker exfiltrated data from a Cloud Storage bucket. Which TWO steps should the engineer take to contain the breach and preserve evidence? (Choose TWO.)

Question 40 (easy, multiple choice)

An engineer notices that traffic on port 80 is not reaching instances with the tag 'http-server'. The instances have external IPs and are in the default VPC. What could be the reason?

Exhibit

Refer to the exhibit.

```
{
  "name": "allow-http-s-https-all-instances",
  "network": "projects/my-project/global/networks/default",
  "priority": 1000,
  "sourceRanges": ["0.0.0.0/0"],
  "targetTags": ["http-server", "https-server"],
  "allowed": [
    {"IPProtocol": "tcp", "ports": ["80","443"]}
  ],
  "direction": "INGRESS"
}
```

Question 41 (medium, multiple choice)

A security engineer is reviewing an IAM policy for a Cloud Storage bucket. The engineer wants to ensure that the service account 'sa@project.iam.gserviceaccount.com' can only read objects. What is the current effective permission?

Exhibit

Refer to the exhibit.

```
{
  "bindings": [
    {
      "role": "roles/storage.objectAdmin",
      "members": ["user:admin@example.com"]
    },
    {
      "role": "roles/storage.objectViewer",
      "members": ["user:viewer@example.com", "serviceAccount:sa@project.iam.gserviceaccount.com"]
    }
  ]
}
```

Question 42 (hard, multiple choice)

During an incident, a security engineer finds this audit log entry. What action was taken and by whom?

Exhibit

Refer to the exhibit.

```
{
  "protoPayload": {
    "@type": "type.googleapis.com/google.cloud.audit.AuditLog",
    "serviceName": "compute.googleapis.com",
    "methodName": "v1.compute.instances.delete",
    "resourceName": "projects/my-project/zones/us-central1-a/instances/instance-1",
    "authenticationInfo": {
      "principalEmail": "admin@example.com"
    },
    "authorizationInfo": [
      {
        "resource": "projects/my-project/zones/us-central1-a/instances/instance-1",
        "permission": "compute.instances.delete",
        "granted": true,
        "resourceAttributes": {}
      }
    ],
    "request": {
      "instance": "instance-1"
    }
  }
}
```

Question 43 (easy, multiple choice)

A company has a VPC with several subnets. They want to restrict traffic between instances in the same subnet using firewall rules while allowing traffic from a specific load balancer health check range. What is the best approach?

Question 44 (hard, multiple choice)

A security administrator needs to audit all changes to IAM policies across the organization. They want to detect when a policy binding is added that grants a sensitive role to a user outside the organization. What is the most efficient method?

Question 45 (easy, multiple choice)

A developer accidentally deleted a Cloud SQL instance. The organization has automated backups enabled. How can the DBA restore the instance?

Question 46 (medium, multi select)

A company uses Cloud Armor to protect their HTTP(S) load balancer. They want to block requests from a specific geographic region. Which TWO actions should they take? (Choose 2)

Question 47 (hard, multi select)

An organization wants to ensure that all service accounts used by Compute Engine instances have the minimal permissions required. Which TWO practices should be implemented? (Choose 2)

Question 48 (medium, multi select)

Your organization uses Cloud Key Management Service (KMS) to encrypt data at rest. You need to rotate keys automatically every 90 days. Which THREE steps are required? (Choose 3)

Question 49 (medium, multiple choice)

Refer to the exhibit. A VM in the default network with internal IP 10.128.0.5 is unable to reach a VM at 10.0.0.4 over TCP port 22. What is the most likely cause?

Exhibit

```
$ gcloud compute firewall-rules list --format="table(name, network, priority, allow, sourceRanges)"
NAME                    NETWORK  PRIORITY  ALLOW                         SOURCE_RANGES
allow-http              default  1000      tcp:80                        0.0.0.0/0
allow-https             default  1000      tcp:443                       0.0.0.0/0
deny-all                default  2000      tcp:0-65535                   10.0.0.0/8
default-allow-internal  default  65534     tcp:0-65535,udp:0-65535,icmp  10.128.0.0/9
```

Question 50 (hard, multiple choice)

Refer to the exhibit. This IAM policy is applied to a Google Cloud Storage bucket. Alice reports she cannot delete objects in the bucket. Bob can delete objects. What is the most likely reason?

Exhibit

```
{
  "bindings": [
    {
      "role": "roles/storage.objectViewer",
      "members": [
        "user:alice@example.com",
        "user:bob@example.com"
      ]
    },
    {
      "role": "roles/storage.objectAdmin",
      "members": [
        "serviceAccount:my-sa@project.iam.gserviceaccount.com"
      ]
    }
  ],
  "etag": "BwXq..."
}
```

Question 51 (easy, multiple choice)

Refer to the exhibit. A user tries to create a Compute Engine instance using a custom image from another project. What is the most likely cause of the error?

Exhibit

```
ERROR: (gcloud.compute.instances.create) Could not fetch resource:
 - Invalid value for field 'resource.disks[0].initializeParams.sourceImage': 'projects/other-project/global/images/family/my-image'. The referenced image family does not exist in project 'other-project'.
```

Question 52 (easy, multiple choice)

Which service provides a centralized view of all resource configurations and IAM policies across projects?

Question 53 (medium, multiple choice)

A security engineer needs to ensure that all compute instances are patched with the latest security updates. What is the recommended approach?

Question 54 (hard, multiple choice)

An organization uses Cloud NAT to allow private instances to access the internet. They notice that some connections are failing intermittently. What is a common cause?

Question 55 (easy, multiple choice)

A junior developer created a service account with the roles/storage.admin role and downloaded a JSON key. What is the best practice to improve security?

Question 56 (hard, multiple choice)

A company has a multi-project setup with a shared VPC. They want to centrally audit all firewall rule changes. What is the most efficient way?

Question 57 (medium, multiple choice)

A security analyst wants to detect when a user creates a Compute Engine instance with a public IP address in a sensitive project. What is the best method?

Question 58 (medium, multiple choice)

A company is using Cloud Monitoring to track latency of a microservice. They notice a sudden spike in the 99th percentile latency but no change in request count. What is the most likely cause?

Question 59 (easy, multiple choice)

A security engineer wants to ensure that all API calls to Google Cloud services are logged for audit purposes. Which service should they enable?

Question 60 (hard, multiple choice)

Your organization uses Cloud Armor to protect against web attacks. After a change to the security policy, legitimate traffic from certain IPs is being blocked. You need to quickly allow that traffic while preserving the security policy. What should you do?

Question 61 (hard, multiple choice)

Your Cloud SQL PostgreSQL instance is experiencing high replication lag between primary and read replica. You have verified the network and instance metrics. What is a likely cause?

Question 62 (easy, multiple choice)

A DevOps team wants to automatically scale a managed instance group based on CPU utilization. Which metric should they use in the autoscaler?

Question 63 (medium, multiple choice)

A security operations team is using Cloud Audit Logs to investigate a suspicious data export from a Cloud Storage bucket. They need to see which user accessed a specific object and when. Which log type should they examine?

Question 64 (hard, multiple choice)

Your organization uses Cloud CDN to distribute static content. Recently, users in a specific geographic region are experiencing high latency. What is the most likely cause?

Question 65 (easy, multiple choice)

A Cloud Function is timing out. What is the maximum timeout for a Cloud Function (1st gen)?

Question 66 (medium, multiple choice)

A company is using Cloud Composer (Airflow) to orchestrate data pipelines. A DAG is failing with a 'Task received SIGTERM' error. What is the most likely cause?

Question 67 (easy, multi select)

Which TWO actions should you take to reduce the attack surface of a Compute Engine VM? (Choose 2.)

Question 68 (hard, multi select)

Which TWO techniques can be used to secure a Cloud Storage bucket containing sensitive data? (Choose 2.)

Question 69 (easy, multi select)

Which THREE components are customer responsibilities under the Google Cloud Shared Responsibility Model for IaaS? (Choose 3.)

Question 70 (easy, multiple choice)

A company is experiencing high latency on their HTTPS Load Balancer. Which action is most likely to resolve the issue?

Question 71 (easy, multiple choice)

A company needs to isolate development and production workloads within the same Google Cloud organization. Each environment must have its own VPC network, but they must share a common set of network security policies. Which design meets these requirements?

Question 72 (easy, multiple choice)

A security team needs to centrally manage secrets for multiple Google Cloud projects. Which solution should they use?

Question 73 (easy, multiple choice)

Users are reporting 502 Bad Gateway errors when accessing an application behind an external HTTPS Load Balancer. What is the most likely cause?

Question 74 (medium, multiple choice)

A global company must store customer data in a specific geographic region to comply with data residency regulations. The database needs strong transactional consistency and low-latency reads worldwide. Which database solution should they choose?

Question 75 (medium, multiple choice)

A company runs a batch processing workload on Compute Engine VMs for 6 months. They want to reduce costs without sacrificing performance. Which option should they implement?

Question 76 (hard, multiple choice)

A Cloud Function that processes financial data is timing out after 60 seconds. The function performs complex calculations and cannot be decomposed further. What is the best solution?

Question 77 (hard, multiple choice)

A company requires a secure, dedicated connection between their on-premises data center and Google Cloud with bandwidth of 10 Gbps and a 99.99% SLA. Which connectivity option should they use?

Question 78 (hard, multiple choice)

A DevOps team wants to centralize logging and monitoring for a GKE cluster that runs hundreds of microservices. They need to view logs, metrics, and traces in a single dashboard. Which approach should they use?

Question 79 (easy, multi select)

Which TWO Google Cloud services are serverless compute platforms that let you run code without managing servers?

Question 80 (hard, multi select)

Which THREE steps are most effective for troubleshooting a VPC firewall rule issue where desired traffic is being blocked?

Question 81 (medium, multi select)

Which TWO are benefits of using Cloud Armor with a global external HTTPS Load Balancer?

Question 82 (medium, multiple choice)

Refer to the exhibit. A developer working from a workstation with IP 203.0.113.5 cannot SSH to a VM in the my-vpc network. Which firewall rule is most likely blocking the connection?

Exhibit

```
NAME                    NETWORK  DIRECTION  PRIORITY  ALLOW   DENY    SOURCE_RANGES
default-allow-http      my-vpc   INGRESS    1000      tcp:80          0.0.0.0/0
default-allow-ssh       my-vpc   INGRESS    1000      tcp:22          0.0.0.0/0
deny-ssh-all            my-vpc   INGRESS    200               tcp:22  0.0.0.0/0
allow-ssh-from-bastion  my-vpc   INGRESS    500       tcp:22          10.0.1.2/32
```

Question 83 (hard, multiple choice)

Refer to the exhibit. A user jane@example.com receives a 403 Access Denied error when trying to list objects in a Cloud Storage bucket. What is the most likely cause?

Exhibit

```json
{
  "bindings": [
    {
      "role": "roles/storage.objectViewer",
      "members": ["user:jane@example.com"],
      "condition": {
        "title": "IP restriction",
        "expression": "request.headers['x-forwarded-for'].startsWith('10.0.0.')"
      }
    }
  ]
}
```

Question 84 (medium, multiple choice)

Refer to the exhibit. A Cloud Run service fails to start and shows the above error. What is the most likely cause?

Exhibit

Error: Container failed to start. Failed to start and then listen on the port defined by the PORT environment variable.

Question 85 (easy, multiple choice)

A company uses Cloud Monitoring to track latency on their Compute Engine instances. They notice a spike in latency every day at 2:00 PM. The operations team wants to automate the creation of a support ticket when this spike occurs. What should they do?

Question 86 (easy, multiple choice)

A security administrator needs to ensure that all service account keys older than 90 days are automatically disabled to reduce the risk of key compromise. Which Google Cloud service should be used to implement this policy?

Question 87 (easy, multiple choice)

A company wants to monitor for suspicious login attempts across all their Google Cloud projects. They want to send a real-time Slack notification when a login fails from an IP address outside their corporate CIDR range. What is the most efficient way to achieve this?

Question 88 (medium, multiple choice)

An organization has hundreds of Google Cloud projects and wants to enforce a uniform firewall rule that blocks outbound traffic to known malicious IP addresses. They want to centrally manage this rule without manually applying it to each VPC. What should they do?

Question 89 (medium, multiple choice)

A security engineer receives an alert from Cloud Security Command Center (Cloud SCC) about a resource that is publicly accessible. The engineer identifies that the resource is a Cloud Storage bucket containing sensitive data. After making the bucket private, what is the next best step to prevent recurrence?

Question 90 (medium, multiple choice)

A company uses Cloud SQL for PostgreSQL and needs to ensure that database backups are retained for 30 days for compliance. They also want to be able to perform point-in-time recovery for the last 24 hours. What configuration should they use?

Question 91 (hard, multiple choice)

A large enterprise has a security command center that uses SIEM to analyze logs. They are migrating to Google Cloud and want to export all Cloud Audit Logs (Admin Activity, Data Access, and System Events) from all projects into a centralized BigQuery dataset for analysis. They also need to ensure logs are available within 5 minutes of being generated. Which sink configuration should they use?

Question 92 (hard, multiple choice)

A company uses a multi-region Cloud Storage bucket for disaster recovery of critical data. They want to prevent accidental deletion of objects by requiring that objects be retained for at least 7 days after creation, and any attempt to delete or overwrite an object during that period must fail. Which configuration meets these requirements?

Question 93 (hard, multiple choice)

During a security incident, the forensic team needs to capture the memory and disk state of a compromised Compute Engine VM without shutting it down. The VM is running a critical application and cannot be stopped. What is the best approach to gather forensic data?

Question 94 (easy, multi select)

Which TWO of the following are valid methods to automate responses to Cloud Security Command Center findings?

Question 95 (medium, multi select)

Which THREE of the following are recommended practices for managing secrets in Google Cloud?

Question 96 (hard, multi select)

Which TWO of the following are true regarding Cloud Audit Logs?

Question 97 (easy, multiple choice)

A small startup recently moved their infrastructure to Google Cloud. They have a single project with a few Compute Engine instances running a web application. The security team wants to ensure that all SSH access to the instances is audited and that any failed SSH attempts are alerted in real time. They have enabled OS Login and are using Cloud Identity-Aware Proxy (IAP) for SSH access. However, they are not sure how to capture the audit logs for SSH sessions. What should they do?

Question 98 (medium, multiple choice)

A multinational corporation operates multiple Google Cloud projects across several folders. They have a security requirement to enforce that all Cloud Storage buckets are created with uniform bucket-level access enabled and that no bucket has public access. They want to automatically remediate any non-compliant bucket that violates these policies. Currently, they use Organization Policies to enforce uniform bucket-level access, but they still find some buckets with public access due to exceptions. They have Cloud Security Command Center (Cloud SCC) enabled and receive findings about public buckets. The operations team wants to build a solution that automatically disables public access on non-compliant buckets. Which approach should they take?

Question 99 (hard, multiple choice)

A large financial institution runs a critical application on Google Kubernetes Engine (GKE) clusters. Their security policy requires that all container images must be scanned for vulnerabilities and must come from a trusted artifact registry. They use Cloud Build to automatically build images from a CI/CD pipeline and push them to Artifact Registry. They want to enforce that only images that have passed vulnerability scanning and are signed can be deployed to the GKE cluster. Currently, they have set up Cloud Build to automatically tag images with a 'latest' tag on successful build, but they need a mechanism to prevent deployment of unsigned or vulnerable images. They also want to audit any attempts to deploy non-compliant images. What should they do?

Question 100 (medium, multiple choice)

A company is using Cloud SQL for MySQL in production. They notice that during peak hours, query latency increases significantly. The database is running on a db-n1-standard-2 instance with 100GB SSD. The CPU utilization spikes to 95% during peaks. The application uses connection pooling. Which action should the company take to improve performance while minimizing cost?

Question 101 (hard, multi select)

A company is implementing a zero-trust network architecture on Google Cloud. They want to ensure that all traffic between their on-premises data center and Google Cloud is encrypted and authenticated. Additionally, they need to support high availability across multiple regions. Which two Google Cloud services should they use? (Choose two.)

Question 102 (easy, multiple choice)

A company uses Cloud Storage buckets to store customer uploads. Recently, a customer reported that a file they uploaded yesterday is missing. The bucket has object versioning enabled. The security team wants to investigate how the file went missing and whether any other files have been affected. The company's compliance requirements mandate that all object deletions must be logged and reviewed. What should the admin do first to investigate the missing file?

Question 103 (easy, multiple choice)

A startup is deploying a containerized application on Google Kubernetes Engine (GKE). The application is stateless and experiences variable traffic patterns, with periodic spikes during promotional events. The startup wants to minimize costs while ensuring the application can handle the variable load without performance degradation. They also prefer to automate scaling as much as possible. Which GKE configuration should they choose?

Question 104 (medium, multiple choice)

A company runs a multi-tier application on Compute Engine behind an external HTTP(S) Load Balancer. The backend consists of a managed instance group for the application tier and a Cloud Storage bucket for static assets. During peak traffic, some users receive HTTP 503 errors. The backend instances are healthy and the load balancer shows no connection errors. The company has already enabled Cloud CDN for the backend bucket. What should they do to resolve the 503 errors?

Question 105 (medium, multiple choice)

A financial firm uses Cloud Deployment Manager to manage their Google Cloud infrastructure. They have a strict change management policy requiring that all infrastructure changes in the production environment must be reviewed and approved by a senior engineer before being applied. Currently, developers can modify the Deployment Manager configurations directly, leading to unapproved changes. The company wants to enforce this policy without impacting development agility. What should they implement?

Question 106 (hard, multiple choice)

A large enterprise runs a streaming data pipeline using Dataflow to process events from Pub/Sub, apply aggregations with fixed windows, and write results to BigQuery. They are experiencing high costs and long processing times. The Dataflow job uses Streaming Engine, but the workers show high CPU utilization. The pipeline has autoscaling enabled, but the number of workers rarely increases. The team wants to reduce processing time and cost. What should they do?

Question 107 (medium, multi select)

A company is using Cloud Run for a containerized application. They notice increased latency during peak hours. The operations team wants to identify the root cause. Which two steps should they take?

Question 108 (hard, multiple choice)

Refer to the exhibit. An operations engineer configured this alert policy to notify when any VM instance in project my-project has high CPU utilization. However, no notifications are received even when CPU is consistently above 90% on multiple instances in us-central1-a. What is the most likely cause?

Exhibit


```yaml
# monitoring alert policy
combiner: OR
conditions:
- conditionThreshold:
    filter: resource.type="gce_instance" AND metric.type="compute.googleapis.com/instance/cpu/utilization"
    aggregations:
    - alignmentPeriod: 60s
      perSeriesAligner: ALIGN_RATE
    duration: 300s
    comparison: COMPARISON_GT
    thresholdValue: 0.8
    trigger:
      count: 1
  displayName: CPU > 80%
- conditionMonitoringQueryLanguage:
    query: |
      fetch gce_instance
      | metric 'compute.googleapis.com/instance/cpu/utilization'
      | filter resource.zone == 'us-central1-a'
      | group_by [resource.instance_id], 60s, [value_utilization_mean: mean(value.utilization)]
      | every 60s
      | condition value_utilization_mean > 0.9
    duration: 0s
    trigger:
      count: 1
  displayName: High average CPU per instance
documentation:
  content: |
    Alert when CPU is high.
  mime_type: text/markdown
```

Question 109 (easy, multiple choice)

Your company runs a production application on Google Kubernetes Engine (GKE) with a Regional cluster. The application uses a custom domain with TLS certificates that are stored as Kubernetes secrets and mounted into the ingress. The certificates expire every 90 days and are currently renewed manually by a DevOps engineer. Last week, the certificate expired, causing an outage until it was renewed. Management requires an automated solution to renew certificates before expiration. The team wants to minimize changes to the existing architecture and avoid additional costs. What should you do?
