Courseiva
© 2026 Courseiva. Courseiva is operated by JTNetSolutions Ltd. All rights reserved.
PCSE Configuring Access Within a Cloud Solution Environment • Complete Question Bank

PCSE Configuring Access Within a Cloud Solution Environment — All Questions With Answers

Complete PCSE Configuring Access Within a Cloud Solution Environment question bank — all 0 questions with answers and detailed explanations.

135 questions
Question 1 (medium, multiple choice)

A security engineer needs to prevent users from creating service account keys in a Google Cloud project. The solution must be enforceable across all projects in the organization and should not block other IAM operations. Which approach should they use?

Question 2 (medium, multiple choice)

An organization uses Active Directory (AD) on-premises and wants to synchronize user accounts and groups to Google Cloud Identity for SSO with SAML 2.0. The AD contains 50,000 users and 10,000 groups. The solution must support automatic provisioning and deprovisioning of users. Which tool should they use?

Question 3 (easy, multiple choice)

A developer wants to grant a Compute Engine instance access to read objects from a Cloud Storage bucket. The instance runs under a service account. What is the best practice for granting this access?

Question 4 (hard, multiple choice)

A company has multiple Google Cloud projects organized under folders by department. The security team wants to enforce a policy that all Compute Engine instances must use Shielded VM features. They need to prevent non-compliant instances from being created. Which action should be taken to enforce this requirement most effectively?

Question 5 (easy, multiple choice)

What is the purpose of Identity-Aware Proxy (IAP) on Google Cloud?

Question 6 (medium, multiple choice)

A DevOps team uses GitHub Actions to deploy infrastructure to Google Cloud. They want to avoid storing long-lived service account keys. Which approach should they use to authenticate from GitHub Actions to Google Cloud?

Question 7 (medium, multiple choice)

An organization has set up IAP to protect a web application running on Compute Engine. The application needs to know the authenticated user's email address for logging. How can the application securely obtain this information?

Question 8 (hard, multiple choice)

A security engineer wants to ensure that only users from a specific external identity provider (IdP) domain (example.com) can access Google Cloud resources. They have configured SAML SSO with the IdP. However, users from other domains are also able to access resources. What is the most effective way to restrict access to only users from example.com?

Question 9 (easy, multiple choice)

A company wants to use Google Cloud resources but does not have a Google Workspace or Cloud Identity account. They want to manage identities for their users without paying for additional licenses. What is the most cost-effective identity solution?

Question 10 (medium, multiple choice)

A developer needs to create a custom IAM role that allows only a specific set of permissions for managing Cloud SQL instances. The role should be available at the organization level. Which command should they use?

Question 11 (hard, multiple choice)

A company has a GKE cluster with a Kubernetes Service Account (KSA) that needs to access Cloud Storage. They want to bind the KSA to a Google Cloud service account (GCP SA) so that pods running under the KSA inherit the GCP SA's permissions. They have enabled Workload Identity on the cluster. What is the correct step to bind the KSA to the GCP SA?

Question 12 (medium, multiple choice)

A security administrator wants to prevent users from disabling Shielded VM on existing Compute Engine instances. Which IAM permission should they deny?

Question 13 (medium, multi select)

A company uses Google Cloud Directory Sync (GCDS) to synchronize users from an on-premises Active Directory to Cloud Identity. The security team wants to ensure that only synchronized users can access Google Cloud resources. Which TWO actions are part of a secure configuration? (Choose two.)

Question 14 (hard, multi select)

A financial services company is migrating to Google Cloud and needs to enforce strict security controls. They want to ensure that: 1) No service account keys are created. 2) All Compute Engine instances must be created with Shielded VM enabled. 3) Only users from the corporate domain (example.com) can be granted IAM roles. Which THREE Organization Policy constraints must be used? (Choose three.)

Question 15 (medium, multi select)

A cloud architect is designing a multi-project environment in Google Cloud. They want to ensure that a specific folder-level IAM policy cannot be overridden by project-level policies. Which TWO statements about IAM policy inheritance and deny policies are correct? (Choose two.)

Question 16 (medium, multiple choice)

A security engineer wants to ensure that all Compute Engine VMs in an organization use Shielded VM features. The organization uses Cloud Identity as the identity provider. What is the most efficient way to enforce this requirement?

Question 17 (easy, multiple choice)

A development team needs to grant a third-party auditor read-only access to a specific project's resources but must not allow the auditor to view any data stored in Cloud Storage buckets. Which IAM approach should be used?

Question 18 (medium, multiple choice)

An organization uses Google Workspace for email and collaboration. They want to allow employees to sign in to a custom web application using their Google Workspace credentials. The application runs on Compute Engine and uses a PostgreSQL database. Which identity solution should they implement?

Question 19 (hard, multiple choice)

A company runs a batch job on Compute Engine that processes sensitive data. The job uses a service account with a JSON key file stored on the VM. A security audit recommends removing long-lived keys. The job must run unattended. What is the best alternative?

Question 20 (medium, multiple choice)

A company wants to allow an external auditor to view all IAM policies in a project but not modify them. The auditor's Google account is from a different domain. Which IAM role should be assigned?

Question 21 (easy, multiple choice)

Which of the following is a key advantage of using Workload Identity Federation over service account keys for authenticating workloads running on AWS?

Question 22 (medium, multiple choice)

A DevOps engineer needs to create a custom IAM role that allows creating and deleting Compute Engine instances but not stopping or starting them. Which permissions should be included?

Question 23 (hard, multiple choice)

An organization has multiple GCP projects under a folder. They want to prevent all users from creating service account keys in any project under that folder. They also want to allow exceptions for a specific project where key creation is needed. Which approach should they take?

Question 24 (easy, multiple choice)

Which of the following is true about IAM deny policies?

Question 25 (medium, multiple choice)

A company uses Cloud Identity to manage users and groups. They want to synchronize users from their on-premises Active Directory to Cloud Identity. Which tool should they use?

Question 26 (hard, multiple choice)

A GKE cluster runs workloads that need to access Cloud Storage. The security team wants to avoid using service account keys and ensure each pod has a unique identity. What is the best practice?

Question 27 (medium, multiple choice)

An organization wants to allow users to access a web application running on Compute Engine via HTTPS. The application requires users to authenticate with their corporate credentials (SAML 2.0 IdP). Which Google Cloud service should be used?

Question 28 (medium, multi select)

A company wants to enforce that only users from a specific domain (example.com) can be granted IAM roles on any resource in their organization. Which two steps are required? (Choose two.)

Question 29 (hard, multi select)

A security engineer needs to ensure that all Compute Engine instances in an organization are created with specific CMEK (Customer-Managed Encryption Key) for disk encryption. The engineer wants to enforce this at the organization level. Which three actions are required? (Choose three.)

Question 30 (easy, multi select)

A developer wants to allow a CI/CD pipeline running on GitHub Actions to deploy resources to a GCP project without using service account keys. Which two components are needed? (Choose two.)

Question 31 (easy, multiple choice)

A security engineer is configuring access for a new team member who needs to manage Cloud Storage buckets, but should not be able to delete or modify existing objects. Which IAM role should be assigned?

Question 32 (medium, multiple choice)

An organization uses Cloud Identity with a third-party IdP via SAML 2.0. A security engineer needs to enforce that all Google Cloud access requires multi-factor authentication (MFA) from the IdP. What is the recommended approach?

Question 33 (hard, multiple choice)

A company has multiple projects under an organization node. A security engineer needs to deny all principals in the organization from creating service account keys, except for a specific project where it must be allowed. Which approach should be used?

Question 34 (medium, multiple choice)

A developer wants to run a containerized application on GKE that needs to read from a Cloud Storage bucket. The developer needs to securely provide credentials. What is the recommended approach?

Question 35 (easy, multiple choice)

An organization needs to grant a contractor access to a specific project for 30 days, with the ability to start and stop Compute Engine instances but not delete them. Which IAM role should be used?

Question 36 (hard, multiple choice)

A company uses SAML 2.0 federation with an external IdP. Users are synced from Active Directory to Cloud Identity using Google Cloud Directory Sync (GCDS). The security engineer needs to ensure that only users from a specific Active Directory group can access Google Cloud resources. What should be configured?

Question 37 (medium, multiple choice)

A security engineer needs to grant a DevOps team the ability to deploy and manage Cloud Run services, but they should not be able to modify IAM policies or delete the service. Which predefined role should be assigned?

Question 38 (medium, multiple choice)

An application running on Compute Engine needs to authenticate to Google Cloud APIs. The security engineer wants to avoid managing keys. What is the recommended method?

Question 39 (hard, multiple choice)

A company needs to allow developers to create and manage custom IAM roles at the project level, but restrict the permissions that can be added to those roles to a predefined list. What should be used?

Question 40 (easy, multiple choice)

A security engineer needs to configure Identity-Aware Proxy (IAP) for a web application running on Compute Engine. The goal is to ensure that only authenticated users from the corporate domain can access the application. What is the first step in the configuration?

Question 41 (medium, multiple choice)

A security engineer is configuring access for a service account used by a batch job that runs on Compute Engine. The job needs to read from a BigQuery dataset and write results to Cloud Storage. What is the recommended way to grant these permissions?

Question 42 (medium, multiple choice)

An organization wants to enforce that all new projects automatically have a specific set of IAM roles assigned to a security group. What is the best way to achieve this?

Question 43 (medium, multi select)

A security engineer is designing access control for a multi-project environment. The engineer needs to ensure that a data science team can read data from a BigQuery dataset in Project A and write results to a Cloud Storage bucket in Project B. The team members are authenticated via an external SAML IdP. Which TWO steps should be taken? (Choose 2 correct answers)

Question 44 (hard, multi select)

A company is using GKE with Workload Identity to allow pods to access Google Cloud services. A security engineer needs to restrict a specific pod to only read from a single Cloud Storage bucket. Which THREE steps should be taken? (Choose 3 correct answers)

Question 45 (medium, multi select)

A security engineer needs to ensure that no one in the organization can disable or delete Cloud Key Management Service (Cloud KMS) keys, except for a designated security team. Which TWO approaches should be combined? (Choose 2 correct answers)

Question 46 (easy, multiple choice)

A security engineer wants to ensure that no IAM keys are created for service accounts in a Google Cloud organization. Which organization policy constraint should be applied?

Question 47 (medium, multiple choice)

An organization uses Azure Active Directory as its identity provider. They want to allow employees to access Google Cloud resources using their Azure credentials without provisioning Google Cloud user accounts. Which solution should they implement?

Question 48 (medium, multiple choice)

A developer needs to deploy an application on Compute Engine that reads from a Cloud Storage bucket. The engineer wants to avoid managing service account keys. What is the recommended approach to grant the necessary permissions?

Question 49 (hard, multiple choice)

A company has a Google Cloud organization with multiple folders representing departments. The security team wants to enforce that all Compute Engine VMs in the organization must have Shielded VM enabled. Which approach should the team use to enforce this requirement?

Question 50 (medium, multiple choice)

A DevOps engineer wants to allow a CI/CD pipeline running in GitHub Actions to deploy resources to a Google Cloud project without using long-lived service account keys. What should the engineer implement?

Question 51 (easy, multiple choice)

Which IAM role should be assigned to a user who needs to manage, but not create or delete, Cloud Storage buckets and objects in a specific project?

Question 52 (medium, multiple choice)

An organization uses Cloud Identity with Google Workspace. They want to grant a group of external auditors read-only access to a specific folder in Google Cloud. The auditors have accounts in the organization's Cloud Identity domain. What is the most efficient way to grant this access?

Question 53 (hard, multiple choice)

A company has a Kubernetes cluster on GKE that runs a microservice. The microservice needs to read from a Cloud Spanner database. The security team requires that the microservice uses the principle of least privilege and that credentials are never stored as Kubernetes secrets. What is the recommended configuration?

Question 54 (medium, multiple choice)

A company wants to allow users to access an internal web application running on Compute Engine behind a load balancer without requiring a VPN. The solution must authenticate users and enforce access based on user identity and context (e.g., device security). Which Google Cloud service should they use?

Question 55 (easy, multiple choice)

A project manager needs to create custom IAM roles for a project. At which levels in the resource hierarchy can custom roles be defined?

Question 56 (medium, multiple choice)

A company has an organization policy that denies the use of certain GCP services unless the project is in a specific folder. The DevOps team wants to create a new project in that folder. However, the project creation fails. What is the most likely cause?

Question 57 (hard, multiple choice)

A security engineer notices that a service account has been assigned the roles/iam.serviceAccountUser role at the project level. What actions can a user with this role perform?

Question 58 (medium, multi select)

A company has multiple Google Cloud projects under an organization. They want to ensure that only service accounts from their own Cloud Identity domain (example.com) can be used in IAM policies. Which TWO steps should they take? (Choose 2)

Question 59 (hard, multi select)

An organization has a requirement that all service account keys must be rotated every 90 days. The security engineer wants to automate the detection of keys older than 90 days. Which TWO methods can achieve this? (Choose 2)

Question 60 (medium, multi select)

A company wants to implement single sign-on (SSO) for its employees to access the Google Cloud Console using their existing corporate credentials from an on-premises Active Directory. Which THREE components are required? (Choose 3)

Question 61 (medium, multiple choice)

An organization has multiple GCP projects managed through folders in the resource hierarchy. They want to enforce a policy that prohibits the creation of service account keys across all projects. Which approach should be used?

Question 62 (hard, multiple choice)

A security engineer needs to grant a team the ability to impersonate a service account (SA) in project B from a Compute Engine instance in project A. The SA in project B has the required permissions to access Cloud Storage. What IAM configuration is required?

Question 63 (medium, multiple choice)

A company uses Active Directory (AD) on-premises and wants to synchronize user accounts to Google Cloud Identity for SSO with SAML 2.0. They require automatic user provisioning and de-provisioning. Which Google Cloud tool should they use?

Question 64 (easy, multiple choice)

A developer is running a batch job on Compute Engine that needs to read data from Cloud Storage. What is the recommended way to authenticate the VM to Cloud Storage without managing keys?

Question 65 (medium, multiple choice)

An organization wants to allow an external identity provider (IdP) that supports OpenID Connect (OIDC) to access GCP resources. They want to avoid creating and managing service account keys. What should they use?

Question 66 (hard, multiple choice)

A Google Kubernetes Engine (GKE) cluster has applications that need to access Cloud Storage. The security team wants to grant fine-grained access per pod. What is the recommended approach?

Question 67 (medium, multiple choice)

An organization uses Cloud Identity to manage users and groups. They want to enforce that only users from their corporate domain (example.com) can be granted IAM roles on GCP resources. Which organization policy constraint should they use?

Question 68 (easy, multiple choice)

What is the purpose of Identity-Aware Proxy (IAP) in Google Cloud?

Question 69 (hard, multiple choice)

An engineer needs to grant a group of external auditors read-only access to all resources in a specific project. The auditors authenticate via an external SAML 2.0 IdP. What is the most secure and efficient way to set this up?

Question 70 (medium, multiple choice)

A company wants to allow an application running on an on-premises server to access Cloud Storage without using long-lived service account keys. The on-premises environment uses Azure Active Directory (Azure AD) as its identity provider. Which GCP feature should they use?

Question 71 (easy, multiple choice)

Which IAM role type is recommended for granting fine-grained permissions to Google Cloud services in production?

Question 72 (medium, multiple choice)

An organization has a folder-level organization policy that enforces 'constraints/compute.requireShieldedVm'. A development team wants to create a test VM that does not use Shielded VM features. What is the correct approach?

Question 73 (medium, multi select)

A company uses Active Directory (AD) on-premises and wants to implement SSO for Google Cloud Console access. They want to maintain user lifecycle management (create/disable accounts) from AD. Which TWO components are required?

Question 74 (hard, multi select)

A security administrator needs to deploy a solution that allows a group of developers to access a web application running on Compute Engine behind an internal HTTP load balancer. The solution must enforce access based on user identity and device security status, and must not expose the application to the public internet. Which THREE components are required?

Question 75 (medium, multi select)

A company wants to enforce that no service account keys are created for service accounts in a specific project. Additionally, they want to allow only users from their corporate domain (example.com) to be granted IAM roles. Which TWO organization policy constraints should they apply at the project level?

Question 76 (easy, multiple choice)

An organization wants to grant a team of data analysts the ability to run BigQuery queries and create datasets, but prevent them from deleting datasets or modifying IAM policies. Which predefined IAM role should be assigned?

Question 77 (medium, multiple choice)

A company has multiple GCP projects managed under a single organization node. They want to enforce that all Compute Engine VMs are created with Shielded VM features enabled. Which approach should they use?

Question 78 (hard, multiple choice)

A security team needs to allow a third-party application running on AWS to access a Cloud Storage bucket without using service account keys. The application already uses AWS IAM roles. Which Google Cloud feature should they use?

Question 79 (medium, multiple choice)

A developer is troubleshooting a Cloud Run service that needs to read from a Cloud Storage bucket. The service runs as the Compute Engine default service account. The service account has been granted the Storage Object Viewer role at the project level, but the service still gets permission denied errors. What is the most likely cause?

Question 80 (easy, multiple choice)

An organization wants to allow users to authenticate to Google Cloud using their existing Active Directory credentials via SAML 2.0. Which Google Cloud identity service should they configure?

Question 81 (medium, multiple choice)

A company has a security policy that service account keys should not be created. They want to prevent anyone from creating keys for any service account in the organization. Which organization policy constraint should they use?

Question 82 (hard, multiple choice)

A GKE cluster has Workload Identity enabled. A Kubernetes service account is bound to a GCP service account named 'sa-gcs'. A pod using the Kubernetes service account fails to list objects in a Cloud Storage bucket. The GCP service account has the Storage Object Viewer role. What is the most likely cause?

Question 83 (easy, multiple choice)

An administrator needs to grant a network team the ability to create and manage firewall rules, but not delete VPC networks. Which IAM role should be assigned?

Question 84 (medium, multiple choice)

A company wants to grant a group of external auditors read-only access to all resources in a GCP project. The auditors authenticate via a SAML 2.0 identity provider. What is the most secure way to grant access?

Question 85 (hard, multiple choice)

An organization has a deny policy that denies the compute.instances.create permission for all principals on a folder. A user is granted the Compute Admin role (which includes compute.instances.create) at the project level within that folder. Can the user create Compute Engine instances in that project?

Question 86 (medium, multiple choice)

A company wants to allow their employees to access an internal web application running on Compute Engine using Identity-Aware Proxy (IAP). They want to ensure that only users from their corporate domain (example.com) can access the app. What is the recommended approach?

Question 87 (easy, multiple choice)

A developer wants to grant a service account the ability to impersonate another service account in a different project. Which IAM permission is required for the developer to assign?

Question 88 (medium, multi select)

A company wants to enforce that all Compute Engine instances are created with a specific set of tags for compliance. They also want to audit any changes to firewall rules. Which two Google Cloud services or features should they use? (Choose TWO.)

Question 89 (hard, multi select)

A security administrator needs to grant a team of developers the ability to deploy applications to a GKE cluster, but only to specific namespaces. The developers should not be able to modify cluster-level resources or IAM policies. Which three steps should the administrator take? (Choose THREE.)

Question 90 (medium, multi select)

A company wants to implement a zero-trust access model for SSH access to Compute Engine instances. They need to ensure that only authorized users can connect and that all connections are logged. Which two services should they use? (Choose TWO.)

Question 91 (medium, multiple choice)

An organization wants to grant a DevOps team the ability to create and manage service accounts in a specific project, but prevent them from deleting existing service accounts or managing IAM policies. Which IAM role should be assigned to the team?

Question 92 (hard, multiple choice)

A security engineer needs to prevent creation of long-lived service account keys across all projects in an organization. The solution should also block any existing keys older than 90 days. Which approach meets these requirements?

Question 93 (easy, multiple choice)

A developer needs to deploy a web application on Compute Engine that must access Cloud Storage buckets. The best practice for providing credentials to the VM is to:

Question 94 (medium, multiple choice)

A company uses Google Workspace and wants to allow users to authenticate to a third-party SaaS application using their Google credentials. The SaaS application supports SAML 2.0. What should the administrator configure?

Question 95 (hard, multiple choice)

An organization has a deny policy at the folder level that denies the permission resourcemanager.projects.create. A user has an allow policy at the project level granting roles/owner. What is the effective permission for the user to create projects in that project?

Question 96 (easy, multiple choice)

Which of the following is a benefit of using organization policies over IAM policies for enforcing restrictions on resources?

Question 97 (medium, multiple choice)

A company wants to provide their employees access to a web application running on Compute Engine without exposing the VM to the public internet. The application uses a custom header to verify the user's identity. Which service should they use?

Question 98 (medium, multiple choice)

An administrator needs to restrict which external identities can be used to access Google Cloud resources. The organization uses SAML federation with an external identity provider. Which organization policy constraint should be used?

Question 99 (hard, multiple choice)

An organization wants to grant a CI/CD pipeline (running on GitHub Actions) access to deploy resources in a GCP project without storing long-lived service account keys. Which approach is recommended?

Question 100 (easy, multiple choice)

In the Google Cloud IAM resource hierarchy, which level supports the most granular policy attachment?

Question 101 (medium, multiple choice)

A security team wants to enforce that all Compute Engine instances in the organization use Shielded VM features (Secure Boot, vTPM, Integrity Monitoring). What should they configure?

Question 102 (medium, multiple choice)

A user in a Google Cloud organization wants to create a custom IAM role at the project level. Which permission is required to create custom roles?

Question 103 (medium, multi select)

A company wants to allow their on-premises Active Directory users to access Google Cloud resources using their existing credentials. They need to synchronize user accounts and groups to Google Cloud Directory and enable federated authentication. Which TWO services should they use?

Question 104 (hard, multi select)

A security engineer needs to ensure that service account keys are not used in production workloads. They want to enforce this across the entire organization. Which TWO controls should they implement?

Question 105 (medium, multi select)

A company wants to deploy a containerized application on GKE that needs to access Cloud SQL. They want to avoid storing database credentials in the application. Which THREE components should they use?

Question 106 (medium, multiple choice)

A security engineer needs to ensure that a specific Compute Engine instance can only be accessed via HTTPS from users authenticated through Cloud Identity. The instance is behind an HTTP(S) load balancer. What should the engineer configure on the load balancer to enforce this access control?

Question 107 (easy, multiple choice)

Your organization wants to assign a set of permissions to a group of users that allows them to create and delete Compute Engine instances, but not to modify other resources like Cloud Storage buckets. Which type of IAM role should you create?

Question 108 (hard, multiple choice)

An organization has a Google Cloud organization node with multiple folders for different departments. A deny policy is set at the organization level to block the use of shielded VM constraints. Later, an allow policy at the folder level grants the compute.instances.create permission. A user in that folder tries to create a new VM without shielded VM enabled. What will happen?

Question 109 (medium, multiple choice)

A company wants to allow an application running in an on-premises data center to access Google Cloud Storage buckets without storing long-lived service account keys. The on-premises application authenticates using an external identity provider (IdP) that supports OpenID Connect (OIDC). Which Google Cloud feature should they use?

Question 110 (easy, multiple choice)

You need to grant a security auditor read-only access to all resources in a project, but they must not be able to view data within resources (e.g., table contents). Which predefined IAM role should you grant?

Question 111 (medium, multiple choice)

A DevOps engineer needs to allow a CI/CD pipeline running in Google Kubernetes Engine (GKE) to push images to a specific Artifact Registry repository. The pipeline uses a Kubernetes service account. What is the best practice to grant this access without creating a JSON key for a Google service account?

Question 112 (hard, multiple choice)

Your organization uses Cloud Identity with SAML 2.0 federation from an external identity provider (IdP). You need to ensure that only users from a specific group in the IdP can access a critical application behind an HTTPS load balancer. Which combination of steps is required?

Question 113 (medium, multiple choice)

A company has an organization policy that disables service account key creation (constraints/iam.disableServiceAccountKeyCreation). However, a legacy application requires a service account key to authenticate. What should the engineer do to satisfy this requirement while following best practices?

Question 114 (easy, multiple choice)

Which of the following is the correct order of the Google Cloud resource hierarchy from highest to lowest?

Question 115 (medium, multiple choice)

An organization uses Cloud Directory Sync to synchronize users from on-premises Active Directory to Cloud Identity. After syncing, a user reports they cannot access a Google Cloud project even though they are a member of the correct AD group. The group has been assigned the roles/compute.admin role on the project. What is the most likely cause?

Question 116 (hard, multiple choice)

An engineer is configuring Cloud Armor for an HTTP(S) load balancer and needs to allow traffic only from users who have been authenticated by Identity-Aware Proxy (IAP). The backend service already has IAP enabled. What additional configuration is needed to ensure that only authenticated requests reach the backend?

Question 117 (medium, multiple choice)

A company wants to enforce that all new projects have a specific set of tags to track cost centers. Which Google Cloud feature should they use?

Question 118 (medium, multi select)

A security engineer needs to allow a group of external auditors to view all resources in a project but not modify anything. They must also prevent the auditors from viewing sensitive data in BigQuery datasets. Which TWO IAM bindings should the engineer configure? (Choose two.)

Question 119 (hard, multi select)

A company runs a batch job on Compute Engine that reads data from Cloud Storage and writes results to BigQuery. The Compute Engine instance uses a service account. The job fails with a permission error. Which THREE steps should the engineer take to resolve this? (Choose three.)

Question 120 (medium, multi select)

An organization uses Cloud Identity with SAML 2.0 federation. They want to enable single sign-on (SSO) for users accessing Google Cloud Console and also allow access to a custom application behind an HTTPS load balancer using IAP. Which TWO configurations are required? (Choose two.)

Question 121 (medium, multiple choice)

Your organization has an IAM policy at the folder level that grants a user the Compute Admin role. A deny policy at the project level denies the same user the compute.instances.create permission. What is the effective access for this user on the project?

Question 122 (easy, multiple choice)

A security engineer needs to enforce that all Compute Engine VMs in an organization use Shielded VM features. Which approach should they use?

Question 123 (hard, multiple choice)

A company uses Google Cloud Directory Sync to synchronize users from an on-premises Active Directory to Cloud Identity. They want to allow federated access from their external identity provider (IdP) that supports SAML 2.0. The IdP should be able to authenticate users from a specific AD domain. What configuration steps are required?

Question 124 (medium, multiple choice)

A DevOps team wants to grant a CI/CD pipeline (running on a Compute Engine VM) the ability to restart Compute Engine instances in a specific project. The VM has a service account attached. What is the best practice to grant this permission?

Question 125 (easy, multiple choice)

An organization wants to use a third-party identity provider (IdP) that supports OpenID Connect (OIDC) to manage access to Google Cloud resources. They want users to authenticate with the external IdP and access GCP via the Cloud Console and gcloud CLI. Which feature should they use?

Question 126 (medium, multi select)

A company is migrating to Google Cloud and wants to implement least privilege access for their engineers. They have the following requirements: 1) Engineers must be able to create and manage Cloud Storage buckets. 2) Engineers must NOT be able to delete any resources. 3) Engineers should not be granted basic roles. Which two predefined roles should they combine to meet these requirements? (Choose two.)

Question 127 (medium, multi select)

A security team wants to restrict service account key creation in their organization to prevent key-based authentication. They have set the organization policy constraint constraints/iam.disableServiceAccountKeyCreation to True. However, they need to allow a specific project to continue creating keys for legacy applications. Which two steps are required? (Choose two.)

Question 128 (hard, multi select)

A company wants to implement workload identity federation for a GitHub Actions workflow, allowing it to access Google Cloud resources without using service account keys. Which three steps are required? (Choose three.)

Question 129 (medium, multi select)

An organization wants to use Identity-Aware Proxy (IAP) to secure access to a web application running on Compute Engine. They need to ensure that only users with specific email domains can access the application, and also verify that requests are coming from IAP. Which two configurations are required? (Choose two.)

Question 130 (easy, multi select)

A developer wants to grant a Kubernetes service account in GKE the ability to read objects from a specific Cloud Storage bucket. Which two resources need to be bound together? (Choose two.)

Question 131 (medium, multi select)

A company uses Cloud Identity with SAML 2.0 federation from an external IdP. They want to enforce that users must be members of a specific group in the IdP to access GCP resources. Which two configurations are necessary? (Choose two.)

Question 132 (hard, multi select)

A security architect is designing an IAM hierarchy for a large organization. The requirements are: 1) Development projects should inherit a policy that allows Compute Engine access. 2) Production projects should not have Compute Engine access. 3) Audit team must be able to read all resources across all projects. Which three IAM policy placements are correct? (Choose three.)

Question 133 (easy, multi select)

A company wants to use Google Cloud Directory Sync (GCDS) to synchronize users and groups from an on-premises Active Directory to Cloud Identity. Which two prerequisites must be met? (Choose two.)

Question 134 (medium, multi select)

A company needs to grant developers the ability to deploy applications to App Engine, but they should not be able to modify IAM policies. Which two roles should be assigned to the developers? (Choose two.)

Question 135 (medium, multi select)

An organization wants to restrict the creation of service accounts to only certain projects. Which two approaches can achieve this? (Choose two.)
