Google Cloud exam questions

Google Professional Cloud Security Engineer PCSE practice test

Practise IP addressing questions covering IPv4/IPv6 configuration, subnetting, default gateways, and APIPA troubleshooting for the PCSE exam.

500 practice questions · 5 topics covered · Exam code: PCSE · Vendor: Google Cloud

Study modes

Three ways to study

Start with the Study Sheet to learn the material, switch to Practice Tests for active recall, then take a Mock Exam to simulate the real thing.

Study Sheet

All 500 questions with correct answers and explanations already visible. Read at your own pace — no time pressure.

Practice Test

Answer first, then see feedback and explanation. Tracks your score per session. Best for active recall and identifying weak areas.

Mock Exam

Full timed simulation with countdown. Answers hidden until the end. Includes all question types just like the real exam.

Study Sheet

All 500 PCSE questions with answers

Every question in the bank, paginated 75 per page. Correct answers and full explanations are revealed upfront — ideal for first-pass learning and pre-exam review.

7 pages · 75 questions per page · 500 total

Related practice questions

Study PCSE by topic

Topic pages go deep on individual concepts — each one covers a specific exam topic with questions, explanations, and study notes.

Courseiva uses original exam-style practice questions created for learning and revision. The goal is to understand the concepts, recognise exam patterns, and improve through explanations — not memorise copied exam dumps.

Sample questions

Google Professional Cloud Security Engineer practice questions

Match each IAM role to its typical use case.

Full management of Compute Engine resources

Read-only access to Cloud Storage objects

Manage service accounts and keys

Manage Cloud KMS keys and key rings

Manage organization policies

Match each encryption scope to its description.

Data protected while traveling over networks

Data protected when stored on disk

Customer-supplied encryption keys for Google Cloud resources

Customer-managed encryption keys via Cloud KMS

Google-managed encryption keys for all data at rest

Match each CVE or security concept to its description.

Log4j remote code execution vulnerability

Heartbleed OpenSSL vulnerability

Apache Struts2 remote code execution

Windows CryptoAPI spoofing vulnerability

BlueKeep RDP remote code execution

Match each Google Cloud logging/monitoring term to its definition.

Routes logs to a destination (e.g., BigQuery, Pub/Sub)

Storage location for log entries

Counts log entries matching a filter

Records of admin and data access activities

Copies logs to Cloud Storage or BigQuery

Drag and drop the steps to rotate a customer-managed encryption key (CMEK) in Cloud KMS in the correct order.

Question 6 · medium · drag order

Drag and drop the steps to configure Cloud NAT for private VM instances in the correct order.

Drag and drop the steps to set up Cloud Armor with a WAF rule in the correct order.

Drag and drop the steps to configure a VPC Service Controls perimeter in the correct order.

Drag and drop the steps to set up Private Google Access for on-premises hosts using Private Service Connect in the correct order.

Drag and drop the steps to set up a Binary Authorization policy for a GKE cluster in the correct order.

A company is designing a CI/CD pipeline using Cloud Build. Security requirements mandate that the pipeline deploy only to projects that have been explicitly authorized. The security team wants to use a service account that can be assumed by Cloud Build to perform deployments, and they want to restrict which projects can be deployed to using organization policies. Which approach should they take?

A company must implement data residency requirements that prohibit storing data outside the European Union. They are using Cloud Bigtable and need to ensure that backups are also stored within the EU. Which configuration should they choose?

Question 13 · medium · multiple choice

A company wants to allow employees to access a web application running on Google Kubernetes Engine (GKE) using their corporate Active Directory credentials. The application is exposed via an HTTPS load balancer. The Security Engineer needs to integrate identity federation and ensure that only authenticated users can reach the application. Which combination of services should be used?

A security engineer is investigating an incident where an attacker gained access to a Compute Engine instance's serial console logs, which contained sensitive data. Which TWO actions should the engineer take to prevent this type of exposure in the future? (Choose TWO.)

Question 15 · hard · multiple choice

A company is deploying a multi-tier application on Google Cloud. The web tier must be accessible from the internet, while the application and database tiers must only be accessible from the web tier. The security team wants to use VPC firewall rules and Cloud NAT for outbound internet access from private instances. Which architecture meets these requirements with the least operational overhead?

A security engineer is configuring Cloud Armor to protect a global external HTTP(S) Load Balancer. Which TWO of the following are valid Cloud Armor security policies? (Choose two.)

Which TWO actions should a security engineer take to protect sensitive data in Cloud Storage buckets from accidental public exposure? (Choose two.)

A company must ensure that all Compute Engine instances use only approved images from a specific project. They want to enforce this using Organization Policy. Which constraint should they use?

A company is implementing a data retention policy for Cloud Storage buckets. They need to ensure that objects cannot be deleted before a specified retention period. Which THREE features can they use? (Choose THREE.)

A financial services company is migrating its on-premises application to Google Cloud. The application needs to access a Cloud SQL instance and a Cloud Storage bucket. Security requirements mandate that the application must use short-lived credentials and avoid storing long-lived service account keys. The application runs on Compute Engine. What should the Security Engineer do to meet these requirements?

A global e-commerce company must comply with GDPR and CCPA. They use BigQuery to store customer data and need to ensure that when a user requests data deletion, all copies are deleted within 30 days. Additionally, they want to minimize storage costs. Which TWO actions should they take?

An organization uses Cloud Audit Logs to monitor admin activity. The security team wants to be alerted when a user creates a new IAM role at the organization level. Which type of audit log should they analyze?

A company is migrating its on-premises Microsoft Active Directory to Google Cloud using Managed Microsoft AD (Microsoft AD). They need to ensure that users can authenticate to Compute Engine Windows instances using their on-premises credentials without additional user setup. What is the most secure and scalable approach?

A security engineer needs to ensure that a Compute Engine VM can securely access Cloud Storage buckets without exposing a public IP address. The VM is in a VPC with Private Google Access enabled. What is the recommended approach?

Exam question guide

How to use these PCSE questions

Use these questions as active recall, not passive reading. Try the question first, review the answer choices, then open the explanation and connect the result back to the exam topic.

Quick answer

Tests understanding of IPv4/IPv6 addressing, subnetting, default gateways, and APIPA configurations for network connectivity.

Identifying IPv4 address classes and private ranges

Configuring IPv6 addresses and link-local vs global unicast

Calculating subnet masks and network IDs

Troubleshooting APIPA addresses (169.254.x.x)

These PCSE practice questions are part of Courseiva's free Google Cloud certification practice question bank. Courseiva provides original exam-style PCSE questions with detailed explanations, topic-based practice, mock exams, readiness tracking, and study analytics.