Quick Answer
The answer is that the instance ran as the default Compute Engine service account, which held the cloudsql.client role, and sat in the same VPC that the database's private IP is attached to, so authorized networks never applied to it. Cloud SQL authorized networks are an allowlist for connections to the instance's public IP only. A resource inside the VPC attached to the private IP (through private services access) can reach the database directly over that IP, or through the Cloud SQL Auth Proxy if its service account holds cloudsql.client, with no IP allowlist consulted in either case. On the Google Professional Cloud Security Engineer exam, this scenario tests how private services access and IAM roles interact with Cloud SQL's network isolation; candidates commonly fixate on authorized networks and overlook which identity the workload runs as. Meeting the PCI DSS requirement to secure cardholder data means stopping the use of the default service account and running the workload as a custom service account with least privilege, so that only specific identities can reach the database. Memory tip: "Same VPC, same risk; the default service account is the gap."
PCSE Supporting compliance requirements Practice Question
This PCSE practice question tests your understanding of supporting compliance requirements. It is a root-cause question: identify which configuration detail actually let the connection through, then pick the remediation that closes that specific gap rather than one that tightens an unrelated control. After answering, compare your reasoning against the explanation and wrong-answer breakdown below, and read why each distractor is designed to mislead on exam day.
Your company, a global e-commerce platform, must comply with the PCI DSS requirement to secure cardholder data. You have a multi-cloud environment with workloads on Google Cloud and AWS. The Google Cloud environment consists of Compute Engine instances that process credit card transactions, and a Cloud SQL for MySQL database that stores encrypted cardholder data. The security team requires that only specific service accounts can connect to the database, and all connections must be encrypted. Additionally, you need to ensure that the database is not publicly accessible and that all access is logged. You have configured the Cloud SQL instance with a private IP and enabled SSL/TLS. However, a recent audit revealed that a Compute Engine instance with a public IP and no custom service account (it ran with the project's default Compute Engine service account) was able to connect to the database and execute queries. The instance's public IP was not listed in the Cloud SQL authorized networks. What is the most likely cause of this security gap, and what should you do to prevent it?
Clue words in this question
Noticing these words before you look at the options changes how you read each choice.
Clue: "most likely". Why it matters: probability qualifier. The question wants the most probable cause or outcome, not a guaranteed one, so eliminate low-probability options.
Answer choices
- A. The instance bypassed SSL enforcement because the database was configured to accept non-encrypted connections. You should enable the 'require SSL' flag.
- B. The instance used the Cloud SQL Proxy, which bypasses network controls. You should remove the proxy and require direct connections over private IP.
- C. VPC Service Controls were not configured to block the connection. You should create a service perimeter to prevent data exfiltration.
- D. The instance was in the same VPC and used the default Compute Engine service account with cloudsql.client role. You should disable the default service account and use a custom service account with the least privilege.
Correct answer & explanation
The instance was in the same VPC and used the default Compute Engine service account with cloudsql.client role. You should disable the default service account and use a custom service account with the least privilege.
Option D is correct because the Compute Engine instance was in the VPC that the Cloud SQL instance's private IP is attached to, and it ran as the default Compute Engine service account, which had the cloudsql.client role. Authorized networks are an allowlist for connections to the instance's public IP only; they are not consulted for traffic arriving over the private IP, nor for connections brokered by the Cloud SQL Auth Proxy, which authenticates the caller with IAM instead. So the instance could reach the database through the proxy (authorized by its service account's role) or directly over the private IP (authorized by database credentials) without ever being listed. The fix is to stop the workload from using the default service account, disable that account, and run the workload as a custom service account holding only the roles it needs, so that database access is limited to identities you intend.
Key principle: Answer the scenario, not the keyword: identify the specific constraint before choosing the most familiar-sounding option.
Answer analysis
Option-by-option breakdown
For each option: why learners choose it and why it is or isn't the right answer here.
- ✗ A
The instance bypassed SSL enforcement because the database was configured to accept non-encrypted connections. You should enable the 'require SSL' flag.
Why it's wrong here
The scenario states that SSL/TLS was already enabled, so the connection was encrypted. 'Require SSL' governs transport confidentiality, not which clients may connect, so enabling it changes nothing about the access gap.
- ✗ B
The instance used the Cloud SQL Proxy, which bypasses network controls. You should remove the proxy and require direct connections over private IP.
Why it's wrong here
The Cloud SQL Auth Proxy does not bypass controls; it replaces IP allowlisting with IAM authentication (the caller's service account must hold cloudsql.client) and encrypts the connection. Removing it and forcing direct private-IP connections would weaken authentication, not strengthen it.
- ✗ C
VPC Service Controls were not configured to block the connection. You should create a service perimeter to prevent data exfiltration.
Why it's wrong here
A VPC Service Controls perimeter restricts calls to Google APIs (such as the Cloud SQL Admin API) from outside the perimeter. It does not filter MySQL traffic over a private IP inside the VPC and would not have blocked this connection.
- ✓ D
The instance was in the same VPC and used the default Compute Engine service account with cloudsql.client role. You should disable the default service account and use a custom service account with the least privilege.
Why this is correct
Authorized networks govern only the public IP. Any resource in the VPC attached to the private IP can reach the database directly, and the default service account's cloudsql.client role also authorized it through the Auth Proxy. Restricting which service account the workload runs as, and which roles that account holds, removes the unintended permission.
Clue confirmation
The clue phrase "most likely" in the question points toward this answer: it is the one cause consistent with every stated detail (private IP, TLS on, public IP not allowlisted, default service account).
Related concept
Read the scenario before looking for a memorised answer.
Common exam traps
Common exam trap: answer the scenario, not the keyword
Google Cloud often tests the misconception that authorized networks or SSL/TLS are the primary access controls for Cloud SQL. Authorized networks apply only to the public IP, so they never governed a private-IP connection from inside the VPC in the first place, and IAM roles on the workload's service account, not an IP allowlist, decide who can connect through the Auth Proxy.
Detailed technical explanation
How to think about this question
Cloud SQL authenticates the caller with IAM when the Cloud SQL Auth Proxy (or the Cloud SQL connector libraries) is used: the proxy needs the cloudsql.client role (permission cloudsql.instances.connect) on the service account it runs as, and it does not depend on authorized networks. A direct connection to the private IP is different: it is not gated by cloudsql.client at all, only by VPC reachability, firewall rules and database credentials (or IAM database authentication, if enabled). Neither path checks authorized networks, which apply only to the public IP. The default Compute Engine service account (project-number-compute@developer.gserviceaccount.com) is automatically granted the broad Editor role unless the organization policy that disables automatic role grants is enforced; Editor includes cloudsql.instances.connect, so any instance running as that account can connect through the proxy to any Cloud SQL instance in the project. Disabling the default service account and creating a custom one with only the required roles (cloudsql.client is granted at project level) is a key security best practice. In practice you pair it with removing the instance's public IP, VPC firewall rules that limit which subnets can reach the private IP, and IAM database authentication so that database access is tied to the same identity.
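The following is an added example, not code from the original page or from Google: a small offline audit that reads the JSON gcloud emits for the Cloud SQL instance, the VM and the project IAM policy, and reports every path by which the VM can reach the database together with the control that actually governs that path. It shows the point of the explanation above and of the correct answer in working code: the public path is the only one authorized networks touch, the private path is open to anything in the attached VPC, and the proxy path is decided by the roles on the VM's service account. The JSON field names are those of the gcloud describe commands; the sample documents, the project ID demo-project, the instance and VM names and the service-account emails are constructed for the example, and VPC firewall rules are assumed to allow the database port.

```python
"""Offline audit of how a Compute Engine VM can reach a Cloud SQL instance.

Inputs mirror the JSON shapes returned by
  gcloud sql instances describe INSTANCE --format=json
  gcloud compute instances describe VM --zone=ZONE --format=json
  gcloud projects get-iam-policy PROJECT --format=json
The sample documents are constructed for this example, not real project data.
"""
import copy
import ipaddress
from dataclasses import dataclass

DEFAULT_SA_SUFFIX = "-compute@developer.gserviceaccount.com"
# Roles whose permissions include cloudsql.instances.connect, which the
# Cloud SQL Auth Proxy needs to open a connection for the caller.
CONNECT_ROLES = {"roles/cloudsql.client", "roles/cloudsql.admin",
                 "roles/editor", "roles/owner"}

SQL_INSTANCE = {  # constructed: private IP on prod-vpc, TLS enforced, public IP still on
    "name": "cardholder-db",
    "ipAddresses": [{"type": "PRIMARY", "ipAddress": "198.51.100.10"},
                    {"type": "PRIVATE", "ipAddress": "10.20.0.5"}],
    "settings": {"ipConfiguration": {
        "ipv4Enabled": True,
        "privateNetwork": "projects/demo-project/global/networks/prod-vpc",
        "sslMode": "ENCRYPTED_ONLY",
        "authorizedNetworks": [{"name": "office", "value": "203.0.113.0/24"}],
    }},
}
VM = {  # constructed: public IP not allowlisted, runs as the default compute SA
    "name": "checkout-worker-1",
    "networkInterfaces": [{
        "network": "https://www.googleapis.com/compute/v1/projects/demo-project/global/networks/prod-vpc",
        "networkIP": "10.20.1.7",
        "accessConfigs": [{"natIP": "198.51.100.44"}],
    }],
    "serviceAccounts": [{"email": "123456789012" + DEFAULT_SA_SUFFIX,
                         "scopes": ["https://www.googleapis.com/auth/cloud-platform"]}],
}
IAM_POLICY = {  # constructed: default SA holds Editor plus cloudsql.client
    "bindings": [
        {"role": "roles/editor",
         "members": ["serviceAccount:123456789012" + DEFAULT_SA_SUFFIX]},
        {"role": "roles/cloudsql.client",
         "members": ["serviceAccount:123456789012" + DEFAULT_SA_SUFFIX,
                     "serviceAccount:checkout-sa@demo-project.iam.gserviceaccount.com"]},
    ]
}


@dataclass(frozen=True)
class Finding:
    code: str
    detail: str


def _network_name(ref: str) -> str:
    """Compare networks by short name: compute uses URLs, Cloud SQL uses paths."""
    return ref.rsplit("/", 1)[-1]


def _ip_allowed(ip: str, cidrs) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(c, strict=False) for c in cidrs)


def roles_of(policy: dict, sa_email: str) -> set:
    member = "serviceAccount:" + sa_email
    return {b["role"] for b in policy.get("bindings", []) if member in b.get("members", [])}


def audit(sql: dict, vm: dict, policy: dict) -> list:
    """List every path by which vm can reach sql, and the control governing it."""
    findings = []
    ipcfg = sql["settings"]["ipConfiguration"]
    nic = vm["networkInterfaces"][0]
    sa = (vm.get("serviceAccounts") or [{}])[0].get("email", "")
    granted = roles_of(policy, sa) & CONNECT_ROLES
    public_ips = [a["natIP"] for a in nic.get("accessConfigs", []) if "natIP" in a]
    has_private = any(a["type"] == "PRIVATE" for a in sql.get("ipAddresses", []))
    same_vpc = has_private and _network_name(ipcfg.get("privateNetwork", "")) == _network_name(nic["network"])

    # Path 1: the public IP. This is the only path authorized networks govern.
    if ipcfg.get("ipv4Enabled"):
        findings.append(Finding("PUBLIC_IP_ENABLED", "instance exposes a public IP"))
        cidrs = [n["value"] for n in ipcfg.get("authorizedNetworks", [])]
        for ip in public_ips:
            code = "PUBLIC_PATH_ALLOWED" if _ip_allowed(ip, cidrs) else "PUBLIC_PATH_BLOCKED"
            findings.append(Finding(code, f"{ip} vs authorized networks {cidrs}"))
    # Path 2: the private IP. Authorized networks are not consulted; only VPC
    # reachability (firewall rules) and database credentials stand in the way.
    if same_vpc:
        findings.append(Finding("PRIVATE_PATH_REACHABLE", "VM is in the VPC attached to the private IP"))
    # Path 3: the Auth Proxy, gated by IAM on the VM's service account.
    if granted:
        findings.append(Finding("PROXY_PATH_ALLOWED", f"{sa} holds {sorted(granted)}"))
    if sa.endswith(DEFAULT_SA_SUFFIX):
        findings.append(Finding("DEFAULT_SA_IN_USE", "VM runs as the default Compute Engine SA"))
    # Transport: independent of who may connect.
    mode = ipcfg.get("sslMode", "ALLOW_UNENCRYPTED_AND_ENCRYPTED")
    if mode == "ALLOW_UNENCRYPTED_AND_ENCRYPTED" and not ipcfg.get("requireSsl"):
        findings.append(Finding("PLAINTEXT_ALLOWED", "instance accepts unencrypted connections"))
    return findings


def codes(findings) -> set:
    return {f.code for f in findings}


def with_service_account(vm: dict, email: str) -> dict:
    """Model the remediation: the same VM re-attached to a custom service account."""
    fixed = copy.deepcopy(vm)
    fixed["serviceAccounts"] = [{"email": email, "scopes": vm["serviceAccounts"][0]["scopes"]}]
    return fixed


if __name__ == "__main__":
    for f in audit(SQL_INSTANCE, VM, IAM_POLICY):
        print(f"{f.code:22} {f.detail}")
```

On the constructed input the audit reports PUBLIC_PATH_BLOCKED (the VM's public IP is not allowlisted, which is the detail the audit in the question fixated on), yet PRIVATE_PATH_REACHABLE and PROXY_PATH_ALLOWED, which is how the connection succeeded. The remediation the answer describes maps to gcloud as: create the account (gcloud iam service-accounts create), grant it only roles/cloudsql.client (gcloud projects add-iam-policy-binding PROJECT --member=serviceAccount:... --role=roles/cloudsql.client), re-attach the VM (gcloud compute instances set-service-account VM --zone=ZONE --service-account=...), disable the default account (gcloud iam service-accounts disable), and drop the public IP (gcloud sql instances patch INSTANCE --no-assign-ip). Re-running the audit on fresh describe output should then show PROXY_PATH_ALLOWED only for the intended account, with PRIVATE_PATH_REACHABLE remaining as the path that firewall rules and database credentials must cover.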
Key Concepts to Remember
- Read the scenario before looking for a memorised answer.
- Find the constraint that changes the correct option.
- Eliminate answers that are true in general but not in this case.
Exam Day Tips
- Watch for words such as best, first, most likely and least administrative effort.
- Review why wrong options are wrong, not only why the correct option is correct.
Key takeaway
Answer the scenario, not the keyword: identify the specific constraint before choosing the most familiar-sounding option.
Real-world example
How this comes up in practice
A company's IT admin needs to give a contractor read-only access to production logs without sharing account credentials. Using role-based access control (RBAC) and temporary scoped permissions — not a permanent shared password — is the correct pattern. Questions like this test whether you can apply least-privilege access across cloud identity services.
What to study next
Got this wrong? Here's your next step.
Identify which exam domain this question belongs to, review the core concept, then practise similar questions from the same domain.
- Supporting compliance requirements study guide chapter: learn the concepts, then practise the questions
- Supporting compliance requirements practice questions: targeted practice on this topic area only
- All PCSE questions: 500 questions across all exam domains
- Google Professional Cloud Security Engineer study guide: full concept coverage aligned to exam objectives
- PCSE practice test guide: how to use practice tests most effectively before exam day
Related practice questions
Use these pages to review the topic behind this question. This is how one missed question becomes focused revision.
- Configuring network security practice questions
- Configuring access within a cloud solution environment practice questions
- Ensuring data protection practice questions
- Managing operations in a cloud solution environment practice questions
- Supporting compliance requirements practice questions
- PCSE fundamentals practice questions
- PCSE scenario practice questions
- PCSE troubleshooting practice questions
FAQ
Questions learners often ask
What does this PCSE question test?
Supporting compliance requirements. It tests whether you can trace a compliance gap (PCI DSS access control over cardholder data) to the specific Cloud SQL access path and identity that allowed it, rather than to the most familiar-sounding control.
What is the correct answer to this question?
The correct answer is D: the instance was in the same VPC and used the default Compute Engine service account with the cloudsql.client role; disable the default service account and use a custom service account with least privilege. The Compute Engine instance was in the VPC attached to the Cloud SQL instance's private IP and ran as the default Compute Engine service account, which held cloudsql.client. Authorized networks apply only to the public IP, so the instance could connect through the Cloud SQL Auth Proxy (authorized by IAM) or directly over the private IP without being listed. Running the workload as a custom service account with only the roles it needs, and disabling the default account, restores least privilege.
What should I do if I get this PCSE question wrong?
Identify which exam domain this question belongs to, review the core concept, then practise similar questions from the same domain.
Are there clue words in this question I should notice?
Yes — watch for: "most likely". Probability qualifier — the question wants the most probable cause or outcome, not a guaranteed one. Eliminate low-probability options.
What is the key concept behind this question?
Read the scenario before looking for a memorised answer.
About these practice questions
Courseiva creates original exam-style practice questions with explanations and wrong-answer analysis. It does not publish real exam questions, exam dumps, or protected exam content. Learn why practice questions differ from exam dumps.
Last reviewed: Jun 30, 2026
This PCSE practice question is part of Courseiva's free Google Cloud certification practice question bank. Courseiva provides original exam-style practice questions with explanations, topic-based practice, mock exams, readiness tracking, and study analytics to help learners prepare for the PCSE exam.