Free · No account needed · No credit card

Google Professional Cloud Security Engineer Practice Test

500 questions with instant explanations, domain breakdown, and wrong-answer analysis. Built for the real exam.

Instant feedback after each answer
Full explanations included
Domain score breakdown
Real exam: 120 min
Pass mark: 720%

Sample questions with explanations

This is exactly what you see during practice — question, options, and a full explanation after you answer.

Q1 · Supporting compliance requirements · easy

A company needs to retain audit logs for 7 years to meet regulatory compliance. They are using Cloud Logging. Which log storage strategy should they use to minimize costs while meeting the requirement?

A. Store logs in the _Required log bucket with a custom retention of 7 years.
B. Disable logging for non-critical resources to reduce log volume and retain only essential logs.
C. Use a log sink to export logs to Cloud Storage with a retention policy of 7 years and nearline storage class. (Correct)
D. Use a log sink to export logs to BigQuery and set the table expiration to 7 years.

Option C is correct because exporting logs to Cloud Storage via a log sink allows you to set a bucket retention policy of 7 years, meeting compliance requirements. Using the nearline storage class minimizes costs for logs that are accessed infrequently, as it offers lower storage…

Q2 · Supporting compliance requirements · medium

A healthcare organization must ensure that only authorized personnel can access Protected Health Information (PHI) stored in Cloud Storage. They need to enforce encryption at rest and control access based on data classification. Which combination of Google Cloud services should they use?

A. Use customer-supplied encryption keys (CSEK) and Cloud Audit Logs.
B. Use Cloud HSM for key management and Cloud DLP to inspect data.
C. Enable Access Transparency and use Organization Policies to restrict resource locations.
D. Use customer-managed encryption keys (CMEK) with Cloud KMS and VPC Service Controls. (Correct)

Option D is correct because it combines customer-managed encryption keys (CMEK) with Cloud KMS to enforce encryption at rest using keys controlled by the organization, and VPC Service Controls to restrict data access based on data classification by creating a security perimeter a…

Q3 · Supporting compliance requirements · hard

A financial services company is deploying a multi-region application on Google Kubernetes Engine (GKE) and needs to comply with PCI DSS. They must ensure that cardholder data is encrypted in transit between pods in different clusters. What is the MOST secure way to achieve this?

A. Configure TLS for each service using Cloud Load Balancing with SSL policies.
B. Enable Anthos Service Mesh with mutual TLS (mTLS) across clusters. (Correct)
C. Use HTTPS between services by configuring ingress with a Google-managed SSL certificate.
D. Use VPC Network Peering to connect the clusters and rely on the internal network encryption.

Option B is correct because Anthos Service Mesh with mutual TLS (mTLS) provides authenticated and encrypted communication between pods across different GKE clusters, meeting PCI DSS encryption-in-transit requirements. mTLS ensures that each side of the connection presents a certi…

Untimed Practice

Answer at your own pace. Explanation and domain tag shown immediately after each answer.

Timed Practice

Countdown timer starts immediately. Results and domain scores shown at the end — just like the real exam.

Why practice here?

Full explanations on every question

Not just the right answer — you get exactly why each wrong option is wrong, so you learn the concept, not the answer.

Domain score breakdown

After each session see your score by exam domain so you know exactly where to focus study time.

100% free, forever

No subscription, no trial, no email wall. Start a session in under 10 seconds.

Exam-style questions

Scenario-based, precise wording, realistic distractors — written to match what you actually see on exam day.
