
Scenario-based practice

Hard Difficulty Questions

Practise with original Google Professional Cloud Security Engineer exam-style scenarios covering every exam domain, with detailed explanations, wrong-answer analysis, and common exam traps.

20 scenario questions · Exam code: PCSE · Vendor: Google Cloud

Scenario guide

How to approach hard difficulty questions

These are the questions most candidates get wrong. They require connecting multiple concepts, reading tricky output, or knowing edge-case behaviour that isn't on most study cards. Practising them trains you to operate under uncertainty — a necessary skill on the real exam.

Quick answer

Hard difficulty questions test whether you can apply a concept in context, not just recognise its definition. Each scenario below is chosen to show:

How the topic appears in realistic exam-style scenarios.

Which detail in the question changes the correct answer.

How to eliminate plausible but wrong options.

How to connect the question back to the wider exam objective.


Practice set

Practice scenarios

Question 1 (hard, multiple choice)

A company is deploying a multi-tier application on Google Cloud. The web tier must be accessible from the internet, while the application and database tiers must only be accessible from the web tier. The security team wants to use VPC firewall rules and Cloud NAT for outbound internet access from private instances. Which architecture meets these requirements with the least operational overhead?

Question 2 (hard, multi select)

A company is implementing a data retention policy for Cloud Storage buckets. They need to ensure that objects cannot be deleted before a specified retention period. Which THREE features can they use? (Choose THREE.)

Question 3 (hard, multiple choice)

A financial services company is migrating its on-premises application to Google Cloud. The application needs to access a Cloud SQL instance and a Cloud Storage bucket. Security requirements mandate that the application must use short-lived credentials and avoid storing long-lived service account keys. The application runs on Compute Engine. What should the Security Engineer do to meet these requirements?

Question 4 (hard, multi select)

A global e-commerce company must comply with GDPR and CCPA. They use BigQuery to store customer data and need to ensure that when a user requests data deletion, all copies are deleted within 30 days. Additionally, they want to minimize storage costs. Which TWO actions should they take?

Question 5 (hard, multiple choice)

Refer to the exhibit. A Security Engineer runs the command to grant Alice access to view objects in a Cloud Storage bucket. Later, Alice reports she can no longer access the bucket after January 1, 2024. What is the most likely reason?

Exhibit

Refer to the exhibit.

```
$ gcloud projects add-iam-policy-binding my-project \
    --member='user:alice@example.com' \
    --role='roles/storage.objectViewer' \
    --condition='expression=request.time < timestamp
```

The exhibit is cut off after `timestamp`; the remainder of the condition (the timestamp value and the `title=` field that `--condition` requires) is not shown. Note that this is a project-level binding, so it applies to every bucket in `my-project`, not only to the one bucket in the question.
Question 6 (hard, multiple choice)

You are designing network security for a multi-region GKE cluster with Pods that need to communicate across regions over a private network. The cluster uses VPC-native mode. Which Google Cloud networking feature should you use to ensure low-latency and secure inter-region Pod-to-Pod communication without traversing the public internet?

Question 7 (hard, multi select)

Your company has a VPC with multiple subnets. You have deployed a set of Compute Engine instances that must communicate with each other over TCP port 4444. The instances are tagged with 'app-tier'. You need to ensure that only these instances can communicate on this port. Which THREE of the following steps are necessary to achieve this?

Question 8 (hard, multiple choice)

Refer to the exhibit. A security engineer runs the command to view recent decrypt operations on a Cloud KMS key. The output shows a successful decryption. However, the engineer is concerned about the exposure of the plaintext. Based on the log entry, what is the most accurate statement regarding the visibility of the decrypted plaintext?

Exhibit

Refer to the exhibit.

```
$ gcloud logging read "logName=projects/my-project/logs/cloudaudit.googleapis.com%2Fdata_access AND protoPayload.methodName=google.cloud.kms.v1.Decrypt" --limit 5

---
insertId: 1a2b3c4d5e
logName: projects/my-project/logs/cloudaudit.googleapis.com%2Fdata_access
protoPayload:
  @type: type.googleapis.com/google.cloud.audit.AuditLog
  authenticationInfo:
    principalEmail: user@example.com
  methodName: google.cloud.kms.v1.Decrypt
  resourceName: projects/my-project/locations/global/keyRings/my-keyring/cryptoKeys/my-key/cryptoKeyVersions/1
  response:
    plaintext: "REDACTED"
  serviceName: cloudkms.googleapis.com
  status: {}
resource:
  labels:
    key_id: my-key
    location: global
    key_ring: my-keyring
  type: cloudkms_crypto_key
severity: NOTICE
```
Question 9 (hard, multiple choice)

A healthcare organization is migrating sensitive patient data to Google Cloud and must comply with HIPAA. They plan to use Cloud SQL for MySQL with CMEK for encryption at rest. The security team is concerned about key management and access logging. Which additional measure should be implemented to meet HIPAA audit requirements?

Question 10 (hard, multiple choice)

A financial services company runs a sensitive application on Google Kubernetes Engine (GKE) with Workload Identity enabled. Security policy requires that only pods with a specific service account can access a Cloud Storage bucket containing customer data. The bucket has uniform bucket-level access enabled. What is the correct combination of IAM bindings to achieve this?

Question 11 (hard, multiple choice)

A security engineer reviews the IAM policy for a Cloud Storage bucket as shown in the exhibit. Alice reports that she cannot upload objects to the bucket, while Bob can view objects. What is the most likely issue?

Exhibit

Refer to the exhibit.

```
{
  "bindings": [
    {
      "role": "roles/storage.objectViewer",
      "members": [
        "user:alice@example.com",
        "user:bob@example.com"
      ]
    },
    {
      "role": "roles/storage.objectAdmin",
      "members": [
        "user:alice@example.com"
      ]
    }
  ]
}
```
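The two IAM exhibits on this page (the conditional `gcloud` binding in Question 5 and the bucket policy JSON in Question 11) can be checked mechanically. The block below is an added example, not code from the original page or from Google: it evaluates an IAM allow policy for a member at a given time, honouring `request.time` conditions. The role-to-permission table is a hand-written subset of the real predefined roles, and because the Question 5 command is cut off after `timestamp`, the value `2024-01-01T00:00:00Z` and the condition title are assumptions chosen only because the question says access stopped after 1 January 2024.

```python
"""Evaluate a Cloud IAM allow policy, including request.time conditions.

Added example. ROLE_PERMISSIONS is a subset of the real predefined roles;
the conditional policy's timestamp and title are ASSUMED (the exhibit is
truncated). IAM deny policies are not modelled.
"""
import re
from datetime import datetime, timezone

# Subset of the permissions carried by two predefined Cloud Storage roles.
ROLE_PERMISSIONS = {
    "roles/storage.objectViewer": {
        "storage.objects.get", "storage.objects.list",
    },
    "roles/storage.objectAdmin": {
        "storage.objects.get", "storage.objects.list", "storage.objects.create",
        "storage.objects.delete", "storage.objects.update",
    },
}

# The only CEL shape this evaluator understands:
#   request.time <op> timestamp("RFC 3339 value")
_TIME_CONDITION = re.compile(
    r'^request\.time\s*(<=|>=|<|>)\s*timestamp\("([^"]+)"\)$'
)


def condition_holds(expression, now):
    """Return True if a request.time condition is satisfied at `now` (aware UTC)."""
    match = _TIME_CONDITION.match(expression.strip())
    if not match:
        raise ValueError(f"unsupported condition expression: {expression!r}")
    op, stamp = match.groups()
    bound = datetime.fromisoformat(stamp.replace("Z", "+00:00"))
    return {
        "<": now < bound, "<=": now <= bound,
        ">": now > bound, ">=": now >= bound,
    }[op]


def effective_permissions(policy, member, now):
    """Union of permissions from every binding that names `member` and whose
    condition (if any) holds at `now`."""
    granted = set()
    for binding in policy.get("bindings", []):
        if member not in binding.get("members", []):
            continue
        condition = binding.get("condition")
        if condition is not None and not condition_holds(condition["expression"], now):
            continue
        granted |= ROLE_PERMISSIONS.get(binding["role"], set())
    return granted


def has_permission(policy, member, permission, now):
    return permission in effective_permissions(policy, member, now)


# The policy from the Question 11 exhibit.
EXHIBIT_POLICY = {
    "bindings": [
        {"role": "roles/storage.objectViewer",
         "members": ["user:alice@example.com", "user:bob@example.com"]},
        {"role": "roles/storage.objectAdmin",
         "members": ["user:alice@example.com"]},
    ]
}

# Policy produced by the truncated Question 5 command. Timestamp and title are
# ASSUMED. Conditional bindings require IAM policy version 3.
CONDITIONAL_POLICY = {
    "version": 3,
    "bindings": [
        {"role": "roles/storage.objectViewer",
         "members": ["user:alice@example.com"],
         "condition": {
             "title": "expires-2024",
             "expression": 'request.time < timestamp("2024-01-01T00:00:00Z")',
         }},
    ],
}

if __name__ == "__main__":
    jan2 = datetime(2024, 1, 2, tzinfo=timezone.utc)
    for who in ("user:alice@example.com", "user:bob@example.com"):
        print(who, sorted(effective_permissions(EXHIBIT_POLICY, who, jan2)))
    for day in (datetime(2023, 12, 31, tzinfo=timezone.utc), jan2):
        print(day.date(), has_permission(CONDITIONAL_POLICY,
                                         "user:alice@example.com",
                                         "storage.objects.get", day))
```

Running it shows that the Question 11 bindings as written already give Alice `storage.objects.create`, so the bindings alone do not explain a failed upload; a practitioner would next confirm that this is the bucket's effective policy and look for controls the exhibit does not show. For Question 5, the same member goes from allowed to denied the moment the condition's timestamp passes, which is the expected behaviour of a time-bound binding rather than a fault.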
Question 12 (hard, multiple choice)

A healthcare organization stores PHI in BigQuery tables with row-level access policies. They need to ensure that data is automatically de-identified when exported to Cloud Storage for analytics. What is the most scalable solution with minimal manual intervention?

Question 13 (hard, multiple choice)

A security engineer is configuring VPC Service Controls to protect a Google Cloud project containing sensitive data. The project uses Cloud Storage and BigQuery. The engineer wants to ensure that data cannot be exfiltrated to external IP addresses outside the perimeter, but internal users should still be able to access the data from on-premises via a VPN. Which configuration should be applied?

Question 14 (hard, multiple choice)

A security engineer is designing a VPC Service Controls perimeter to protect a project containing sensitive data stored in Cloud Storage and BigQuery. The perimeter currently allows access from an on-premises data center via private connectivity (Cloud Interconnect). The business requires that a third-party SaaS application (outside the perimeter) be able to write data into a specific Cloud Storage bucket. Which action should the engineer take?

Question 15 (hard, multi select)

A security engineer is designing a solution to monitor and detect anomalous IAM role usage across multiple Google Cloud projects. The engineer wants to create a centralized logging solution that captures all IAM policy changes and access attempts. Which THREE services should the engineer use together to achieve this?
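Question 15 asks for a centralised view of IAM policy changes, and the Question 8 exhibit shows the shape of a Cloud KMS audit entry. The block below is an added example, not code from the original page or from Google: it runs simple detection logic over Cloud Audit Log entries, extracting binding changes from `SetIamPolicy` entries, flagging risky grants, and tallying `Decrypt` calls per principal and key. The three entries are constructed to mirror the real `AuditLog` layout (`protoPayload.serviceData.policyDelta.bindingDeltas` for Resource Manager `SetIamPolicy`; `google.cloud.kms.v1.Decrypt` for KMS); the principals, project and key names are assumptions. Two caveats a practitioner relies on here: KMS `Decrypt` is a DATA_READ operation, so it appears in the `data_access` log, which is disabled by default for Cloud KMS and must be turned on, and the entry never carries the plaintext or ciphertext bytes.

```python
"""Detection logic over Cloud Audit Log entries (added example).

Sample entries are CONSTRUCTED; names are assumptions.
"""
from collections import Counter

SENSITIVE_ROLES = {
    "roles/owner", "roles/editor", "roles/iam.securityAdmin",
    "roles/resourcemanager.projectIamAdmin", "roles/cloudkms.cryptoKeyDecrypter",
}

_KMS_KEY = "projects/my-project/locations/global/keyRings/my-keyring/cryptoKeys/my-key"


def _audit(service, method, principal, resource, **extra):
    """Build a minimal AuditLog-shaped entry (constructed sample data)."""
    payload = {
        "@type": "type.googleapis.com/google.cloud.audit.AuditLog",
        "serviceName": service, "methodName": method,
        "authenticationInfo": {"principalEmail": principal},
        "resourceName": resource,
    }
    payload.update(extra)
    return {"protoPayload": payload}


SAMPLE_ENTRIES = [
    _audit("cloudresourcemanager.googleapis.com", "SetIamPolicy",
           "admin@example.com", "projects/my-project",
           serviceData={"policyDelta": {"bindingDeltas": [
               {"action": "ADD", "role": "roles/owner", "member": "user:mallory@attacker.test"},
               {"action": "ADD", "role": "roles/viewer", "member": "group:analysts@example.com"},
               {"action": "REMOVE", "role": "roles/editor", "member": "user:bob@example.com"},
           ]}}),
    _audit("cloudkms.googleapis.com", "google.cloud.kms.v1.Decrypt",
           "user@example.com", _KMS_KEY),
    _audit("cloudkms.googleapis.com", "google.cloud.kms.v1.Decrypt",
           "user@example.com", _KMS_KEY),
    _audit("cloudkms.googleapis.com", "google.cloud.kms.v1.Decrypt",
           "svc-app@my-project.iam.gserviceaccount.com", _KMS_KEY),
]


def binding_deltas(entry):
    """Yield (action, role, member) for each binding change in a SetIamPolicy entry."""
    payload = entry.get("protoPayload", {})
    if not payload.get("methodName", "").endswith("SetIamPolicy"):
        return
    delta = payload.get("serviceData", {}).get("policyDelta", {})
    for change in delta.get("bindingDeltas", []):
        yield change["action"], change["role"], change["member"]


def _member_domain(member):
    # "user:x@y", "group:x@y", "serviceAccount:x@y"; allUsers/allAuthenticatedUsers have none.
    return member.partition(":")[2].rpartition("@")[2]


def sensitive_grants(entries, org_domain="example.com"):
    """Flag ADD deltas that grant a sensitive role, open the resource to the
    public, or bring in a principal from outside the organisation."""
    findings = []
    for entry in entries:
        actor = entry["protoPayload"]["authenticationInfo"]["principalEmail"]
        for action, role, member in binding_deltas(entry):
            if action != "ADD":
                continue
            domain = _member_domain(member)
            public = member in ("allUsers", "allAuthenticatedUsers")
            external = (not public and domain != org_domain
                        and not domain.endswith(".gserviceaccount.com"))
            if role in SENSITIVE_ROLES or public or external:
                findings.append({"actor": actor, "role": role, "member": member,
                                 "sensitive_role": role in SENSITIVE_ROLES,
                                 "public": public, "external": external})
    return findings


def decrypt_counts(entries):
    """Count KMS Decrypt calls per (principal, key) for baselining anomalous use."""
    counts = Counter()
    for entry in entries:
        payload = entry["protoPayload"]
        if payload.get("methodName") == "google.cloud.kms.v1.Decrypt":
            counts[(payload["authenticationInfo"]["principalEmail"],
                    payload["resourceName"])] += 1
    return counts


def key_material_fields(entry, path="", found=None):
    """Paths of any 'plaintext'/'ciphertext' fields; a correctly configured
    KMS audit entry yields none, so a hit means a pipeline is mislabelled."""
    found = [] if found is None else found
    if isinstance(entry, dict):
        for key, value in entry.items():
            here = f"{path}.{key}" if path else key
            if key in ("plaintext", "ciphertext"):
                found.append(here)
            key_material_fields(value, here, found)
    return found


if __name__ == "__main__":
    for finding in sensitive_grants(SAMPLE_ENTRIES):
        print("GRANT", finding)
    for (who, key), n in decrypt_counts(SAMPLE_ENTRIES).items():
        print("DECRYPT", who, key.rsplit("/", 1)[1], n)
    print("key material fields:", [key_material_fields(e) for e in SAMPLE_ENTRIES])
```

Feeding this a real export (for example a Logging sink into BigQuery or Pub/Sub, which is the usual way to centralise audit logs from many projects) only requires replacing `SAMPLE_ENTRIES` with the exported rows; the per-principal `Decrypt` tallies are what you baseline before calling any count anomalous.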

Question 16 (hard, multiple choice)

A security engineer is troubleshooting a connectivity issue between two VPCs connected via VPC Network Peering. VPC-A (project A) has a Compute Engine instance with internal IP 10.1.0.2. VPC-B (project B) has an instance with internal IP 10.2.0.2. The engineer has verified that the peering connection is active and the firewall rules allow ingress from 10.1.0.0/16. However, the instance in VPC-B cannot ping the instance in VPC-A. What is the most likely cause?

Question 17 (hard, multiple choice)

A company uses Cloud SQL for PostgreSQL with IAM database authentication. A security engineer needs to grant a user named 'analyst@example.com' the ability to run SELECT queries on the 'orders' table. The user is a member of the group 'analysts@example.com'. What is the correct combination of IAM and database permissions?

Question 18 (hard, multi select)

A security team is designing access controls for a multi-tenant SaaS application on Google Kubernetes Engine (GKE). Each tenant has a separate namespace. They want to ensure that a DevOps team can manage deployments across all namespaces, but cannot modify secrets in the 'tenant-alpha' namespace. Which THREE Kubernetes RBAC resources should be created? (Choose THREE)

Question 19 (hard, multiple choice)

You are designing a multi-tier application with a frontend and backend. The frontend instances are in subnet A (10.0.1.0/24), and the backend instances are in subnet B (10.0.2.0/24). Both subnets are in the same VPC. You want to allow the frontend to communicate with the backend on TCP port 8080, but the backend must not be able to initiate connections to the frontend. Additionally, the backend must be able to send patches to the internet. Which set of firewall rules should you implement?
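Questions 7 and 19 both turn on how VPC firewall rules are evaluated: per instance, per direction, lowest priority number first, deny before allow at equal priority, with an implied deny-all ingress and allow-all egress at priority 65535, and stateful return traffic. The block below is an added example, not code from the original page or from Google: it models that evaluation for the two-subnet design in Question 19. The rule names, network tags and instance addresses are assumptions chosen to fit the scenario. It also covers the trap a practitioner hits in this design: an internet-facing allow on the frontend with source `0.0.0.0/0` also matches backend addresses, so "backend must not initiate to frontend" needs an explicit higher-priority deny.

```python
"""Model VPC firewall rule evaluation for a frontend/backend design (added example).

Rule names, tags and addresses are assumptions.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    direction: str                        # "INGRESS" or "EGRESS"
    priority: int                         # 0-65535; lower number is evaluated first
    action: str                           # "allow" or "deny"
    protocol: str = "all"                 # "tcp", "udp", "icmp" or "all"
    ports: frozenset = frozenset()        # empty -> every port
    source_ranges: tuple = ()             # INGRESS: CIDRs the traffic comes from
    dest_ranges: tuple = ()               # EGRESS: CIDRs the traffic goes to
    target_tags: frozenset = frozenset()  # empty -> every instance in the VPC


@dataclass(frozen=True)
class Instance:
    name: str
    ip: str
    tags: frozenset


# Every VPC network carries these two rules; they cannot be deleted.
IMPLIED_RULES = (
    Rule("implied-deny-ingress", "INGRESS", 65535, "deny", source_ranges=("0.0.0.0/0",)),
    Rule("implied-allow-egress", "EGRESS", 65535, "allow", dest_ranges=("0.0.0.0/0",)),
)

FRONTEND, BACKEND = "10.0.1.0/24", "10.0.2.0/24"

# Assumed rule set. The explicit deny is needed because the public-facing allow
# on the frontend uses 0.0.0.0/0, which also covers backend addresses.
RULES = (
    Rule("allow-internet-to-frontend", "INGRESS", 1000, "allow", "tcp", frozenset({443}),
         source_ranges=("0.0.0.0/0",), target_tags=frozenset({"frontend"})),
    Rule("allow-frontend-to-backend", "INGRESS", 1000, "allow", "tcp", frozenset({8080}),
         source_ranges=(FRONTEND,), target_tags=frozenset({"backend"})),
    Rule("deny-backend-to-frontend", "INGRESS", 900, "deny",
         source_ranges=(BACKEND,), target_tags=frozenset({"frontend"})),
)
# The same design without the explicit deny, to show the trap.
RULES_WITHOUT_DENY = tuple(r for r in RULES if r.action != "deny")


def _in_ranges(ip, ranges):
    address = ipaddress.ip_address(ip)
    return any(address in ipaddress.ip_network(r) for r in ranges)


def _matches(rule, instance, peer_ip, protocol, port):
    if rule.target_tags and not (rule.target_tags & instance.tags):
        return False
    if rule.protocol not in ("all", protocol):
        return False
    if rule.ports and port not in rule.ports:
        return False
    ranges = rule.source_ranges if rule.direction == "INGRESS" else rule.dest_ranges
    return _in_ranges(peer_ip, ranges)


def evaluate(rules, instance, direction, peer_ip, protocol, port):
    """Return (action, rule_name) of the winning rule for one packet direction."""
    candidates = [r for r in (*rules, *IMPLIED_RULES) if r.direction == direction]
    # Lower priority number first; at equal priority deny takes precedence.
    for rule in sorted(candidates, key=lambda r: (r.priority, r.action != "deny")):
        if _matches(rule, instance, peer_ip, protocol, port):
            return rule.action, rule.name
    raise AssertionError("the implied rules always match")


def egress_allowed(rules, src, dst_ip, protocol, port):
    """Egress check only, for a destination outside the VPC (e.g. a patch mirror).
    Firewall permission is necessary but not sufficient: an instance with no
    external IP also needs Cloud NAT to reach the internet."""
    return evaluate(rules, src, "EGRESS", dst_ip, protocol, port)[0] == "allow"


def connection_allowed(rules, src, dst, protocol, port):
    """A new connection between two VPC instances needs egress allow at the source
    and ingress allow at the destination. Replies are not evaluated: the VPC
    firewall is stateful and always admits return traffic."""
    egress, _ = evaluate(rules, src, "EGRESS", dst.ip, protocol, port)
    ingress, _ = evaluate(rules, dst, "INGRESS", src.ip, protocol, port)
    return egress == "allow" and ingress == "allow"


FE = Instance("fe-1", "10.0.1.10", frozenset({"frontend"}))
BE = Instance("be-1", "10.0.2.10", frozenset({"backend"}))

if __name__ == "__main__":
    print("frontend -> backend tcp/8080:", connection_allowed(RULES, FE, BE, "tcp", 8080))
    print("backend -> frontend tcp/8080:", connection_allowed(RULES, BE, FE, "tcp", 8080))
    print("backend -> frontend tcp/443: ", connection_allowed(RULES, BE, FE, "tcp", 443),
          evaluate(RULES, FE, "INGRESS", BE.ip, "tcp", 443))
    print("same, without the deny rule: ", connection_allowed(RULES_WITHOUT_DENY, BE, FE, "tcp", 443))
    print("backend -> 203.0.113.5 tcp/443 (patches):", egress_allowed(RULES, BE, "203.0.113.5", "tcp", 443))
```

For Question 7 the same evaluator applies with one ingress allow for TCP/4444 whose source and target are both the `app-tier` tag (source tags are accepted for rules within a single VPC), leaving the implied deny to block every other source; note that tags are not a security boundary on their own, since anyone with `compute.instances.setTags` on an instance can add the tag.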

Question 20 (hard, multiple choice)

A company has a Cloud Storage bucket containing sensitive data. They want to ensure that only users with specific IAM roles can access the bucket, and that access is logged for audit purposes. They also want to prevent public access. Which configuration steps should they take?

These PCSE practice questions are part of Courseiva's free Google Cloud certification practice question bank. Courseiva provides original exam-style PCSE questions with detailed explanations, topic-based practice, mock exams, readiness tracking, and study analytics.