Back to Google Professional Cloud Security Engineer questions

Scenario-based practice

Drag and Drop Matching Questions

Practise Google Professional Cloud Security Engineer practice questions — original exam-style scenarios covering every exam domain, with detailed explanations, wrong-answer analysis, and common exam traps.

10
scenario questions
PCSE
exam code
Google Cloud
vendor

Scenario guide

How to approach drag and drop matching questions

Matching questions give you two columns — concepts, commands, or protocols on the left, and their definitions or use-cases on the right. You drag each left item to its correct match. These appear on most certification exams and punish superficial memorisation.

Quick answer

Drag and Drop Matching Questions questions test whether you can apply the concept in context, not just recognise a definition.

How the topic appears in realistic exam-style scenarios.

Which detail in the question changes the correct answer.

How to eliminate plausible but wrong options.

How to connect the question back to the wider exam objective.

Related practice questions

Related PCSE topic practice pages

Scenario questions usually connect to one or more exam topics. Use these links to review the underlying concepts behind the scenario.

Practice set

Practice scenarios

Question 1mediummatching
Full question →

Match each IAM role to its typical use case.

Drag a concept onto its matching description — or click a concept then click the description.

Concepts
Matches

Full management of Compute Engine resources

Read-only access to Cloud Storage objects

Manage service accounts and keys

Manage Cloud KMS keys and key rings

Manage organization policies

Question 2mediummatching
Full question →

Match each encryption scope to its description.

Drag a concept onto its matching description — or click a concept then click the description.

Concepts
Matches

Data protected while traveling over networks

Data protected when stored on disk

Customer-supplied encryption keys for Google Cloud resources

Customer-managed encryption keys via Cloud KMS

Google-managed encryption keys for all data at rest

Question 3mediummatching
Full question →

Match each CVE or security concept to its description.

Drag a concept onto its matching description — or click a concept then click the description.

Concepts
Matches

Log4j remote code execution vulnerability

Heartbleed OpenSSL vulnerability

Apache Struts2 remote code execution

Windows CryptoAPI spoofing vulnerability

BlueKeep RDP remote code execution

Question 4mediummatching
Full question →

Match each Google Cloud logging/monitoring term to its definition.

Drag a concept onto its matching description — or click a concept then click the description.

Concepts
Matches

Routes logs to a destination (e.g., BigQuery, Pub/Sub)

Storage location for log entries

Counts log entries matching a filter

Records of admin and data access activities

Copies logs to a Cloud Storage or BigQuery

Question 5mediummatching
Full question →

Match each Google Cloud security tool to its primary purpose.

Drag a concept onto its matching description — or click a concept then click the description.

Concepts
Matches

DDoS protection and WAF

Centralized security and risk management

Intrusion detection for network traffic

Logs of Google staff access to customer data

Data exfiltration prevention via service perimeters

Question 6mediummatching
Full question →

Match each VPC firewall rule component to its definition.

Drag a concept onto its matching description — or click a concept then click the description.

Concepts
Matches

Ingress or egress traffic direction

CIDR blocks for incoming traffic

VM instance tags that rule applies to

Rule evaluation order (lower number = higher priority)

Allow or deny traffic

Question 7mediummatching
Full question →

Match each access control mechanism to its description.

Drag a concept onto its matching description — or click a concept then click the description.

Concepts
Matches

Identity and Access Management for resource-level permissions

Constraints applied at the organization node

Service perimeters to prevent data exfiltration

Network-level allow/deny rules for VMs

Identity-Aware Proxy for application-level access

Question 8mediummatching
Full question →

Match each Cloud KMS key purpose to its description.

Drag a concept onto its matching description — or click a concept then click the description.

Concepts
Matches

Same key for encrypt and decrypt

Public key encrypt, private key decrypt

Private key signs, public key verifies

Periodically generate new key material

Bring your own key (BYOK) into Cloud KMS

Question 9mediummatching
Full question →

Match each security command center tier to its capabilities.

Drag a concept onto its matching description — or click a concept then click the description.

Concepts
Matches

Free, includes basic vulnerability scanning and findings

Paid, includes threat detection, event threat detection, and container threat detection

Paid, includes all Premium features plus security posture, asset inventory, and compliance

Built-in vulnerability scanning and misconfiguration detection

Detects threats from Cloud Logging and DNS logs

Question 10mediummatching
Full question →

Match each compliance framework to its focus area.

Drag a concept onto its matching description — or click a concept then click the description.

Concepts
Matches

Payment card data security

Protected health information privacy and security

Service organization controls for security, availability, etc.

Cloud security for U.S. federal agencies

Information security management system standard

These PCSE practice questions are part of Courseiva's free Google Cloud certification practice question bank. Courseiva provides original exam-style PCSE questions with detailed explanations, topic-based practice, mock exams, readiness tracking, and study analytics.