
Scenario-based practice

Refer to the Exhibit Practice Questions

Practise Google Professional Cloud Security Engineer practice questions — original exam-style scenarios covering every exam domain, with detailed explanations, wrong-answer analysis, and common exam traps.

15 scenario questions | Exam code: PCSE | Vendor: Google Cloud

Scenario guide

How to approach "refer to the exhibit" practice questions

Practise exhibit-style questions that ask you to read a topology, table, command output or diagram before choosing the best answer.

Quick answer

Exhibit-style questions test whether you can read a topology, command output, diagram or table before choosing the best answer.

How to extract the relevant detail from an exhibit.

How topology, command output or routing information affects the answer.

How to avoid answering from memory before reading the evidence.

How to map the exhibit back to the exam objective.


Practice set

Practice scenarios

Question 1 (hard, multiple choice)

Refer to the exhibit. A Security Engineer runs the command to grant Alice access to view objects in a Cloud Storage bucket. Later, Alice reports she can no longer access the bucket after January 1, 2024. What is the most likely reason?

Exhibit

```
gcloud projects add-iam-policy-binding my-project \
  --member='user:alice@example.com' \
  --role='roles/storage.objectViewer' \
  --condition='expression=request.time < timestamp
```
Question 2 (medium, multiple choice)

A security engineer is using Cloud Asset Inventory to find all Compute Engine instances that are not labeled with a 'compliance' label. Based on the exhibit, which instance(s) are missing the compliance label?

Exhibit

```
$ gcloud asset search-all-resources \
  --scope=organizations/123456789012 \
  --asset-types='compute.googleapis.com/Instance'
```

Refer to the exhibit.

Output from gcloud command:

```
name: //compute.googleapis.com/projects/my-project/zones/us-central1-a/instances/instance-1
assetType: compute.googleapis.com/Instance
project: projects/123456789012
ancestors: ["organizations/123456789012", "folders/456", "projects/123456789012"]
labels:
  env: production
  compliance: hipaa
name: //compute.googleapis.com/projects/other-project/zones/us-central1-a/instances/instance-2
project: projects/987654321098
ancestors: ["organizations/123456789012", "folders/789", "projects/987654321098"]
env: dev
```
Question 3 (hard, multiple choice)

Refer to the exhibit. A security engineer runs the command to view recent decrypt operations on a Cloud KMS key. The output shows a successful decryption. However, the engineer is concerned about the exposure of the plaintext. Based on the log entry, what is the most accurate statement regarding the visibility of the decrypted plaintext?

Exhibit

Refer to the exhibit.

```
$ gcloud logging read "logName=projects/my-project/logs/cloudaudit.googleapis.com%2Factivity AND protoPayload.methodName=google.cloud.kms.v1.Decrypt" --limit 5

---
insertId: 1a2b3c4d5e
logName: projects/my-project/logs/cloudaudit.googleapis.com%2Factivity
protoPayload:
  @type: type.googleapis.com/google.cloud.audit.AuditLog
  authenticationInfo:
    principalEmail: user@example.com
  methodName: google.cloud.kms.v1.Decrypt
  resourceName: projects/my-project/locations/global/keyRings/my-keyring/cryptoKeys/my-key/cryptoKeyVersions/1
  response:
    plaintext: "REDACTED"
  serviceName: cloudkms.googleapis.com
  status: {}
resource:
  labels:
    key_id: my-key
    location: global
    key_ring: my-keyring
  type: cloudkms_crypto_key
severity: NOTICE
```
Question 4 (medium, multiple choice)

A security engineer runs the command in the exhibit. The command fails with an error: 'Permission denied: cryptoKeyVersions.encrypt'. What is the most likely cause?

Exhibit

Refer to the exhibit.

```
gcloud kms encrypt \
  --location=global \
  --keyring=my-keyring \
  --key=my-key \
  --plaintext-file=secret.txt \
  --ciphertext-file=secret.enc
```
Question 5 (hard, multiple choice)

A security engineer reviews the IAM policy for a Cloud Storage bucket as shown in the exhibit. Alice reports that she cannot upload objects to the bucket, while Bob can view objects. What is the most likely issue?

Exhibit

Refer to the exhibit.

```
{
  "bindings": [
    {
      "role": "roles/storage.objectViewer",
      "members": [
        "user:alice@example.com",
        "user:bob@example.com"
      ]
    },
    {
      "role": "roles/storage.objectAdmin",
      "members": [
        "user:alice@example.com"
      ]
    }
  ]
}
```
Question 6 (medium, multiple choice)

Refer to the exhibit. A security engineer runs this command to check bucket permissions. What is the most significant security issue?

Exhibit

```
Resource: bucket 'my-data-bucket'
  IAM policy:
  - role: roles/storage.objectViewer
    members:
    - user:alice@example.com
    - domain:example.com
  - role: roles/storage.legacyBucketReader
    members:
    - allUsers
  Uniform bucket-level access: disabled
  ACLs:
  - entity: allUsers
    role: READER
```
Question 7 (medium, multiple choice)

Refer to the exhibit. A Security Engineer is reviewing the IAM policy for a project. An administrator reports that a user named admin@example.com cannot create firewall rules, even though the command should allow it. According to the policy, what is the most likely reason?

Exhibit

```json
{
  "bindings": [
    {
      "role": "roles/compute.instanceAdmin.v1",
      "members": [
        "user:admin@example.com"
      ]
    },
    {
      "role": "roles/compute.networkAdmin",
      "members": [
        "user:admin@example.com"
      ]
    },
    {
      "role": "roles/compute.securityAdmin",
      "members": [
        "group:security-team@example.com"
      ]
    }
  ],
  "etag": "BwX9X9X9X9X="
}
```
Question 8 (medium, multiple choice)

Refer to the exhibit. A security engineer runs the commands shown. The command 'gcloud compute instances list' fails with a permission denied error. The service account key belongs to a service account with the role 'roles/compute.viewer' on the project. What is the most likely cause?

Exhibit

```
gcloud auth activate-service-account --key-file=key.json
gcloud config set project my-project
gcloud compute instances list
```
Question 9 (medium, multiple choice)

Refer to the exhibit. A security engineer reviews the IAM policy for a service account. What is the effect of the condition?

Exhibit

```json
{
  "bindings": [
    {
      "role": "roles/iam.serviceAccountUser",
      "members": ["user:alice@example.com"],
      "condition": {
        "expression": "request.time < timestamp('2025-12-31T23:59:59Z')",
        "title": "expire_access"
      }
    }
  ]
}
```
Question 10 (hard, multiple choice)

Refer to the exhibit. An organization has the above IAM policy on a project. The user user@example.com is trying to view a list of objects in a bucket from IP address 10.1.1.1. What will be the result?

Exhibit

```json
{
  "bindings": [
    {
      "role": "roles/storage.admin",
      "members": ["user:admin@example.com"]
    },
    {
      "role": "roles/storage.objectViewer",
      "members": ["user:user@example.com"],
      "condition": {
        "title": "ip_restriction",
        "expression": "source.ip in ['10.0.0.0/8']"
      }
    }
  ]
}
```
Question 11 (hard, multiple choice)

An organization is configuring a Cloud Storage bucket for a regulated workload. The bucket configuration shown in the exhibit was applied. Which compliance requirement is this configuration primarily designed to address?

Exhibit

Refer to the exhibit.

```json
{
  "kind": "storage#bucket",
  "name": "compliance-bucket",
  "retentionPolicy": {
    "retentionPeriod": "31536000",
    "effectiveTime": "2024-01-01T00:00:00Z",
    "isLocked": true
  },
  "iamConfiguration": {
    "uniformBucketLevelAccess": {
      "enabled": true
    }
  }
}
```
Question 12 (hard, multiple choice)

Refer to the exhibit. An operations engineer configured this alert policy to notify when any VM instance in project my-project has high CPU utilization. However, no notifications are received even when CPU is consistently above 90% on multiple instances in us-central1-a. What is the most likely cause?

Exhibit

Refer to the exhibit.

```yaml
# monitoring alert policy
combiner: OR
conditions:
- conditionThreshold:
    filter: resource.type="gce_instance" AND metric.type="compute.googleapis.com/instance/cpu/utilization"
    aggregations:
    - alignmentPeriod: 60s
      perSeriesAligner: ALIGN_RATE
    duration: 300s
    comparison: COMPARISON_GT
    thresholdValue: 0.8
    trigger:
      count: 1
  displayName: CPU > 80%
- conditionMonitoringQueryLanguage:
    query: |
      fetch gce_instance
      | metric 'compute.googleapis.com/instance/cpu/utilization'
      | filter resource.zone == 'us-central1-a'
      | group_by [resource.instance_id], 60s, [value_utilization_mean: mean(value.utilization)]
      | every 60s
      | condition value_utilization_mean > 0.9
    duration: 0s
    trigger:
      count: 1
  displayName: High average CPU per instance
documentation:
  content: |
    Alert when CPU is high.
  mime_type: text/markdown
```
Question 13 (medium, multiple choice)

Refer to the exhibit. A compliance auditor reviews the key configuration and finds a potential issue. What is the most likely compliance impact?

Exhibit

Refer to the exhibit.

```json
{
  "name": "projects/my-project/locations/us-central1/keyRings/my-keyring/cryptoKeys/my-key",
  "primary": {
    "state": "ENABLED",
    "createTime": "2024-01-01T00:00:00Z"
  },
  "purpose": "ENCRYPT_DECRYPT",
  "rotationPeriod": null,
  ...
}
```
Question 14 (easy, multiple choice)

Refer to the exhibit. A security engineer sees this configuration for a Cloud Storage bucket. What does this indicate about the encryption of objects in this bucket?

Exhibit

```
$ gcloud storage buckets describe gs://my-bucket --format="json" | jq .encryption
{
  "defaultKmsKeyName": "projects/my-project/locations/us-central1/keyRings/my-keyring/cryptoKeys/my-key"
}
```
Question 15 (hard, multiple choice)

Refer to the exhibit. A security administrator is troubleshooting why a user cannot access a BigQuery dataset. The user analyst@example.com is not a member of data-team@example.com. The user is trying to query a table in the dataset. What is the most likely reason for the denial?

Exhibit

```json
{
  "bindings": [
    {
      "role": "roles/bigquery.dataViewer",
      "members": [
        "user:analyst@example.com"
      ]
    },
    {
      "role": "roles/bigquery.dataOwner",
      "members": [
        "group:data-team@example.com"
      ]
    }
  ],
  "etag": "ABC"
}
```

These PCSE practice questions are part of Courseiva's free Google Cloud certification practice question bank. Courseiva provides original exam-style PCSE questions with detailed explanations, topic-based practice, mock exams, readiness tracking, and study analytics.