PCSE · topic practice

Configuring access within a cloud solution environment practice questions

Practise Google Professional Cloud Security Engineer (PCSE) questions on the Configuring access within a cloud solution environment domain: original exam-style scenarios with answer choices, explanations, and analysis of common mistakes.

Courseiva uses original exam-style practice questions designed for learning and revision. The goal is to understand the concepts, recognise exam patterns, and improve through explanations — not memorise copied exam dumps.

Reviewed by Johnson Ajibi · MSc IT Security
20 questions · Domain: Configuring access within a cloud solution environment

What the exam tests

What to know about Configuring access within a cloud solution environment

Access-configuration questions test how Cloud Identity, IAM and organization policy fit together: which principal is granted which role on which resource, and how that grant is scoped, conditioned and inherited down the resource hierarchy.

IAM roles (basic, predefined, custom) and policy bindings at organization, folder, project and resource level, including inheritance and least privilege.

Service accounts: attaching them to Compute Engine, Cloud Run, Cloud Functions and Cloud Build workloads, impersonation, Workload Identity on GKE, and why downloaded service account keys are avoided.

IAM Conditions (for example time-bound grants using request.time) and the difference between allUsers and allAuthenticatedUsers.

Organization policy constraints (resource locations, CMEK requirements, service account key restrictions) and how an exception is scoped to a folder or project.

Workforce identity federation, Cloud Identity groups and Identity-Aware Proxy (IAP) for user access to web applications.

Kubernetes RBAC on GKE alongside Cloud IAM, and IAM database authentication for Cloud SQL.

Watch out for

Common Configuring access within a cloud solution environment exam traps

  • Predefined roles are narrower than their names suggest: roles/compute.networkAdmin does not cover firewall rules, which need roles/compute.securityAdmin.
  • A conditional binding silently stops working once its condition is false; an expired request.time condition looks to the user like revoked access.
  • A principal cannot see a project in the Cloud Console without resourcemanager.projects.get, which a custom role does not include unless you add it.
  • Removing the allUsers invoker binding does not let a specific caller in; the caller's own service account still needs the invoker role.
  • Private Google Access changes how traffic reaches Google APIs, not who is authorized; authorization still comes from the attached service account.
  • Attached service accounts and Workload Identity yield short-lived tokens; downloaded keys are the long-lived credentials the exam expects you to avoid.

Practice set

Configuring access within a cloud solution environment questions

20 questions · select your answer, then reveal the explanation

A company is designing a CI/CD pipeline using Cloud Build. Security requirements mandate that the pipeline deploy only to projects that have been explicitly authorized. The security team wants to use a service account that can be assumed by Cloud Build to perform deployments, and they want to restrict which projects can be deployed to using organization policies. Which approach should they take?

A company uses Cloud Identity-Aware Proxy (IAP) to secure access to an internal web application hosted on Compute Engine. After a recent security audit, the team wants to ensure that only users with specific attributes can access the app, such as belonging to the 'engineering' group and having a verified corporate email. What is the best approach to enforce this requirement?

A financial services company is migrating its on-premises application to Google Cloud. The application needs to access a Cloud SQL instance and a Cloud Storage bucket. Security requirements mandate that the application must use short-lived credentials and avoid storing long-lived service account keys. The application runs on Compute Engine. What should the Security Engineer do to meet these requirements?

A DevOps team wants to grant a contractor temporary access to a specific Cloud Storage bucket for 30 days. The contractor has a Google account (example@gmail.com). The bucket contains sensitive data, and the access should be as restrictive as possible. What is the recommended way to grant this access?

Question 5 · hard · multiple choice

An organization uses Cloud Run to deploy microservices. Each microservice needs to authenticate to Cloud Pub/Sub topics. The Security Engineer wants to enforce that each service only uses its own service account and cannot impersonate others. The team also wants to rotate credentials automatically. What is the best practice to achieve this?

Question 6 · medium · multiple choice

A company wants to allow employees to access a web application running on Google Kubernetes Engine (GKE) using their corporate Active Directory credentials. The application is exposed via an HTTPS load balancer. The Security Engineer needs to integrate identity federation and ensure that only authenticated users can reach the application. Which combination of services should be used?

A Security Engineer is designing access controls for a multi-cloud environment where workloads on Google Cloud need to access on-premises databases. The company wants to use long-lived credentials. Which TWO options are valid approaches? (Choose TWO.)

A company wants to enforce that all access to Cloud Storage buckets in a project is encrypted with Customer-Managed Encryption Keys (CMEK). The Security Engineer needs to configure the organization policy to meet this requirement. Which THREE steps should be taken? (Choose THREE.)

Refer to the exhibit. A Security Engineer runs the command to grant Alice access to view objects in a Cloud Storage bucket. Later, Alice reports she can no longer access the bucket after January 1, 2024. What is the most likely reason?

Exhibit

gcloud projects add-iam-policy-binding my-project \
  --member='user:alice@example.com' \
  --role='roles/storage.objectViewer' \
  --condition='expression=request.time < timestamp
[command truncated in the exhibit]

Refer to the exhibit. A Security Engineer is reviewing the IAM policy for a project. An administrator reports that a user named admin@example.com cannot create firewall rules, even though the command should allow it. According to the policy, what is the most likely reason?

Exhibit

{
  "bindings": [
    {
      "role": "roles/compute.instanceAdmin.v1",
      "members": [
        "user:admin@example.com"
      ]
    },
    {
      "role": "roles/compute.networkAdmin",
      "members": [
        "user:admin@example.com"
      ]
    },
    {
      "role": "roles/compute.securityAdmin",
      "members": [
        "group:security-team@example.com"
      ]
    }
  ],
  "etag": "BwX9X9X9X9X="
}
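Questions 9 and 10 both come down to reading an IAM policy document correctly: which roles a member effectively holds, and whether a time-bound condition has already lapsed. The audit below is an added example, not code from the page or from Google; it takes a constructed policy in the JSON shape that `gcloud projects get-iam-policy PROJECT --format=json` returns (the exhibit's three bindings plus three risky ones added for illustration) and generalises the exam checks into a small linter: lapsed expiry conditions, allUsers/allAuthenticatedUsers grants, basic roles, and user accounts outside the corporate domain. The member names, the expiry regex and the corporate-domain list are assumptions for the example.

```python
"""Audit a Cloud IAM policy document for common access-configuration mistakes.

Added example with a constructed policy; role and member names are illustrative.
"""
import re
from collections import defaultdict
from datetime import datetime

BASIC_ROLES = {"roles/owner", "roles/editor", "roles/viewer"}
PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}
# Expression form of a time-bound grant (IAM Conditions, CEL):
#   request.time < timestamp("2024-01-01T00:00:00Z")
# Assumption: only this simple expiry form is recognised; others are left alone.
EXPIRY_RE = re.compile(r'request\.time\s*<\s*timestamp\("([^"]+)"\)')


def parse_rfc3339(value):
    """Parse an RFC 3339 timestamp such as 2024-01-01T00:00:00Z into a tz-aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def time_bound_binding(role, members, expires_at):
    """Build a conditional binding; a title is required next to the expression."""
    return {
        "role": role,
        "members": list(members),
        "condition": {
            "title": f"expires-{expires_at[:10]}",
            "expression": f'request.time < timestamp("{expires_at}")',
        },
    }


def condition_expiry(condition):
    """Return the expiry datetime for a simple expiry condition, else None."""
    if not condition:
        return None
    match = EXPIRY_RE.search(condition.get("expression", ""))
    return parse_rfc3339(match.group(1)) if match else None


def audit_policy(policy, now_rfc3339, corporate_domains=("example.com",)):
    """Return (findings, effective_roles).

    findings: list of (kind, member, role) tuples
    effective_roles: member -> set of roles whose conditions still hold at `now`
    """
    now = parse_rfc3339(now_rfc3339)
    findings = []
    effective = defaultdict(set)
    for binding in policy.get("bindings", []):
        role = binding["role"]
        expiry = condition_expiry(binding.get("condition"))
        expired = expiry is not None and now >= expiry
        for member in binding["members"]:
            if expired:
                # The grant still appears in the policy but no longer authorizes anything.
                findings.append(("expired", member, role))
                continue
            effective[member].add(role)
            if member in PUBLIC_MEMBERS:
                findings.append(("public", member, role))
            if role in BASIC_ROLES:
                findings.append(("basic_role", member, role))
            if member.startswith("user:") and member.split("@", 1)[1] not in corporate_domains:
                findings.append(("external_user", member, role))
    return findings, dict(effective)


# Constructed policy: the exhibit's bindings plus a lapsed time-bound grant,
# a public invoker binding and an external user holding a basic role.
# Conditional bindings require policy version 3.
SAMPLE_POLICY = {
    "version": 3,
    "bindings": [
        {"role": "roles/compute.instanceAdmin.v1", "members": ["user:admin@example.com"]},
        {"role": "roles/compute.networkAdmin", "members": ["user:admin@example.com"]},
        {"role": "roles/compute.securityAdmin", "members": ["group:security-team@example.com"]},
        time_bound_binding("roles/storage.objectViewer", ["user:alice@example.com"],
                           "2024-01-01T00:00:00Z"),
        {"role": "roles/cloudfunctions.invoker", "members": ["allUsers"]},
        {"role": "roles/editor", "members": ["user:contractor@gmail.com"]},
    ],
    "etag": "BwX9X9X9X9X=",
}

if __name__ == "__main__":
    findings, effective = audit_policy(SAMPLE_POLICY, "2024-06-01T00:00:00Z")
    for kind, member, role in findings:
        print(f"{kind:14} {member:36} {role}")
    print("admin@example.com holds:", sorted(effective["user:admin@example.com"]))
```

Run against the sample on 1 June 2024, the audit reports Alice's objectViewer grant as expired (the answer to Question 9), shows admin@example.com holding only instanceAdmin.v1 and networkAdmin, neither of which carries firewall permissions (Question 10), and flags the allUsers invoker and the external editor that later questions on the page warn about.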
Question 11 · hard · multiple choice

A company uses Cloud SQL for PostgreSQL with IAM database authentication. A security engineer needs to grant a user named 'analyst@example.com' the ability to run SELECT queries on the 'orders' table. The user is a member of the group 'analysts@example.com'. What is the correct combination of IAM and database permissions?

A security engineer needs to ensure that a Compute Engine VM can securely access Cloud Storage buckets without exposing a public IP address. The VM is in a VPC with Private Google Access enabled. What is the recommended approach?

A company uses Organization Policies to restrict resource locations. They want to allow resources only in 'us-central1' and 'europe-west1'. They also need to allow a specific project to use 'us-east1' for a temporary workload. What is the correct organization policy configuration?

A company wants to implement least privilege for a service account that needs to read objects from a Cloud Storage bucket and publish messages to a Pub/Sub topic. Which TWO IAM roles should be granted to the service account? (Choose TWO)

A security team is designing access controls for a multi-tenant SaaS application on Google Kubernetes Engine (GKE). Each tenant has a separate namespace. They want to ensure that a DevOps team can manage deployments across all namespaces, but cannot modify secrets in the 'tenant-alpha' namespace. Which THREE Kubernetes RBAC resources should be created? (Choose THREE)

Refer to the exhibit. A security engineer runs the commands shown. The command 'gcloud compute instances list' fails with a permission denied error. The service account key belongs to a service account with the role 'roles/compute.viewer' on the project. What is the most likely cause?

Exhibit

gcloud auth activate-service-account --key-file=key.json
gcloud config set project my-project
gcloud compute instances list
Question 17 · hard · multiple choice

Your company has a hybrid cloud environment with on-premises servers and Google Cloud. You are using Cloud VPN to connect the on-premises network to a VPC in us-central1. The on-premises network uses RFC 1918 addresses (10.0.0.0/8). The VPC has subnets in 10.0.0.0/8 as well, causing IP overlap. To resolve this, you have configured the VPC with a custom IP range of 172.16.0.0/12 and migrated some workloads. However, some legacy on-premises servers still need to access a specific set of Compute Engine VMs in the VPC. The security team requires that only authenticated service accounts from the VPC can access on-premises resources, and that traffic from on-premises to Google Cloud must be limited to specific ports (e.g., 443, 8443). You have set up a Cloud VPN tunnel with route-based VPN. What should you do to enforce these access controls?

You are a security engineer for a startup that uses Google Workspace and Google Cloud. You have been asked to allow a contractor, who has a Google account (contractor@example.com), to manage Cloud Storage buckets in a specific project. The contractor should not have access to any other resources. You create a custom role with the necessary permissions and grant it to the user at the project level. However, the contractor reports that they cannot see the project in the Cloud Console. What is the most likely reason?

A company uses Cloud Functions with a service account that has the role 'roles/cloudfunctions.invoker' to allow unauthenticated invocation. They want to change this so that only authenticated requests from a specific Cloud Scheduler job can invoke the function. The Cloud Scheduler job runs in the same project and uses a service account with the role 'roles/cloudscheduler.serviceAgent'. The security engineer updates the Cloud Function's ingress settings to 'Allow internal traffic only' and removes the 'allUsers' invoker binding. However, the Cloud Scheduler job now fails with a 403 error. What should the engineer do to fix this?

A company has deployed a multi-region Kubernetes cluster using GKE. The security team wants to ensure that only pods with a specific service account can access a Cloud Storage bucket containing sensitive data. What is the best practice to achieve this?



Frequently asked questions

What does the PCSE exam test about Configuring access within a cloud solution environment?
Questions in this domain test IAM roles and policy bindings, service accounts and Workload Identity, IAM Conditions, organization policy constraints, identity federation and IAP, and Kubernetes RBAC on GKE: who gets which role on which resource, and how that grant is scoped and inherited.
How should I use these practice questions?
Select your answer before revealing the explanation. Then read why each option is right or wrong — this active recall approach builds retention far faster than re-reading notes.
Can I practise just Configuring access within a cloud solution environment questions in a focused session?
Yes — the session launcher on this page draws every question from the Configuring access within a cloud solution environment domain. Use a 10-question session first to gauge your baseline, then move to 20 or 30 once the weak spots are clear.
Where can I practise other PCSE topics?
Use the topic links above to move to related areas, or go back to the PCSE question bank to see all topics.
Are these real exam questions or dumps?
These are original practice questions written to test the same concepts the PCSE exam covers. They are not copied from any real exam or dump site.