
Managing operations in a cloud solution environment practice questions

Practise Google Professional Cloud Security Engineer Managing operations in a cloud solution environment practice questions — original exam-style scenarios with answer choices, explanations, and analysis of common mistakes.

Courseiva uses original exam-style practice questions designed for learning and revision. The goal is to understand the concepts, recognise exam patterns, and improve through explanations — not memorise copied exam dumps.

Reviewed by Johnson Ajibi · MSc IT Security
20 questions · Domain: Managing operations in a cloud solution environment

What the exam tests

What to know about Managing operations in a cloud solution environment

Cloud concepts questions usually test the service model (IaaS/PaaS/SaaS) and deployment model (public/private/hybrid/community) appropriate for a given scenario.

IaaS, PaaS and SaaS responsibilities and examples.

Public, private, hybrid and community cloud deployment models.

On-premises vs cloud trade-offs: cost, control, scalability.

How cloud connectivity options (VPN, Direct Connect, ExpressRoute) work.

Watch out for

Common Managing operations in a cloud solution environment exam traps

  • IaaS gives you infrastructure control; SaaS gives you only the application.
  • Hybrid cloud combines on-premises and public cloud — not two public clouds.
  • Cloud does not automatically mean cheaper or more secure.
  • Management responsibility shifts with each service model (IaaS → PaaS → SaaS).

Practice set

Managing operations in a cloud solution environment questions

20 questions · select your answer, then reveal the explanation

A security engineer needs to investigate a potential data exfiltration incident in a Google Cloud environment. The engineer has access to Cloud Logging and wants to identify any unusual outbound network traffic from Compute Engine instances. Which log sink filter should the engineer create to capture VPC flow logs for traffic destined to an external IP address not in the internal network ranges?

Question 2 · hard · multiple choice

A financial services company runs a sensitive application on Google Kubernetes Engine (GKE) with Workload Identity enabled. Security policy requires that only pods with a specific service account can access a Cloud Storage bucket containing customer data. The bucket has uniform bucket-level access enabled. What is the correct combination of IAM bindings to achieve this?

A security engineer is tasked with automating the remediation of non-compliant resources in a Google Cloud organization. The organization uses Organization Policy Service to enforce constraints. The engineer needs to automatically disable a specific service (e.g., Compute Engine API) for a project that violates a policy. Which Google Cloud service should be used to trigger this remediation?

A company is migrating to Google Cloud and wants to ensure that all service account keys are rotated automatically every 90 days. The security engineer needs to implement a solution that detects keys older than 90 days and notifies the security team. What is the most efficient way to achieve this?

Question 5 · hard · multiple choice

A security engineer is configuring VPC Service Controls to protect a Google Cloud project containing sensitive data. The project uses Cloud Storage and BigQuery. The engineer wants to ensure that data cannot be exfiltrated to external IP addresses outside the perimeter, but internal users should still be able to access the data from on-premises via a VPN. Which configuration should be applied?

A security engineer is investigating a potential data breach in a Google Cloud environment. The engineer suspects that a compromised service account key was used to access Cloud Storage buckets. Which TWO actions should the engineer take immediately to mitigate the risk?

A security engineer is designing a solution to monitor and detect anomalous IAM role usage across multiple Google Cloud projects. The engineer wants to create a centralized logging solution that captures all IAM policy changes and access attempts. Which THREE services should the engineer use together to achieve this?

A security engineer is reviewing a log entry in Cloud Logging that matches the filter shown in the exhibit. The engineer wants to understand why this specific log entry was generated. Which action most likely caused this log entry?

Exhibit

Refer to the exhibit.

```
resource.type = "gce_instance"
resource.labels.instance_id = "1234567890123456789"
severity = "ERROR"
log_name = "projects/my-project/logs/compute.googleapis.com%2Factivity_log"
```

A security engineer is reviewing the IAM policy of a Cloud Storage bucket that contains sensitive data. The exhibit shows the current policy. A developer reports that they can read objects in the bucket using service account sa-2, but they cannot delete objects. What is the most likely reason?

Exhibit

Refer to the exhibit.

```
{
  "bindings": [
    {
      "role": "roles/storage.objectViewer",
      "members": [
        "serviceAccount:sa-1@project.iam.gserviceaccount.com"
      ]
    },
    {
      "role": "roles/storage.objectAdmin",
      "members": [
        "serviceAccount:sa-2@project.iam.gserviceaccount.com"
      ]
    }
  ]
}
```

A company runs a critical application on Compute Engine instances in a managed instance group (MIG) behind an external TCP/UDP Network Load Balancer. The security team requires that all traffic to the instances be inspected by a third-party next-generation firewall (NGFW) that is not yet deployed. Which architecture should the security engineer implement to meet the requirement with minimal disruption to traffic?

A security engineer is designing a VPC Service Controls perimeter to protect a project containing sensitive data stored in Cloud Storage and BigQuery. The perimeter currently allows access from an on-premises data center via private connectivity (Cloud Interconnect). The business requires that a third-party SaaS application (outside the perimeter) be able to write data into a specific Cloud Storage bucket. Which action should the engineer take?

An organization uses Cloud Audit Logs to monitor admin activity. The security team wants to be alerted when a user creates a new IAM role at the organization level. Which type of audit log should they analyze?

A company is migrating its on-premises Microsoft Active Directory to Google Cloud using Managed Microsoft AD (Microsoft AD). They need to ensure that users can authenticate to Compute Engine Windows instances using their on-premises credentials without additional user setup. What is the most secure and scalable approach?

A security engineer is troubleshooting a connectivity issue between two VPCs connected via VPC Network Peering. VPC-A (project A) has a Compute Engine instance with internal IP 10.1.0.2. VPC-B (project B) has an instance with internal IP 10.2.0.2. The engineer has verified that the peering connection is active and the firewall rules allow ingress from 10.1.0.0/16. However, the instance in VPC-B cannot ping the instance in VPC-A. What is the most likely cause?

A security engineer is configuring Cloud Armor to protect a global external HTTP(S) Load Balancer. Which TWO of the following are valid Cloud Armor security policies? (Choose two.)

An organization wants to enforce data loss prevention (DLP) for sensitive data stored in Cloud Storage. Which THREE of the following Google Cloud services can be used together to inspect, classify, and automatically redact sensitive data in Cloud Storage? (Choose three.)

Refer to the exhibit. A security engineer runs the command to view recent decrypt operations on a Cloud KMS key. The output shows a successful decryption. However, the engineer is concerned about the exposure of the plaintext. Based on the log entry, what is the most accurate statement regarding the visibility of the decrypted plaintext?

Exhibit

Refer to the exhibit.

```
$ gcloud logging read "logName=projects/my-project/logs/cloudaudit.googleapis.com%2Factivity AND protoPayload.methodName=google.cloud.kms.v1.Decrypt" --limit 5

---
insertId: 1a2b3c4d5e
logName: projects/my-project/logs/cloudaudit.googleapis.com%2Factivity
protoPayload:
  @type: type.googleapis.com/google.cloud.audit.AuditLog
  authenticationInfo:
    principalEmail: user@example.com
  methodName: google.cloud.kms.v1.Decrypt
  resourceName: projects/my-project/locations/global/keyRings/my-keyring/cryptoKeys/my-key/cryptoKeyVersions/1
  response:
    plaintext: "REDACTED"
  serviceName: cloudkms.googleapis.com
  status: {}
resource:
  labels:
    key_id: my-key
    location: global
    key_ring: my-keyring
  type: cloudkms_crypto_key
severity: NOTICE
```

Question 18 · easy · multiple choice

A security engineer is troubleshooting an issue where a Compute Engine VM cannot connect to a Cloud SQL instance that has a private IP address. Both resources are in the same VPC network. The VM's firewall rules allow egress to any destination, and the Cloud SQL instance's authorized networks include the VPC network. What is the most likely cause of the connection failure?

A company is using Cloud Armor to protect their HTTP(S) load balancer. They have configured a security policy with a rule to block traffic from a specific IP address (10.0.0.1/32). During testing, they observe that requests from that IP are still reaching the backend. What is the most likely reason?

Question 20 · hard · multiple choice

A financial services company runs a PCI DSS-compliant workload on Google Cloud. They use a service account with roles/container.clusterAdmin to manage a GKE cluster. The security team has enabled Binary Authorization with a policy that requires all container images to be signed by a trusted authority. Recently, a developer reported that a new deployment failed with the error: 'Image verification failed: no signature found for digest sha256:abc...'. The image is stored in Artifact Registry and the developer built it using Cloud Build with a trigger that automatically signs images using Cloud KMS. The Cloud Build service account has roles/cloudkms.signerVerifier and roles/binaryauthorization.attestorsViewer. The Binary Authorization policy is configured to require at least one attestation from the trusted attestor. What is the most likely reason for the failure?


Frequently asked questions

What does the PCSE exam test about Managing operations in a cloud solution environment?
Cloud concepts questions usually test the service model (IaaS/PaaS/SaaS) and deployment model (public/private/hybrid/community) appropriate for a given scenario.
How should I use these practice questions?
Select your answer before revealing the explanation. Then read why each option is right or wrong — this active recall approach builds retention far faster than re-reading notes.
Can I practise just Managing operations in a cloud solution environment questions in a focused session?
Yes — the session launcher on this page draws every question from the Managing operations in a cloud solution environment domain. Use a 10-question session first to gauge your baseline, then move to 20 or 30 once the weak spots are clear.
Where can I practise other PCSE topics?
Use the topic links above to move to related areas, or go back to the PCSE question bank to see all topics.
Are these real exam questions or dumps?
These are original practice questions written to test the same concepts the PCSE exam covers. They are not copied from any real exam or dump site.