PCSE · topic practice

Scenario practice questions

Practise Google Professional Cloud Security Engineer Scenario practice questions — original exam-style scenarios with answer choices, explanations, and analysis of common mistakes.

Courseiva uses original exam-style practice questions designed for learning and revision. The goal is to understand the concepts, recognise exam patterns, and improve through explanations — not memorise copied exam dumps.

Reviewed by Johnson Ajibi · MSc IT Security
7 questions · Domain: Scenario

What the exam tests

What to know about Scenario

Scenario questions test whether you can apply the concept in context, not just recognise a definition.

How the topic appears in realistic exam-style scenarios.

Which detail in the question changes the correct answer.

How to eliminate plausible but wrong options.

How to connect the question back to the wider exam objective.

Watch out for

Common Scenario exam traps

  • Answering from memory before reading the full scenario.
  • Missing a constraint such as cost, availability, security, scope or command context.
  • Choosing a broad answer when the question asks for the most specific fix.
  • Ignoring why the wrong options are tempting.

Practice set

Scenario questions

7 questions · select your answer, then reveal the explanation

Question 1 · hard · multiple choice

A security team needs to enforce that only requests originating from a corporate IP range (203.0.113.0/24) can access a Cloud Storage bucket containing sensitive data. They have created a custom IAM role with storage.objects.get permission and attached a condition that requires the request to have a specific IP address. However, some legitimate users outside the IP range are unable to access the data. What is the most likely cause?

Question 2 · medium · multiple choice

Refer to the exhibit. A security engineer runs the gcloud command to analyze IAM policy for a user in an organization. The output shows that the user has the 'compute.instances.create' permission via a role at the organization level. However, the user is unable to create Compute Engine instances in a specific project. What is the most likely cause?

gcloud asset analyze-iam-policy project=my-project \
    organization=123456789012 \
    resource='//cloudresourcemanager.googleapis.com/projects/123456789012' \
    identity='user:alice@example.com' \
    permissions='compute.instances.create'

Question 3 · hard · multiple choice

A company uses a shared VPC with multiple service projects. A security administrator created an organization policy with the constraint 'gcp.resourceLocations' to restrict Cloud SQL instance creation to only the 'us-central1' region. The policy is applied at the organization level. A Cloud SQL administrator is using a service account with the predefined role 'roles/cloudsql.admin' (also granted at the organization level) to create instances. Despite the organization policy, the service account successfully creates a Cloud SQL instance in the 'europe-west1' region. The administrator verifies that the organization policy is active and the constraint is enforced. What is the most likely reason the policy is not preventing the creation?

Question 4 · medium · multiple choice

A company uses Cloud Storage buckets to store sensitive data. They want to allow a third-party auditor to list bucket contents but not download the objects. Which IAM role should be assigned?

Question 5 · easy · multiple choice

A company in the EU is moving to Google Cloud and must comply with GDPR data residency requirements. They have users across multiple EU countries and want to ensure that personal data remains within the European Economic Area (EEA). They plan to use Cloud Storage, BigQuery, and Compute Engine. The security administrator sets organization policies to restrict resource locations to europe-west1, europe-west3, and europe-west4. After deploying applications, the compliance team finds that some data is stored in a Cloud Storage bucket in us-central1. Investigation shows that the bucket was created by a developer who manually chose the region. The organization policy seems to have been bypassed. The administrator confirms the policy is active and applied to the project. What is the most likely cause?

Question 6 · medium · multiple choice

A company has deployed an internal HTTP Load Balancer (ILB) in us-west1 within a Shared VPC. The host project contains the ILB's forwarding rule and the backend service. The backend instances are Compute Engine VMs running in a service project in us-east1. The health checks for the ILB are consistently failing with 'unhealthy' status. The firewall rules in the host project allow ingress from the Google Cloud health checker ranges (130.211.0.0/22 and 35.191.0.0/16) on TCP port 80 to all VMs in the VPC. The backend VMs are running a web server listening on port 80. What is the most likely cause of the health check failures?

Question 7 · easy · multiple choice

Your company runs a data analytics platform on Google Cloud that processes sensitive financial data. Data is ingested from various sources into a Cloud Storage bucket, then processed by Dataflow jobs, and final results are stored in BigQuery. You have implemented the following security controls:

  • VPC Service Controls perimeter around the project
  • Cloud KMS CMEK for all storage services
  • IAM conditions restricting access based on tags
  • Cloud Audit Logs enabled for all services

Recently, an auditor discovered that a compromised service account was able to read data from the Cloud Storage bucket even though it was outside the VPC Service Controls perimeter. The auditor reviewed the logs and found that the access came from a Compute Engine instance that was running within the same project. What is the most likely reason the VPC Service Controls perimeter did not block this access?

Frequently asked questions

What does the PCSE exam test about Scenario?
Scenario questions test whether you can apply the concept in context, not just recognise a definition.
How should I use these practice questions?
Select your answer before revealing the explanation. Then read why each option is right or wrong — this active recall approach builds retention far faster than re-reading notes.
Can I practise just Scenario questions in a focused session?
Yes — the session launcher on this page draws every question from the Scenario domain. Use a 10-question session first to gauge your baseline, then move to 20 or 30 once the weak spots are clear.
Where can I practise other PCSE topics?
Use the topic links above to move to related areas, or go back to the PCSE question bank to see all topics.
Are these real exam questions or dumps?
These are original practice questions written to test the same concepts the PCSE exam covers. They are not copied from any real exam or dump site.