PCSE cheat sheet
A one-page reference for the Professional Cloud Security Engineer exam: the format, how the domains are weighted, and the glossary terms for this exam.
Exam at a glance
Vendor
Google Cloud
Level
Professional
Questions
50
Time
120 min
Mock pass mark
70%
Domains
5
Practice Qs
152
Code
PCSE
Domain weightings
How much of the exam each domain covers. Spend your study time in proportion — the heavier the domain, the more questions you'll see.
Key terms
- Identity and Access Management
- Identity and Access Management (IAM) is the Google Cloud service that controls who can do what on which resources through roles bound to identities. PCSE covers it as the core of the configuring-access domain.
- Cloud Identity
- Cloud Identity is Google's identity-as-a-service platform for managing users, groups, and devices, with single sign-on and directory sync. PCSE covers it when configuring access.
- Service account
- A service account is a special Google Cloud identity used by applications and workloads rather than people to authenticate and access resources. PCSE covers managing service accounts and their keys under configuring access.
- Workload Identity Federation
- Workload Identity Federation is a Google Cloud capability that lets external workloads access resources using short-lived credentials without service-account keys. PCSE covers it for secure access configuration.
- VPC Service Controls
- VPC Service Controls is a Google Cloud feature that creates a security perimeter around managed services to mitigate data exfiltration. PCSE covers it for establishing boundary protection.
- Cloud Armor
- Cloud Armor is Google Cloud's web-application-firewall and DDoS-protection service applied at the edge and load balancer. PCSE covers it for securing communications and boundary protection.
- Private Service Connect
- Private Service Connect is a Google Cloud capability for privately reaching services across VPC networks without exposing traffic to the internet. PCSE covers it for private connectivity and boundary protection.
- Cloud Key Management Service
- Cloud Key Management Service (Cloud KMS) is the Google Cloud service for creating and managing cryptographic keys, including customer-managed encryption keys and rotation. PCSE covers it as central to ensuring data protection.
- Customer-managed encryption key
- A customer-managed encryption key (CMEK) is an encryption key that the customer creates and controls in Cloud KMS to protect Google Cloud data. PCSE covers CMEK, CSEK, and Cloud HSM in the data-protection domain.
- Sensitive Data Protection
- Sensitive Data Protection (formerly Cloud DLP) is a Google Cloud service for discovering, classifying, and de-identifying sensitive data. PCSE covers it for protecting sensitive data.
- Secret Manager
- Secret Manager is a Google Cloud service for securely storing, versioning, and accessing secrets such as API keys and credentials. PCSE covers it for controlling access to secrets in the data-protection domain.
- Security Command Center
- Security Command Center is Google Cloud's centralized security and risk-management platform for surfacing misconfigurations, vulnerabilities, and threats. PCSE covers it for logging, monitoring, and detection under managing operations.
- Cloud Logging
- Cloud Logging is Google Cloud's managed service for storing, searching, and analyzing log data, including audit logs. PCSE covers it for detection and for supporting compliance requirements.
- Assured Workloads
- Assured Workloads is a Google Cloud service that enforces compliance controls and data-residency requirements for regulated workloads. PCSE covers it for supporting compliance requirements.