Professional Cloud Security Engineer · Difficulty

Hard PCSE practice questions

Challenge — multi-step scenarios, trade-offs, and subtle distinctions. 30 hard questions available — no sign-up, always free.

Question 1 of 25

A financial services company runs a CI/CD pipeline that pushes container images to Artifact Registry. Security requires that any image with a CRITICAL OS-package vulnerability must never be promoted to the production GKE cluster, while HIGH and below can proceed with tracking. The team already uses Binary Authorization with an attestor. What is the most effective way to automatically enforce this severity-based gate before deployment?

Reviewed for accuracy · Report an issue
Question 2 of 25

A healthcare company is deploying a new analytics platform on Google Cloud that must comply with a regional data sovereignty regulation requiring that all cryptographic key material be generated, stored, and controlled outside of Google's infrastructure and remain in the customer's jurisdiction. The security team has created an Assured Workloads folder configured for the appropriate compliance regime. During design review, an architect asks how encryption keys should be managed to satisfy the requirement that Google must never have access to unwrapped key material. Which approach should the team adopt?

Reviewed for accuracy · Report an issue
Question 3 of 25

A European financial services company must onboard to Google Cloud while meeting EU digital sovereignty requirements. Their legal team mandates that data storage and processing remain within EU boundaries, that Google support personnel access is restricted to EU-based staff, and that customer approval is required before any Google administrator can access data during support operations. Which approach best satisfies these compliance requirements with the least custom engineering effort?

Reviewed for accuracy · Report an issue
Question 4 of 25

Your organization enforces a Binary Authorization policy on a GKE cluster requiring attestations from your CI/CD pipeline. A security review reveals a concern: images that passed admission weeks ago may later be found to contain newly disclosed vulnerabilities, but they continue running in the cluster because the policy is only evaluated at Pod creation time. The security team wants ongoing assurance that running Pods still comply with the Binary Authorization policy, and to be alerted when they drift out of compliance, without blocking currently running workloads. What should you do?

Reviewed for accuracy · Report an issue
Question 5 of 25

A media company serves static video thumbnails through a global external Application Load Balancer with Cloud CDN enabled. Their security team wants to filter requests based on source IP address and geographic region BEFORE any content is served from the CDN cache, so that malicious or out-of-region requests never reach cached or backend content. Which Cloud Armor configuration meets this requirement?

Reviewed for accuracy · Report an issue
Question 6 of 25

Your organization uses an on-premises Active Directory as the authoritative source for identities. You have deployed Google Cloud Directory Sync (GCDS) to provision users into Cloud Identity, and SSO is federated to your AD FS provider via SAML. An employee is terminated and their account is disabled in Active Directory. Security requires that this person can no longer authenticate to any Google Cloud resource. What is the correct outcome you should expect and configure to guarantee immediate loss of access?

Reviewed for accuracy · Report an issue
Question 7 of 25

A financial services company runs a fleet of 200 backend VMs (no external IPs) in a single subnet. These VMs make a very high volume of outbound API calls to a small number of external partner endpoints. Operations reports intermittent connection failures, and Cloud NAT logs show numerous 'OUT_OF_RESOURCES' drop entries for allocation, even though CPU and network throughput are well within limits. The team needs to resolve the failures without adding public IPs to the VMs. What is the most effective action?

Reviewed for accuracy · Report an issue
Question 8 of 25

A financial services company stores highly regulated customer data in BigQuery and Cloud Storage, encrypted with Cloud KMS CMEK keys. Auditors require that any time Google or an internal automated process attempts to use these keys to decrypt data, the company can review the stated reason for access and automatically deny requests that lack an approved business justification. Which Cloud KMS capability should the security engineer configure to meet this requirement?

Reviewed for accuracy · Report an issue
Question 9 of 25

A financial services company must comply with a regulation requiring that the cryptographic keys protecting customer data in BigQuery and Cloud Storage be generated on the company's on-premises FIPS 140-2 Level 3 hardware security module and never exist in software form inside Google Cloud. The company still wants to use Cloud KMS to manage the key lifecycle and reference the keys as CMEK on Google Cloud resources. Which approach meets these requirements?

Reviewed for accuracy · Report an issue
Question 10 of 25

A data governance team needs a group of auditors to list all Cloud Storage buckets in a project and view each bucket's IAM policy and configuration metadata, but they must NOT be able to read the objects stored inside any bucket. The security engineer wants to grant the narrowest possible access. Which approach best satisfies least privilege?

Reviewed for accuracy · Report an issue
Question 11 of 25

A data engineering team at a healthcare analytics company must de-identify a customer email address column before loading data into BigQuery for analysts. Requirements: (1) the same email must always produce the same token so analysts can perform GROUP BY joins across tables, (2) the wrapped cryptographic key used for tokenization must never be embedded in the Sensitive Data Protection (DLP) template or stored in plaintext, and (3) the security team must be able to rotate the key material centrally. Which configuration satisfies all requirements?

Reviewed for accuracy · Report an issue
Question 12 of 25

A healthcare analytics team wants to load customer records containing credit card numbers into BigQuery for fraud analysis. The data scientists must be able to correlate transactions belonging to the same card across different tables (referential integrity), and an authorized security team must occasionally re-identify specific cards during confirmed fraud investigations. The solution should keep the tokenized values in the same numeric format as the original card numbers so downstream schemas remain unchanged. Which Sensitive Data Protection (DLP) de-identification technique should you configure?

Reviewed for accuracy · Report an issue
Question 13 of 25

A financial services company is migrating to Google Cloud and needs a dedicated, high-bandwidth (10 Gbps) connection between their on-premises data center and their VPC. A compliance requirement mandates that all traffic traversing the connection between on-premises and Google Cloud must be encrypted in transit. The company wants the lowest-latency dedicated option while still meeting the encryption requirement. Which approach should they implement?

Reviewed for accuracy · Report an issue
Question 14 of 25

Your organization has thousands of projects and a broad set of principals who hold roles that include storage.buckets.delete and compute.instances.delete permissions through various inherited and directly-granted IAM roles. Security leadership mandates that no principal — regardless of any role grant, including at the project level — may delete Cloud Storage buckets across the entire organization, except for a break-glass group named org-admins@example.com. You want a centrally enforced control that overrides existing allow grants without editing every role or policy. What should you do?

Reviewed for accuracy · Report an issue
Question 15 of 25

Your security operations team receives a Security Command Center finding indicating a Compute Engine VM in a production project is communicating with a known cryptomining command-and-control endpoint. The incident response runbook requires that you preserve volatile and disk evidence for forensic analysis while immediately stopping the malicious outbound traffic, and you must minimize the risk of the attacker detecting your response. Which sequence of actions best meets these requirements?

Reviewed for accuracy · Report an issue
Question 16 of 25

During an active investigation, your security team suspects that a compromised service account was used to modify and delete objects in a Cloud Storage bucket over the past several days. Legal requires that all relevant Cloud Logging entries be preserved in a tamper-resistant, immutable form for potential litigation, and the retention must survive any attempt by an attacker with project-level permissions to delete logs. Which approach best meets these requirements?

Reviewed for accuracy · Report an issue
Question 17 of 25

A financial services company runs an internal HTTP(S) API on Compute Engine instances in a producer VPC. Multiple consumer teams in separate VPCs, plus an on-premises data center connected via Cloud Interconnect, need to reach this API. Security requires that all traffic stay on Google's private network with no exposure to the internet, and that the producer team explicitly control which consumer projects can connect. Which approach best meets these requirements?

Reviewed for accuracy · Report an issue
Question 18 of 25

A financial services company has a Google Cloud organization with a dedicated 'networking' folder containing Shared VPC host projects. The security team discovers that a developer in a separate 'apps' folder was able to attach their service project to a Shared VPC host project without approval. The team wants to ensure that only specifically designated host projects can be used as Shared VPC hosts across the organization, blocking all others by default. Which approach should they take?

Reviewed for accuracy · Report an issue
Question 19 of 25

A financial services company runs on-premises servers connected to a Google Cloud VPC through a Dedicated Interconnect. These servers must call Cloud Storage and BigQuery APIs, but corporate security policy forbids any traffic to Google APIs from traversing the public internet, and the on-premises hosts have no external IPs. DNS resolution for googleapis.com currently returns public IP addresses. What should the security engineer configure to meet these requirements?

Reviewed for accuracy · Report an issue
Question 20 of 25

A financial services company runs Compute Engine instances in a VPC with no external IP addresses and an organization policy that blocks external IPs. The instances must reach Google APIs such as Cloud Storage and BigQuery, but the security team requires that traffic use a private internal IP endpoint that they fully control and can reference in firewall rules and DNS, rather than the default public API domains. They also want to avoid routing this traffic over the internet or through Cloud NAT. Which approach meets these requirements?

Reviewed for accuracy · Report an issue
Question 21 of 25

A SaaS provider (the producer) runs a managed data-processing service in their own VPC. For certain workloads, the producer's service instances must initiate outbound connections into a customer's (consumer's) VPC to reach an on-prem database exposed through the consumer network — while keeping the traffic on Google's backbone and avoiding VPC Peering, which would create IP overlap and full route exchange. The producer wants a network interface that lets their instances originate traffic into the consumer VPC with controlled, one-directional reachability. Which Private Service Connect construct should the producer use?

Reviewed for accuracy · Report an issue
Question 22 of 25

A fintech company stores database credentials and API tokens in Secret Manager. Their security policy requires that (1) all secret payloads be encrypted with keys the company controls and can audit, and (2) the credentials must never leave the EU region for data-residency compliance. A developer needs read access to only one specific secret without being granted access to all secrets in the project. Which combination of configurations satisfies all these requirements?

Reviewed for accuracy · Report an issue
Question 23 of 25

A data engineering team runs an on-premises batch job that must call the BigQuery API in Google Cloud. Security policy prohibits downloading and distributing long-lived service account key files. The on-premises environment cannot be enrolled in workload identity federation because it uses a legacy authentication broker that already holds valid Google credentials for a central automation service account. The team needs the batch job to act as a dedicated BigQuery service account without any exported key material. What is the most appropriate way to grant this access?

Reviewed for accuracy · Report an issue
Question 24 of 25

A retail company uses a Shared VPC where the network team owns the host project and application teams deploy Compute Engine instances into attached service projects. The security team wants application teams to be able to target their own VM instances with firewall rules WITHOUT granting them the ability to create or modify firewall rules directly, and without relying on network tags that any instance owner could freely apply. Which approach best meets these requirements?

Reviewed for accuracy · Report an issue
Question 25 of 25

A financial services company stores sensitive customer records in BigQuery and Cloud Storage across three projects. Security wants to guarantee that even if a valid service account credential is stolen, data cannot be queried or copied from outside the corporate environment. They also need engineers who work from the on-premises data center (accessing Google APIs through a Dedicated Interconnect) to continue analyzing the data without disruption. Which approach best establishes this data-exfiltration boundary?

Reviewed for accuracy · Report an issue