Professional Cloud Security Engineer · Domain 1 · 25% of exam

Configuring access

Drill 20 practice questions focused entirely on Configuring access for the Google Cloud PCSE exam. Tap an answer for instant feedback and a full explanation — no sign-up, always free.

Verified answer20 questions
Question 1 of 20

A company uses Okta as its primary identity provider and Google Cloud with Cloud Identity for its cloud resources. The security team wants new employees added in Okta to be automatically created as Cloud Identity users, and departing employees to be automatically suspended in Cloud Identity when disabled in Okta — all without deploying or maintaining any server infrastructure on-premises. Which approach should they implement?

Reviewed for accuracy · Report an issue
Question 2 of 20

Your organization uses an on-premises Active Directory as the authoritative source for identities. You have deployed Google Cloud Directory Sync (GCDS) to provision users into Cloud Identity, and SSO is federated to your AD FS provider via SAML. An employee is terminated and their account is disabled in Active Directory. Security requires that this person can no longer authenticate to any Google Cloud resource. What is the correct outcome you should expect and configure to guarantee immediate loss of access?

Reviewed for accuracy · Report an issue
Question 3 of 20

A financial services company uses Cloud Identity as its identity provider and has hundreds of employees who frequently change roles between the 'Data Analysts', 'Data Engineers', and 'Auditors' teams. The security team is frustrated because IAM bindings are granted directly to individual user accounts, causing access drift and lengthy offboarding when people move teams. They want a scalable approach that lets access follow team membership and simplifies audits. What should they implement?

Reviewed for accuracy · Report an issue
Question 4 of 20

Your organization already manages employee identities in an on-premises Active Directory and a third-party identity provider (Okta) that supports SAML 2.0. Leadership wants employees to sign in to Google Cloud using their existing Okta credentials, and wants Okta to remain the authoritative source for authentication. You must ensure that when users authenticate, they are redirected to Okta and that Google Cloud does not store or validate their passwords. What should you configure?

Reviewed for accuracy · Report an issue
Question 5 of 20

Your organization recently adopted Google Cloud with Cloud Identity. The security team is concerned that the highly privileged super administrator accounts could be phished or compromised, leading to a full takeover of the Google Cloud organization. Which combination of practices best protects these super admin accounts while keeping them available for emergency use?

Reviewed for accuracy · Report an issue
Question 6 of 20

A data governance team needs a group of auditors to list all Cloud Storage buckets in a project and view each bucket's IAM policy and configuration metadata, but they must NOT be able to read the objects stored inside any bucket. The security engineer wants to grant the narrowest possible access. Which approach best satisfies least privilege?

Reviewed for accuracy · Report an issue
Question 7 of 20

A financial services company uses Google Cloud across an organization node. During a security review, the team discovers that engineers have been sharing Cloud Storage buckets and IAM roles with Gmail accounts and external contractor domains. Leadership mandates that going forward, IAM policies may only grant access to identities belonging to the company's own Cloud Identity account and one approved partner's Cloud Identity account. Which approach enforces this requirement across all current and future projects with the least ongoing maintenance?

Reviewed for accuracy · Report an issue
Question 8 of 20

Your company runs its CI/CD pipeline on an external SaaS platform (GitHub Actions) that is outside Google Cloud. The pipeline needs to deploy artifacts to a Cloud Storage bucket and update a Cloud Run service in your Google Cloud project. Your security team has a strict policy prohibiting the creation and download of long-lived service account keys. What is the most secure approach to grant the external pipeline access to these Google Cloud resources?

Reviewed for accuracy · Report an issue
Question 9 of 20

A data analytics team at your company needs to run and manage BigQuery jobs and query datasets in a shared project. A junior engineer proposes granting the team's Google group the roles/editor basic role on the project so the work is unblocked quickly. Your security team requires that all access follow least privilege while still enabling the team to fully perform their BigQuery work. What should you recommend?

Reviewed for accuracy · Report an issue
Question 10 of 20

A financial services company runs a production project in Google Cloud. During a scheduled quarterly maintenance window, a contractor named Dana needs the ability to restart Compute Engine instances, but only for a 48-hour period this weekend. Company policy mandates least privilege and prohibits granting standing access to contractors. Dana already has a Cloud Identity account. What is the most appropriate way to grant this access?

Reviewed for accuracy · Report an issue
Question 11 of 20

Your organization has thousands of projects and a broad set of principals who hold roles that include storage.buckets.delete and compute.instances.delete permissions through various inherited and directly-granted IAM roles. Security leadership mandates that no principal — regardless of any role grant, including at the project level — may delete Cloud Storage buckets across the entire organization, except for a break-glass group named org-admins@example.com. You want a centrally enforced control that overrides existing allow grants without editing every role or policy. What should you do?

Reviewed for accuracy · Report an issue
Question 12 of 20

A security engineer at a retail company reviews an IAM issue. A developer, dev@example.com, unexpectedly has the ability to view logs in the project 'prod-payments'. The engineer confirms the project-level IAM policy for 'prod-payments' does NOT grant dev@example.com any role. However, the developer can still read logs. Which of the following is the MOST likely explanation and where the engineer should look next?

Reviewed for accuracy · Report an issue
Question 13 of 20

A data analyst reports she can no longer download objects from a Cloud Storage bucket named 'analytics-exports' in the project 'data-prod'. She belongs to three Google Groups, and IAM bindings exist at the organization, folder, and project levels. You need to determine exactly which allow or deny policy is granting or blocking her 'storage.objects.get' permission on that specific bucket, with the least manual effort. What should you do?

Reviewed for accuracy · Report an issue
Question 14 of 20

A security engineer at a financial services company is performing a quarterly access review. A data analyst was granted the roles/editor role on the analytics project six months ago, but audit logs show they have only ever read BigQuery datasets and viewed Cloud Storage objects. Leadership wants to enforce least privilege while avoiding disruption to the analyst's legitimate work. Which approach should the engineer use to most efficiently right-size this access based on actual usage?

Reviewed for accuracy · Report an issue
Question 15 of 20

A company organizes its GCP resources with an organization node, a 'Production' folder, and a 'Sandbox' folder. At the organization level, the security team sets the 'constraints/compute.vmExternalIpAccess' list constraint to deny all values, preventing external IPs on VMs. The development team needs VMs with external IPs only within a specific project inside the 'Sandbox' folder for a public demo, without weakening the restriction anywhere else. What is the most appropriate way to achieve this?

Reviewed for accuracy · Report an issue
Question 16 of 20

Your company runs a production billing project in Google Cloud that contains critical revenue-processing resources. Leadership is concerned that an engineer with the Owner role could accidentally delete the entire project. Security must ensure that no one can delete this specific project until an explicit protective control is removed, while still allowing normal day-to-day resource management to continue. Which action best meets this requirement?

Reviewed for accuracy · Report an issue
Question 17 of 20

A financial services company must ensure that all Compute Engine and Cloud Storage resources are created only in European regions to meet data residency requirements. The security team wants a preventive control enforced across the entire organization that blocks resource creation in any non-approved region, without relying on developers to remember the policy. Which approach best meets this requirement?

Reviewed for accuracy · Report an issue
Question 18 of 20

Your organization has a folder named 'production' containing dozens of projects. Security requires that Compute Engine VMs may only be created with Shielded VM enabled, but a separate 'sandbox' folder must remain exempt so engineers can test legacy images. You want to enforce this using organization policy with the least ongoing administrative effort and without modifying individual project configurations. What should you do?

Reviewed for accuracy · Report an issue
Question 19 of 20

A financial services company has a Google Cloud organization with a dedicated 'networking' folder containing Shared VPC host projects. The security team discovers that a developer in a separate 'apps' folder was able to attach their service project to a Shared VPC host project without approval. The team wants to ensure that only specifically designated host projects can be used as Shared VPC hosts across the organization, blocking all others by default. Which approach should they take?

Reviewed for accuracy · Report an issue
Question 20 of 20

A financial services company runs all production workloads in a single GCP folder called 'prod'. A recent audit found that several Compute Engine VMs were created with external IP addresses, violating the company's policy that production instances must only be reachable through internal networking and Cloud NAT. The security team wants to prevent any future VM in the 'prod' folder from being assigned an external IP, while allowing developers in a separate 'sandbox' folder to continue using external IPs for testing. What is the most effective way to enforce this?

Reviewed for accuracy · Report an issue

More PCSE practice

Keep going with the other Professional Cloud Security Engineer domains, or take a full timed mock exam.

← Back to PCSE overview