[PCSE] Google Cloud Certified Professional
Cloud Security Engineer Certification
Review Guide
**Question 1.** Which Google Cloud service synchronizes on‑premises Active Directory users
and groups to Cloud Identity or G Suite?
A) Cloud Identity‑Aware Proxy
B) Google Cloud Directory Sync (GCDS)
C) Cloud Identity‑Based Access Management
D) Cloud Identity‑Federation API
Answer: B
Explanation: GCDS reads from an on‑prem AD and writes the objects to Cloud Identity, keeping
the cloud directory in sync with the corporate directory.
**Question 2.** In a Google Cloud Organization hierarchy, which of the following inherits
policies from its parent by default?
A) Projects only
B) Folders only
C) Both folders and projects
D) Neither folders nor projects
Answer: C
Explanation: IAM policies and Organization Policy constraints are inherited from the
Organization to folders and then to projects unless explicitly overridden.
**Question 3.** Which IAM role type provides the most granular permissions and can be
tailored to a specific set of actions?
A) Primitive role
B) Predefined role
C) Custom role
, [PCSE] Google Cloud Certified Professional
Cloud Security Engineer Certification
Review Guide
D) Service account role
Answer: C
Explanation: Custom roles let you select exactly the permissions needed, achieving the principle
of least privilege.
**Question 4.** What is the recommended method for protecting a service account key that
must be used by a CI/CD pipeline?
A) Store the key in a public GitHub repository
B) Encrypt the key with Cloud KMS and store in Secret Manager
C) Hard‑code the key in the pipeline script
D) Use a long‑lived JSON key file on the build server
Answer: B
Explanation: Encrypting the key with Cloud KMS and storing it in Secret Manager ensures it is
protected at rest and accessed securely by the pipeline.
**Question 5.** Which IAM feature allows you to grant access to a resource only during a
specific time window?
A) IAM Conditions
B) Service Account Impersonation
C) Organization Policy Constraints
D) VPC Service Controls
Answer: A
Explanation: IAM Conditions support attribute‑based access control, including time‑based
constraints.
, [PCSE] Google Cloud Certified Professional
Cloud Security Engineer Certification
Review Guide
**Question 6.** When implementing SAML‑based Single Sign‑On for Google Cloud, which
component validates the SAML assertion?
A) Cloud Identity
B) Cloud IAM
C) Cloud Resource Manager
D) Cloud Load Balancing
Answer: A
Explanation: Cloud Identity processes SAML assertions from the Identity Provider to
authenticate users.
**Question 7.** Which of the following is a best practice for enforcing multi‑factor
authentication for all privileged accounts?
A) Require MFA only for console logins
B) Enable MFA for the super‑admin role only
C) Enforce MFA via an Organization Policy constraint
D) Use a third‑party MFA solution without integration
Answer: C
Explanation: An Organization Policy can enforce MFA for all users or specific groups, ensuring
consistent enforcement across the organization.
**Question 8.** In a Shared VPC, who can create subnets that are usable by service projects?
A) Only the host project owner
B) Any member of the service project with Compute Network Admin role
C) Only members with the Shared VPC Admin role in the host project
D) All users in the organization by default
, [PCSE] Google Cloud Certified Professional
Cloud Security Engineer Certification
Review Guide
Answer: C
Explanation: The Shared VPC Admin role in the host project grants permission to create and
manage subnets that service projects can use.
**Question 9.** Which firewall rule direction is used to block outbound traffic from a Compute
Engine instance to the internet?
A) Ingress rule with deny priority
B) Egress rule with deny priority
C) Ingress rule with allow priority
D) Egress rule with allow priority
Answer: B
Explanation: Egress firewall rules control outbound traffic; a deny rule blocks the specified
traffic.
**Question 10.** How can you restrict a firewall rule to apply only to instances that run a
specific service account?
A) Use network tags only
B) Use service account‑based firewall filtering
C) Use IAM conditions on the firewall rule
D) Use VPC Service Controls
Answer: B
Explanation: Google Cloud firewall rules can be filtered by the service account attached to the
instance, limiting the rule’s scope.
Cloud Security Engineer Certification
Review Guide
**Question 1.** Which Google Cloud service synchronizes on‑premises Active Directory users
and groups to Cloud Identity or G Suite?
A) Cloud Identity‑Aware Proxy
B) Google Cloud Directory Sync (GCDS)
C) Cloud Identity‑Based Access Management
D) Cloud Identity‑Federation API
Answer: B
Explanation: GCDS reads from an on‑prem AD and writes the objects to Cloud Identity, keeping
the cloud directory in sync with the corporate directory.
**Question 2.** In a Google Cloud Organization hierarchy, which of the following inherits
policies from its parent by default?
A) Projects only
B) Folders only
C) Both folders and projects
D) Neither folders nor projects
Answer: C
Explanation: IAM policies and Organization Policy constraints are inherited from the
Organization to folders and then to projects unless explicitly overridden.
**Question 3.** Which IAM role type provides the most granular permissions and can be
tailored to a specific set of actions?
A) Primitive role
B) Predefined role
C) Custom role
, [PCSE] Google Cloud Certified Professional
Cloud Security Engineer Certification
Review Guide
D) Service account role
Answer: C
Explanation: Custom roles let you select exactly the permissions needed, achieving the principle
of least privilege.
**Question 4.** What is the recommended method for protecting a service account key that
must be used by a CI/CD pipeline?
A) Store the key in a public GitHub repository
B) Encrypt the key with Cloud KMS and store in Secret Manager
C) Hard‑code the key in the pipeline script
D) Use a long‑lived JSON key file on the build server
Answer: B
Explanation: Encrypting the key with Cloud KMS and storing it in Secret Manager ensures it is
protected at rest and accessed securely by the pipeline.
**Question 5.** Which IAM feature allows you to grant access to a resource only during a
specific time window?
A) IAM Conditions
B) Service Account Impersonation
C) Organization Policy Constraints
D) VPC Service Controls
Answer: A
Explanation: IAM Conditions support attribute‑based access control, including time‑based
constraints.
, [PCSE] Google Cloud Certified Professional
Cloud Security Engineer Certification
Review Guide
**Question 6.** When implementing SAML‑based Single Sign‑On for Google Cloud, which
component validates the SAML assertion?
A) Cloud Identity
B) Cloud IAM
C) Cloud Resource Manager
D) Cloud Load Balancing
Answer: A
Explanation: Cloud Identity processes SAML assertions from the Identity Provider to
authenticate users.
**Question 7.** Which of the following is a best practice for enforcing multi‑factor
authentication for all privileged accounts?
A) Require MFA only for console logins
B) Enable MFA for the super‑admin role only
C) Enforce MFA via an Organization Policy constraint
D) Use a third‑party MFA solution without integration
Answer: C
Explanation: An Organization Policy can enforce MFA for all users or specific groups, ensuring
consistent enforcement across the organization.
**Question 8.** In a Shared VPC, who can create subnets that are usable by service projects?
A) Only the host project owner
B) Any member of the service project with Compute Network Admin role
C) Only members with the Shared VPC Admin role in the host project
D) All users in the organization by default
, [PCSE] Google Cloud Certified Professional
Cloud Security Engineer Certification
Review Guide
Answer: C
Explanation: The Shared VPC Admin role in the host project grants permission to create and
manage subnets that service projects can use.
**Question 9.** Which firewall rule direction is used to block outbound traffic from a Compute
Engine instance to the internet?
A) Ingress rule with deny priority
B) Egress rule with deny priority
C) Ingress rule with allow priority
D) Egress rule with allow priority
Answer: B
Explanation: Egress firewall rules control outbound traffic; a deny rule blocks the specified
traffic.
**Question 10.** How can you restrict a firewall rule to apply only to instances that run a
specific service account?
A) Use network tags only
B) Use service account‑based firewall filtering
C) Use IAM conditions on the firewall rule
D) Use VPC Service Controls
Answer: B
Explanation: Google Cloud firewall rules can be filtered by the service account attached to the
instance, limiting the rule’s scope.
