Google Certification
Professional Cloud Security Engineer Practice Exam
Exam Number: 1009 | Last updated April 21, 2026 | 1248+ questions across 5 vendor-aligned objectives
Google’s Professional Cloud Security Engineer credential is built for professionals who have the skills needed to work on Google Cloud in production settings. The target audience includes cloud security engineers, architects, and compliance specialists who design defense-in-depth controls for Google Cloud environments. Passing candidates have shown they can reason about trade-offs and pick the right service for a given constraint.
Heavily weighted areas define where study time pays back fastest: 22% targets Configuring Access Within a Cloud Solution Environment (Cloud Identity, IAM conditions, workforce identity federation, least privilege); 20% targets Configuring Network Security (VPC Service Controls, Cloud Armor, Private Google Access, hierarchical firewall policies); 20% targets Managing Operations Within a Cloud Solution Environment (Security Command Center, Event Threat Detection, Chronicle integration).
Supporting domains fill out the blueprint: 20% covers Supporting Compliance Requirements (regulated workloads, Assured Workloads, audit logging, data residency); 18% covers Ensuring Data Protection (Cloud KMS, customer-managed encryption keys, Secret Manager, DLP). Each still appears on the exam, so none can be safely skipped.
Every answer links to the source. Each explanation below includes a hyperlink to the exact Google documentation page the question was derived from. PowerKram is the only practice platform with source-verified explanations.
778 practice exam users · 99.1% satisfied users · 91.8% passed the exam · 4.5/5 quality rating
Test your Cloud Security Engineer knowledge
10 of 1248+ questions
Question #1 - Configuring Access Within a Cloud Solution Environment
A security engineer must grant developers write access to a production Cloud Storage bucket only during business hours.
Which Google Cloud capability expresses that rule?
A) VPC firewall rules timed via cron
B) Cloud DNS TTL tricks
C) IAM Conditions with a time-based expression
D) Organization Policy deny by folder
Correct answer: C
IAM Conditions let an allow binding depend on request time (or other attributes), which maps directly to a business-hours constraint. Note that conditional role bindings on a Cloud Storage bucket require uniform bucket-level access to be enabled on that bucket. Firewall rules do not scope IAM. DNS TTL is unrelated. Org Policies do not condition by hour.
Question #2 - Configuring Network Security
An architect must prevent service-account credentials from being used to exfiltrate data from BigQuery to a Cloud Storage bucket outside the organization’s perimeter.
Which Google Cloud control is designed for this?
A) VPC Service Controls perimeters
B) Context-Aware Access on Workspace
C) Cloud Armor rate limiting
D) Default firewall rules only
Correct answer: A
VPC Service Controls create API-level perimeters that block data from crossing out of the perimeter, even with valid credentials; both the BigQuery and Cloud Storage APIs must be listed as restricted services in the perimeter for this egress to be blocked. Context-Aware Access is a Workspace control. Cloud Armor is an edge control for HTTP(S) traffic. Default firewall rules do not block API-level exfiltration.
Question #3 - Ensuring Data Protection
A compliance policy mandates that the organization, not Google, controls the encryption keys for a Cloud Storage bucket and can disable them in seconds.
Which capability meets the requirement?
A) Google-managed encryption keys only
B) No encryption at rest
C) ZIP password-protected files only
D) Customer-managed encryption keys (CMEK) via Cloud KMS
Correct answer: D
CMEK via Cloud KMS gives the organization control and the ability to disable the key, effectively revoking access. Google-managed keys do not meet the control requirement. No encryption is non-compliant. Zip passwords are not enterprise key management.
Question #4 - Managing Operations Within a Cloud Solution Environment
A CISO wants a single pane for asset inventory, misconfiguration findings, and threat detections across the entire Google Cloud organization.
Which service is designed for that?
A) Cloud Monitoring only
B) Security Command Center
C) Cloud Storage inventory reports
D) Cloud DNS only
Correct answer: B
Security Command Center is Google Cloud’s posture and threat management platform at the organization level. Monitoring covers metrics. Storage inventory reports cover buckets. Cloud DNS is name resolution.
Question #5 - Supporting Compliance Requirements
A US public-sector agency must ensure its Google Cloud workloads meet FedRAMP High controls and stay in approved regions.
Which Google Cloud offering directly supports these controls?
A) Assured Workloads
B) Turning off audit logs to save space
C) Running in any region with default settings
D) Signed URLs for every object
Correct answer: A
Assured Workloads provides compliance-specific environments including FedRAMP High with enforced residency and personnel controls. Turning off audit logs harms compliance. Default settings do not guarantee residency. Signed URLs are an access pattern, not a compliance stack.
Question #6 - Configuring Network Security
A public web app is seeing high-volume SQL-injection attempts and credential-stuffing traffic from many IPs.
Which Google Cloud service is the right frontline defense?
A) Cloud NAT alone
B) A bucket policy
C) Cloud Armor with WAF rules and rate limiting
D) Cloud DNS wildcard
Correct answer: C
Cloud Armor offers WAF rules (including pre-built OWASP protections) and rate limiting at the edge. Cloud NAT handles outbound egress. Bucket policies do not protect a web app. Cloud DNS is name resolution.
Question #7 - Ensuring Data Protection
A privacy engineer must scan a BigQuery dataset for emails, credit card numbers, and national IDs and produce a findings report.
Which Google Cloud service fits?
A) Cloud Monitoring metrics
B) Cloud Logging only
C) Cloud Source Repositories search
D) Sensitive Data Protection (Cloud DLP)
Correct answer: D
Sensitive Data Protection (formerly Cloud DLP) classifies PII in structured and unstructured data including BigQuery. Monitoring, Logging, and source repo search do not perform PII classification.
Question #8 - Supporting Compliance Requirements
An auditor asks for evidence of every read of a highly sensitive BigQuery table over the last year.
Which Google Cloud log category captures that?
A) Admin Activity logs alone
B) Data Access audit logs (enabled for the resource)
C) Access Transparency logs only
D) VPC Flow Logs only
Correct answer: B
Data Access audit logs record data reads and writes once enabled; they are the right source for this evidence. For most services they are off by default, although BigQuery’s Data Access logs are on by default. They land in the _Default log bucket, which retains entries for 30 days unless retention is extended or the logs are routed to a sink, so a one-year evidence request also depends on retention having been configured. Admin Activity logs cover IAM and admin changes, not data reads. Access Transparency captures Google-side access. VPC Flow Logs are network flows.
Question #9 - Configuring Access Within a Cloud Solution Environment
An enterprise wants to let external contractors in a partner IdP access specific Google Cloud resources without creating Cloud Identity accounts.
Which Google Cloud feature fits?
A) Workforce Identity Federation
B) Creating a shared admin account
C) Giving contractors Google personal accounts
D) Publishing long-lived service account keys
Correct answer: A
Workforce Identity Federation lets external IdP identities access Google Cloud without provisioning Cloud Identity users. Shared admin accounts are an anti-pattern. Personal Google accounts are ungoverned. Long-lived keys are a known risk.
Question #10 - Managing Operations Within a Cloud Solution Environment
A detection engineer wants automated detection of anomalous IAM behavior and malware on Compute Engine.
Which Google Cloud capability provides those detections?
A) Cloud Scheduler ping jobs
B) Event Threat Detection and Virtual Machine Threat Detection in Security Command Center
C) Cloud DNS negative caching
D) Cloud Storage lifecycle rules
Correct answer: B
Event Threat Detection flags suspicious IAM and audit-log events, and VM Threat Detection scans for malware in VM memory, both inside Security Command Center. Scheduler pings, DNS caching, and storage lifecycle rules are not threat detection features.
What the Cloud Security Engineer exam measures
- Configuring Access Within a Cloud Solution Environment (22%): Apply Google Cloud practices to Cloud Identity, IAM conditions, workforce identity federation, least privilege.
- Configuring Network Security (20%): Apply Google Cloud practices to VPC Service Controls, Cloud Armor, Private Google Access, hierarchical firewall policies.
- Ensuring Data Protection (18%): Apply Google Cloud practices to Cloud KMS, customer-managed encryption keys, Secret Manager, DLP.
- Managing Operations Within a Cloud Solution Environment (20%): Apply Google Cloud practices to Security Command Center, Event Threat Detection, Chronicle integration.
- Supporting Compliance Requirements (20%): Apply Google Cloud practices to regulated workloads, Assured Workloads, audit logging, data residency.
How to prepare for this exam
- Review the Professional Cloud Security Engineer official exam guide end to end before you commit a study plan, so every later hour is spent against the published blueprint.
- Complete the relevant Google Cloud Skills Boost learning path and treat its labs as non-optional rather than extra credit.
- Get hands-on practice in a Qwiklabs sandbox, repeating the same tasks from memory until configuration feels routine.
- Apply what you learn in real-world project experience — your day job, a volunteer project, or an open-source contribution — so the concepts stick.
- Master one objective at a time, starting with the highest-weighted domain on the blueprint and moving down from there.
- Use PowerKram learn mode with feedback and sourced links to close gaps while the answer rationale is still fresh.
- Finish with PowerKram exam mode across all objectives under realistic time pressure before you book the real exam.
Career paths and salary outlook
Holding the Professional Cloud Security Engineer certification typically supports roles such as:
- Cloud Security Engineer: roughly $135,000 to $195,000 USD per year in the US market (range varies by region, years of experience, and specialization). See current data on Glassdoor.
- Cloud Security Architect: roughly $155,000 to $220,000 USD per year in the US market (range varies by region, years of experience, and specialization). See current data on Levels.fyi.
- GRC Analyst (Cloud): roughly $110,000 to $160,000 USD per year in the US market (range varies by region, years of experience, and specialization). See current data on Payscale.
Official resources
Work directly from Google’s own preparation resources and treat third-party content as a supplement:
