Google Cloud PCSE glossary of IAM, risk, logging, response, and defense terms.

Use this glossary when Google Cloud Professional Cloud Security Engineer (PCSE) terms start to blur together. The goal is practical recognition, not encyclopedia coverage.

| Term | Exam meaning |
|---|---|
| Service account | Non-human identity used by workloads and services. |
| VPC Service Controls | Perimeter control that helps reduce data exfiltration risk for supported services. |
| Cloud KMS | Managed key service for encryption key lifecycle and access control. |
| Secret Manager | Managed storage for secrets with access control and audit. |
| Security Command Center | Security and risk management service for findings and posture. |
| Organization policy | Constraint-based governance applied through the resource hierarchy. |

| Pair | How to separate them |
|---|---|
| Identity and access vs Network and perimeter security | Ask which layer the scenario is testing, then match the answer to that layer only. |
| Control vs evidence | A control changes behavior; evidence proves behavior or supports investigation. |
| Managed service vs custom build | Managed services win for lower operational effort unless the requirement needs unsupported customization. |
| Prevention vs detection | Prevention blocks or reduces a bad event; detection finds or reports that it happened. |

Do not memorize terms in isolation. For each term, write one scenario where it is the best answer, one scenario where it is a distractor, and one signal that proves it worked.