Courseiva is a free IT certification practice platform offering original exam-style practice questions, detailed explanations, topic-based practice, mock exams, readiness tracking, and study analytics for Cisco, CompTIA, Microsoft, AWS, and other technology certifications.

© 2026 Courseiva. Courseiva is operated by JTNetSolutions Ltd. All rights reserved.

Courseiva is an independent certification practice platform and is not affiliated with, endorsed by, or sponsored by Cisco, Microsoft, AWS, CompTIA, Google, ISC2, ISACA, or any other certification vendor. Vendor names and certification marks are used only to identify the exams learners are preparing for.

Designing for Security and Compliance

Practice PCA Designing for Security and Compliance questions with full explanations on every answer.

96 questions

All PCA Designing for Security and Compliance questions (96)

Click any question to see the full explanation and answer options, or start a focused practice session above.

1. A company wants to control which resources can be accessed by a service account in a specific project. Which IAM policy binding approach should be used?
2. An organization requires that all container images deployed to GKE be signed and verified before deployment. Which GCP service should be used?
3. A security team wants to prevent data exfiltration from a GKE cluster to external storage. They need to restrict access to Cloud Storage buckets from the cluster without using private IPs. Which solution should they implement?
4. A company uses Cloud KMS with CMEK to encrypt data stored in BigQuery. They need to audit who has used the encryption key and when. Which type of audit log should they enable?
5. An engineer needs to grant a user the ability to create and manage service accounts in a project. Which predefined IAM role provides these permissions?
6. A company wants to enforce that all API calls to GCP services from outside their corporate network come through a specific Cloud VPN tunnel. Which GCP service can enforce this policy?
7. An organization needs to store secrets used by multiple GCP services. They require automatic rotation of secrets every 30 days and integration with Cloud Functions. Which service should they use?
8. A company wants to use its existing Active Directory credentials to authenticate users to the GCP Console. Which service should they integrate with?
9. Which GCP service can be used to detect and redact sensitive data such as credit card numbers in text files stored in Cloud Storage?
10. A company needs to ensure that only approved container images can be deployed to a GKE cluster. They already use Binary Authorization. What additional step is required to enforce this policy?
11. An organization needs to encrypt data at rest in BigQuery using keys that are rotated every 90 days. They want to manage the keys themselves but cannot store keys on-premises. Which encryption approach should they use?
12. A developer wants to allow a Compute Engine VM to authenticate to Google Cloud APIs without embedding service account keys in the VM image. What is the recommended approach?
13. A company wants to restrict network access to Cloud SQL instances such that only applications running in a specific VPC can connect. Which GCP feature should they use?
14. A company uses Cloud Armor to protect an HTTP(S) Load Balancer. They want to block traffic from a specific IP address range during off-peak hours but allow it during peak hours. How can they achieve this?
15. A company needs to ensure that only applications running in a specific GKE namespace can access a Cloud Storage bucket. Which approach should they use?
16. A company wants to enforce that only approved container images can be deployed to GKE. They also want to ensure images are scanned for vulnerabilities before deployment. Which two GCP services should they use? (Choose TWO.)
17. A company needs to store secrets used by multiple GCP services. They require automatic rotation of secrets every 30 days and integration with Cloud Functions. Which two GCP services should they use? (Choose TWO.)
18. Which two GCP audit log types are available by default? (Choose TWO.)
19. A company wants to protect a web application from SQL injection and cross-site scripting (XSS) attacks. They also need to block traffic from specific geographic regions. Which three features of Cloud Armor should they use? (Choose THREE.)
20. A company needs to ensure that data stored in Cloud Storage is encrypted with customer-managed keys that are rotated every 90 days. Which two steps must be taken to achieve this? (Choose TWO.)
21. An organization wants to enforce that all container images deployed to their Google Kubernetes Engine (GKE) clusters are signed and have passed a vulnerability scan. Which GCP service should they use to enforce this policy?
22. A company wants to restrict access to their Cloud Storage bucket so that only requests from within a specific VPC network are allowed, and all other traffic (including internet) is denied. They also need to allow access from on-premises through a VPN. Which configuration should they use?
23. A financial services company must store customer data in a GCP region that is certified for FedRAMP High. They also need to ensure that only authorized personnel can access the data, and that access logs are kept for 10 years. Which combination of services meets these requirements?
24. An engineer needs to grant a service account the ability to create and manage VMs in a specific project, but only those VMs with a certain label. Which IAM feature should they use?
25. A company wants to use their existing Active Directory for authentication to Google Cloud. They need to sync user and group identities to Cloud Identity and allow users to log in with their corporate credentials. Which two services should they use together?
26. A developer needs to securely store a database password that will be used by a Compute Engine instance. The password must be rotated automatically every 30 days. Which service should they use?
27. A company wants to allow a Kubernetes pod in GKE to access a Cloud Storage bucket using the pod's own identity, without managing long-lived credentials. They have created a Google service account (GSA) and a Kubernetes service account (KSA). What should they do to bind the KSA to the GSA?
28. A company wants to protect their web application hosted on Google Cloud HTTP(S) Load Balancer from common web attacks like SQL injection and cross-site scripting (XSS). Which GCP service should they use?
29. A company needs to encrypt data at rest in Cloud Storage using their own keys. They require that the keys are stored in a hardware security module (HSM) that is FIPS 140-2 Level 3 certified. Which key management option should they choose?
30. A security engineer wants to ensure that all admin activity in their GCP organization is logged and retained for 3 years. They also need to be alerted if a new firewall rule is created. Which logs should they enable?
31. A company is deploying a multi-tenant SaaS application on GKE. Each tenant's data must be isolated at the network level. They want to use a single GKE cluster but ensure that pods from different tenants cannot communicate with each other. Which GCP feature should they use?
32. A company wants to give a new employee read-only access to all projects in their GCP organization. Which IAM role should they assign at the organization level to grant this access?
33. A company wants to use Cloud DLP to scan a Cloud Storage bucket for personally identifiable information (PII) and de-identify the data before storing it in another bucket. Which TWO actions should they take? (Choose 2.)
34. A company wants to use Binary Authorization to enforce that only images signed by their internal CI/CD pipeline can be deployed to their GKE clusters. They have set up Cloud Build to sign images. Which THREE steps are required to configure this? (Choose 3.)
35. An organization wants to use VPC Service Controls to protect a Cloud Storage bucket and a BigQuery dataset from data exfiltration. They want to allow access from a specific on-premises network via a Cloud VPN. Which TWO components are required? (Choose 2.)
36. An organization wants to ensure that only container images signed by an authorized CI/CD pipeline can be deployed to their GKE clusters. Which GCP service should they use?
37. A security engineer needs to restrict access to a Google Cloud project so that only a specific set of IP addresses can reach Cloud Storage buckets. Which feature should be configured?
38. A company uses Cloud Identity to manage users and wants to allow employees to authenticate to Google Cloud using their existing corporate Active Directory credentials. Which solution should they implement?
39. A company wants to encrypt data at rest in Cloud Storage using a key that they generate and manage themselves, not stored in Google Cloud. Which encryption type should they use?
40. A DevOps engineer needs to grant a CI/CD pipeline (running in a different Google Cloud project) the ability to deploy resources into a target project. The pipeline uses a service account. What is the best way to grant this access?
41. A company wants to use their own HSM to hold encryption keys for Google Cloud services, but they want Google Cloud to perform cryptographic operations without exposing the keys. Which service should they use?
42. A company needs to protect an HTTPS load-balanced web application from OWASP Top 10 attacks, including SQL injection and cross-site scripting. Which GCP service should they enable?
43. A security team needs to detect and redact personally identifiable information (PII) from documents uploaded to Cloud Storage before they are stored. Which GCP service should they use?
44. A company wants to enforce that all secrets used by applications running on Compute Engine are rotated automatically every 30 days. Which GCP service should they use to store and manage these secrets?
45. An organization needs to grant a third-party auditor read-only access to view all resources in a project, including sensitive data like IAM policies and logs. Which role should be assigned?
46. A company deploys a Kubernetes workload in GKE that needs to access Cloud Storage. They want to avoid managing service account keys. What is the recommended approach?
47. A company with multiple projects must ensure that no data can be exfiltrated from a specific project's Cloud Storage buckets to unauthorized locations outside the organization. They also need to allow access only from a corporate VPN IP range. Which configuration meets these requirements?
48. A company wants to deploy a web application behind an HTTPS Load Balancer and only allow authenticated users from their corporate Active Directory. Which two services should they use together? (Choose two.)
49. A company wants to centrally manage firewall rules for all projects in an organization using hierarchical firewall policies. Which three resources can be used in conjunction with hierarchical firewall policies? (Choose three.)
50. An organization needs to comply with FedRAMP requirements and restrict data storage to specific regions. They also need to audit all admin activities and data access. Which three components should they implement? (Choose three.)
51. An organization wants to enforce that all container images deployed to Google Kubernetes Engine (GKE) clusters are signed by an authorized authority and only those images are allowed to run. Which GCP service should they use?
52. A security engineer needs to allow a Compute Engine instance with the service account 'sa-prod@project.iam.gserviceaccount.com' to connect to a Cloud SQL instance over a private IP. The VPC has no firewall rules allowing this traffic. What is the MOST secure way to grant access?
53. A company uses Cloud Key Management Service (Cloud KMS) with a customer-managed encryption key (CMEK) to encrypt data in BigQuery. They want to ensure the key can only be used by the BigQuery service account in the 'us-central1' region. Which IAM condition should be added to the key's IAM policy?
54. Which Google Cloud service allows organizations to define perimeters that protect resources and data from exfiltration to other VPCs or networks?
55. A company is migrating an on-premises application to Google Cloud. The application requires access to a legacy database that can only be reached from a specific on-premises IP address. The company has established a Cloud VPN tunnel. What is the MOST secure way to ensure that only the migrated application's Compute Engine instances can initiate connections to the on-premises database?
56. An organization needs to store API keys and database passwords securely in Google Cloud. They want to automatically rotate secrets every 30 days. Which service should they use?
57. A company wants to enforce that all data stored in Cloud Storage buckets is encrypted with a key that they manage and rotate quarterly. They also want to ensure that the key is stored in a hardware security module (HSM). Which combination of services should they use?
58. Which IAM role should be granted to a user who needs to view but not modify resources in a project?
59. A company uses Assured Workloads to meet FedRAMP compliance. They need to ensure that only authorized personnel can access data access audit logs for their projects. Which IAM role should they grant to the security team?
60. A company wants to allow users to authenticate to a web application running on Compute Engine using their existing corporate Active Directory credentials without exposing the application to the public internet. Which approach should they use?
61. A data engineer needs to scan a Cloud Storage bucket for personally identifiable information (PII) and de-identify the data before loading it into BigQuery. Which Google Cloud service should they use?
62. An engineer is configuring Cloud Armor security policies for an HTTPS Load Balancer. They want to block requests from a specific IP range but allow all other traffic. What is the correct way to configure this?
63. A security team needs to restrict access to a set of Cloud Storage buckets so that only Compute Engine instances with a specific service account can read objects. Which TWO steps should they take? (Choose two.)
64. A company wants to use Cloud Key Management Service (Cloud KMS) to manage encryption keys for multiple applications. They have the following requirements: 1) Keys must be automatically rotated every 90 days. 2) Different applications should have access only to their own keys. 3) All key operations must be logged for audit purposes. Which THREE steps should they take? (Choose three.)
65. An organization wants to implement a zero-trust architecture for a web application running on Compute Engine. They require: (a) all traffic must be authenticated and authorized at the application layer; (b) access decisions must consider the user's identity, device security posture, and IP address; (c) session hijacking must be mitigated. Which THREE services or features should they use? (Choose three.)
66. A security team wants to ensure that all Compute Engine instances in a project are launched with a specific custom encryption key (CMEK) stored in Cloud KMS. What is the correct way to enforce this policy?
67. An organization uses Active Directory (AD) on-premises. They want to synchronize user accounts and groups to Google Cloud Identity so that users can sign in with their existing AD credentials. Which service should they use?
68. A financial services company runs workloads on GKE and wants to ensure only container images that have been approved by the security team can be deployed. The approval process involves signing images after vulnerability scanning. Which GCP service should be integrated with GKE to enforce this policy?
69. A company wants to use Customer-Managed Encryption Keys (CMEK) for data at rest in Cloud Storage, but also needs to ensure that the keys are stored in a hardware security module (HSM) to meet compliance requirements. Which Cloud KMS key type should they choose?
70. An organization needs to restrict access to a Cloud Storage bucket so that only resources in a specific VPC network can read the data. They want to prevent data exfiltration via the internet. Which combination of services should they use?
71. A developer needs to grant a Compute Engine instance the ability to read from a Cloud Storage bucket. The instance does not have a service account attached. What should the developer do?
72. A company is using Cloud SQL for MySQL and wants to encrypt data at rest with a key that they manage and rotate. They also want to avoid any additional cost for the encryption feature. What should they do?
73. A security engineer wants to configure Identity-Aware Proxy (IAP) for an HTTPS load-balanced application to enforce zero-trust access. Users will authenticate with their Google accounts. What is the minimum set of IAM roles needed for a user to access the application behind IAP?
74. A company has a VPC Service Perimeter that protects a project containing BigQuery datasets. They want to allow an external customer's BigQuery job to query data across the perimeter boundary using a private connection. Which configuration is required?
75. A company wants to ensure that all audit logs for a project are retained for 7 years for compliance purposes. Which type of audit logs in Cloud Logging should they configure for the longest retention?
76. An organization needs to run workloads that are subject to ITAR (International Traffic in Arms Regulations) in Google Cloud. Which region should they use to ensure compliance with ITAR requirements?
77. A developer wants to store a database password securely and have it automatically rotated every 30 days. The password is used by a Compute Engine instance. Which Google Cloud service should they use?
78. A security team needs to detect and redact personally identifiable information (PII) in documents stored in Cloud Storage before sharing them with external partners. Which two Google Cloud services should they use together? (Choose two.)
79. A company wants to allow a Kubernetes pod in GKE to authenticate to Google Cloud APIs without storing service account keys in the cluster. Which three components need to be configured to enable Workload Identity? (Choose three.)
80. An organization wants to protect an HTTPS load-balanced web application from common web attacks, such as SQL injection and cross-site scripting (XSS), as well as rate-limit traffic from specific IPs. Which three capabilities should they use together? (Choose three.)
81. An organization wants to enforce that all container images deployed to Google Kubernetes Engine (GKE) are signed and approved via an attestation authority. Which GCP service should they use?
82. A company needs to grant a data scientist read-only access to BigQuery datasets in the project 'analytics-prod' without granting permissions to any other resources. Which IAM role should be assigned at the project level?
83. A security engineer wants to prevent data exfiltration from a project 'prod-data' by ensuring that only approved VPC networks can access BigQuery datasets. Which GCP service should be used?
84. A company wants to encrypt data at rest in Cloud Storage using their own keys stored on-premises. They need to rotate the key every 30 days. Which encryption option should they use?
85. An organization uses Active Directory (AD) on-premises and wants to synchronize user identities to Google Cloud Identity so that users can access G Suite and GCP resources with their existing credentials. Which service should they use?
86. A data engineer needs to automatically detect and redact sensitive data such as credit card numbers from text files uploaded to Cloud Storage before the data is loaded into BigQuery. Which GCP service should be used?
87. A company wants to allow a Kubernetes pod in GKE to access a Cloud Storage bucket using a specific service account without storing long-lived credentials. Which method should be used?
88. An organization needs to comply with FedRAMP High requirements and wants to run workloads in a GCP region that supports these controls. They also need to restrict data movement to only approved services. Which GCP feature should they use?
89. A company has multiple GCP projects under a folder. They want to define a custom IAM role that can be reused across all projects. Where should the custom role be defined?
90. A security admin wants to audit all 'create' and 'delete' operations on Compute Engine instances in a project for the last 90 days. Which type of audit log should they query?
91. A developer wants to store a database password that is used by a Cloud Function. The password must be automatically rotated every 30 days and accessed securely without storing it in the source code. Which GCP service should they use?
92. A company uses Cloud Armor to protect an HTTPS Load Balancer. They want to allow traffic only from users who have passed a reCAPTCHA challenge. Which Cloud Armor feature supports this?
93. A company wants to implement a zero-trust access model for internal web applications running on Compute Engine. They need to authenticate users using corporate credentials and enforce context-aware access based on device posture and IP address. Which TWO services should they use?
94. An organization wants to use Cloud KMS to manage encryption keys for data in Cloud Storage and BigQuery. They require that key material never leaves a hardware security module (HSM) and must be FIPS 140-2 Level 3 certified. Which TWO actions should they take?
95. A company needs to allow a third-party auditor to view all Compute Engine resources in a project but not allow any modifications. The auditor must not have access to any other services. Which THREE steps should be taken?
96. A startup wants to grant a contractor limited access to a single Cloud Storage bucket. The contractor should be able to view and download objects, but not delete or overwrite them. Which IAM role should be assigned?

Frequently asked questions

What does the Designing for Security and Compliance domain cover on the PCA exam?

The Designing for Security and Compliance domain covers the key concepts tested in this area of the PCA exam blueprint published by Google Cloud. Courseiva provides free domain-focused practice, mock exams, missed-question review, and readiness tracking across all PCA domains — no account required.

How many Designing for Security and Compliance questions are in the PCA question bank?

The Courseiva PCA question bank contains 96 questions in the Designing for Security and Compliance domain. Click any question to see the full explanation and answer breakdown.

What is the best way to practice Designing for Security and Compliance for PCA?

Start with a 10-question focused session to identify your baseline accuracy in this domain. Read every explanation — even for questions you answer correctly — to understand the reasoning. Once you score consistently above 80%, move to a 20–30 question session to confirm depth before moving to the next domain.

Can I practice only Designing for Security and Compliance questions for PCA?

Yes — the session launcher on this page draws questions exclusively from the Designing for Security and Compliance domain. Choose 10, 20, 30, or 50 questions for a focused session, or click individual questions to review them one by one.
