Practice PCA Designing for Security and Compliance questions with full explanations on every answer.
1. A company wants to control which resources can be accessed by a service account in a specific project. Which IAM policy binding approach should be used?
2. An organization requires that all container images deployed to GKE be signed and verified before deployment. Which GCP service should be used?
3. A security team wants to prevent data exfiltration from a GKE cluster to external storage. They need to restrict access to Cloud Storage buckets from the cluster without using private IPs. Which solution should they implement?
4. A company uses Cloud KMS with CMEK to encrypt data stored in BigQuery. They need to audit who has used the encryption key and when. Which type of audit log should they enable?
5. An engineer needs to grant a user the ability to create and manage service accounts in a project. Which predefined IAM role provides these permissions?
6. A company wants to enforce that all API calls to GCP services from outside their corporate network come through a specific Cloud VPN tunnel. Which GCP service can enforce this policy?
7. An organization needs to store secrets used by multiple GCP services. They require automatic rotation of secrets every 30 days and integration with Cloud Functions. Which service should they use?
8. A company wants to use its existing Active Directory credentials to authenticate users to the GCP Console. Which service should they integrate with?
9. Which GCP service can be used to detect and redact sensitive data such as credit card numbers in text files stored in Cloud Storage?
10. A company needs to ensure that only approved container images can be deployed to a GKE cluster. They already use Binary Authorization. What additional step is required to enforce this policy?
11. An organization needs to encrypt data at rest in BigQuery using keys that are rotated every 90 days. They want to manage the keys themselves but cannot store keys on-premises. Which encryption approach should they use?
12. A developer wants to allow a Compute Engine VM to authenticate to Google Cloud APIs without embedding service account keys in the VM image. What is the recommended approach?
13. A company wants to restrict network access to Cloud SQL instances such that only applications running in a specific VPC can connect. Which GCP feature should they use?
14. A company uses Cloud Armor to protect an HTTP(S) Load Balancer. They want to block traffic from a specific IP address range during off-peak hours but allow it during peak hours. How can they achieve this?
15. A company needs to ensure that only applications running in a specific GKE namespace can access a Cloud Storage bucket. Which approach should they use?
16. A company wants to enforce that only approved container images can be deployed to GKE. They also want to ensure images are scanned for vulnerabilities before deployment. Which two GCP services should they use? (Choose TWO).
17. A company needs to store secrets used by multiple GCP services. They require automatic rotation of secrets every 30 days and integration with Cloud Functions. Which two GCP services should they use? (Choose TWO).
18. Which two GCP audit log types are available by default? (Choose TWO).
19. A company wants to protect a web application from SQL injection and cross-site scripting (XSS) attacks. They also need to block traffic from specific geographic regions. Which three features of Cloud Armor should they use? (Choose THREE).
20. A company needs to ensure that data stored in Cloud Storage is encrypted with customer-managed keys that are rotated every 90 days. Which two steps must be taken to achieve this? (Choose TWO).
21. An organization wants to enforce that all container images deployed to their Google Kubernetes Engine (GKE) clusters are signed and have passed a vulnerability scan. Which GCP service should they use to enforce this policy?
22. A company wants to restrict access to their Cloud Storage bucket so that only requests from within a specific VPC network are allowed, and all other traffic (including internet) is denied. They also need to allow access from on-premises through a VPN. Which configuration should they use?
23. A financial services company must store customer data in a GCP region that is certified for FedRAMP High. They also need to ensure that only authorized personnel can access the data, and that access logs are kept for 10 years. Which combination of services meets these requirements?
24. An engineer needs to grant a service account the ability to create and manage VMs in a specific project, but only those VMs with a certain label. Which IAM feature should they use?
25. A company wants to use their existing Active Directory for authentication to Google Cloud. They need to sync user and group identities to Cloud Identity and allow users to log in with their corporate credentials. Which two services should they use together?
26. A developer needs to securely store a database password that will be used by a Compute Engine instance. The password must be rotated automatically every 30 days. Which service should they use?
27. A company wants to allow a Kubernetes pod in GKE to access a Cloud Storage bucket using the pod's own identity, without managing long-lived credentials. They have created a Google service account (GSA) and a Kubernetes service account (KSA). What should they do to bind the KSA to the GSA?
28. A company wants to protect their web application hosted on Google Cloud HTTP(S) Load Balancer from common web attacks like SQL injection and cross-site scripting (XSS). Which GCP service should they use?
29. A company needs to encrypt data at rest in Cloud Storage using their own keys. They require that the keys are stored in a hardware security module (HSM) that is FIPS 140-2 Level 3 certified. Which key management option should they choose?
30. A security engineer wants to ensure that all admin activity in their GCP organization is logged and retained for 3 years. They also need to be alerted if a new firewall rule is created. Which logs should they enable?
31. A company is deploying a multi-tenant SaaS application on GKE. Each tenant's data must be isolated at the network level. They want to use a single GKE cluster but ensure that pods from different tenants cannot communicate with each other. Which GCP feature should they use?
32. A company wants to give a new employee read-only access to all projects in their GCP organization. Which IAM role should they assign at the organization level to grant this access?
33. A company wants to use Cloud DLP to scan a Cloud Storage bucket for personally identifiable information (PII) and de-identify the data before storing it in another bucket. Which TWO actions should they take? (Choose 2)
34. A company wants to use Binary Authorization to enforce that only images signed by their internal CI/CD pipeline can be deployed to their GKE clusters. They have set up Cloud Build to sign images. Which THREE steps are required to configure this? (Choose 3)
35. An organization wants to use VPC Service Controls to protect a Cloud Storage bucket and a BigQuery dataset from data exfiltration. They want to allow access from a specific on-premises network via a Cloud VPN. Which TWO components are required? (Choose 2)
36. An organization wants to ensure that only container images signed by an authorized CI/CD pipeline can be deployed to their GKE clusters. Which GCP service should they use?
37. A security engineer needs to restrict access to a Google Cloud project so that only a specific set of IP addresses can reach Cloud Storage buckets. Which feature should be configured?
38. A company uses Cloud Identity to manage users and wants to allow employees to authenticate to Google Cloud using their existing corporate Active Directory credentials. Which solution should they implement?
39. A company wants to encrypt data at rest in Cloud Storage using a key that they generate and manage themselves, not stored in Google Cloud. Which encryption type should they use?
40. A DevOps engineer needs to grant a CI/CD pipeline (running in a different Google Cloud project) the ability to deploy resources into a target project. The pipeline uses a service account. What is the best way to grant this access?
41. A company wants to use their own HSM to hold encryption keys for Google Cloud services, but they want Google Cloud to perform cryptographic operations without exposing the keys. Which service should they use?
42. A company needs to protect an HTTPS load-balanced web application from OWASP Top 10 attacks, including SQL injection and cross-site scripting. Which GCP service should they enable?
43. A security team needs to detect and redact personally identifiable information (PII) from documents uploaded to Cloud Storage before they are stored. Which GCP service should they use?
44. A company wants to enforce that all secrets used by applications running on Compute Engine are rotated automatically every 30 days. Which GCP service should they use to store and manage these secrets?
45. An organization needs to grant a third-party auditor read-only access to view all resources in a project, including sensitive data like IAM policies and logs. Which role should be assigned?
46. A company deploys a Kubernetes workload in GKE that needs to access Cloud Storage. They want to avoid managing service account keys. What is the recommended approach?
47. A company with multiple projects must ensure that no data can be exfiltrated from a specific project's Cloud Storage buckets to unauthorized locations outside the organization. They also need to allow access only from a corporate VPN IP range. Which configuration meets these requirements?
48. A company wants to deploy a web application behind an HTTPS Load Balancer and only allow authenticated users from their corporate Active Directory. Which two services should they use together? (Choose two.)
49. A company wants to centrally manage firewall rules for all projects in an organization using hierarchical firewall policies. Which three resources can be used in conjunction with hierarchical firewall policies? (Choose three.)
50. An organization needs to comply with FedRAMP requirements and restrict data storage to specific regions. They also need to audit all admin activities and data access. Which three components should they implement? (Choose three.)
51. An organization wants to enforce that all container images deployed to Google Kubernetes Engine (GKE) clusters are signed by an authorized authority and only those images are allowed to run. Which GCP service should they use?
52. A security engineer needs to allow a Compute Engine instance with the service account 'sa-prod@project.iam.gserviceaccount.com' to connect to a Cloud SQL instance over a private IP. The VPC has no firewall rules allowing this traffic. What is the MOST secure way to grant access?
53. A company uses Cloud Key Management Service (Cloud KMS) with a customer-managed encryption key (CMEK) to encrypt data in BigQuery. They want to ensure the key can only be used by the BigQuery service account in the 'us-central1' region. Which IAM condition should be added to the key's IAM policy?
54. Which Google Cloud service allows organizations to define perimeters that protect resources and data from exfiltration to other VPCs or networks?
55. A company is migrating an on-premises application to Google Cloud. The application requires access to a legacy database that can only be reached from a specific on-premises IP address. The company has established a Cloud VPN tunnel. What is the MOST secure way to ensure that only the migrated application's Compute Engine instances can initiate connections to the on-premises database?
56. An organization needs to store API keys and database passwords securely in Google Cloud. They want to automatically rotate secrets every 30 days. Which service should they use?
57. A company wants to enforce that all data stored in Cloud Storage buckets is encrypted with a key that they manage and rotate quarterly. They also want to ensure that the key is stored in a hardware security module (HSM). Which combination of services should they use?
58. Which IAM role should be granted to a user who needs to view but not modify resources in a project?
59. A company uses Assured Workloads to meet FedRAMP compliance. They need to ensure that only authorized personnel can access data access audit logs for their projects. Which IAM role should they grant to the security team?
60. A company wants to allow users to authenticate to a web application running on Compute Engine using their existing corporate Active Directory credentials without exposing the application to the public internet. Which approach should they use?
61. A data engineer needs to scan a Cloud Storage bucket for personally identifiable information (PII) and de-identify the data before loading it into BigQuery. Which Google Cloud service should they use?
62. An engineer is configuring Cloud Armor security policies for an HTTPS Load Balancer. They want to block requests from a specific IP range but allow all other traffic. What is the correct way to configure this?
63. A security team needs to restrict access to a set of Cloud Storage buckets so that only Compute Engine instances with a specific service account can read objects. Which TWO steps should they take? (Choose two.)
64. A company wants to use Cloud Key Management Service (Cloud KMS) to manage encryption keys for multiple applications. They have the following requirements: 1) Keys must be automatically rotated every 90 days. 2) Different applications should have access only to their own keys. 3) All key operations must be logged for audit purposes. Which THREE steps should they take? (Choose three.)
65. An organization wants to implement a zero-trust architecture for a web application running on Compute Engine. They require: (a) all traffic must be authenticated and authorized at the application layer; (b) access decisions must consider the user's identity, device security posture, and IP address; (c) session hijacking must be mitigated. Which THREE services or features should they use? (Choose three.)
66. A security team wants to ensure that all Compute Engine instances in a project are launched with a specific customer-managed encryption key (CMEK) stored in Cloud KMS. What is the correct way to enforce this policy?
67. An organization uses Active Directory (AD) on-premises. They want to synchronize user accounts and groups to Google Cloud Identity so that users can sign in with their existing AD credentials. Which service should they use?
68. A financial services company runs workloads on GKE and wants to ensure only container images that have been approved by the security team can be deployed. The approval process involves signing images after vulnerability scanning. Which GCP service should be integrated with GKE to enforce this policy?
69. A company wants to use Customer-Managed Encryption Keys (CMEK) for data at rest in Cloud Storage, but also needs to ensure that the keys are stored in a hardware security module (HSM) to meet compliance requirements. Which Cloud KMS key type should they choose?
70. An organization needs to restrict access to a Cloud Storage bucket so that only resources in a specific VPC network can read the data. They want to prevent data exfiltration via the internet. Which combination of services should they use?
71. A developer needs to grant a Compute Engine instance the ability to read from a Cloud Storage bucket. The instance does not have a service account attached. What should the developer do?
72. A company is using Cloud SQL for MySQL and wants to encrypt data at rest with a key that they manage and rotate. They also want to avoid any additional cost for the encryption feature. What should they do?
73. A security engineer wants to configure Identity-Aware Proxy (IAP) for an HTTPS load-balanced application to enforce zero-trust access. Users will authenticate with their Google accounts. What is the minimum set of IAM roles needed for a user to access the application behind IAP?
74. A company has a VPC Service Perimeter that protects a project containing BigQuery datasets. They want to allow an external customer's BigQuery job to query data across the perimeter boundary using a private connection. Which configuration is required?
75. A company wants to ensure that all audit logs for a project are retained for 7 years for compliance purposes. Which type of audit logs in Cloud Logging should they configure for the longest retention?
76. An organization needs to run workloads that are subject to ITAR (International Traffic in Arms Regulations) in Google Cloud. Which region should they use to ensure compliance with ITAR requirements?
77. A developer wants to store a database password securely and have it automatically rotated every 30 days. The password is used by a Compute Engine instance. Which Google Cloud service should they use?
78. A security team needs to detect and redact personally identifiable information (PII) in documents stored in Cloud Storage before sharing them with external partners. Which two Google Cloud services should they use together? (Choose two.)
79. A company wants to allow a Kubernetes pod in GKE to authenticate to Google Cloud APIs without storing service account keys in the cluster. Which three components need to be configured to enable Workload Identity? (Choose three.)
80. An organization wants to protect an HTTPS load-balanced web application from common web attacks, such as SQL injection and cross-site scripting (XSS), as well as rate-limit traffic from specific IPs. Which three capabilities should they use together? (Choose three.)
81. An organization wants to enforce that all container images deployed to Google Kubernetes Engine (GKE) are signed and approved via an attestation authority. Which GCP service should they use?
82. A company needs to grant a data scientist read-only access to BigQuery datasets in the project 'analytics-prod' without granting permissions to any other resources. Which IAM role should be assigned at the project level?
83. A security engineer wants to prevent data exfiltration from a project 'prod-data' by ensuring that only approved VPC networks can access BigQuery datasets. Which GCP service should be used?
84. A company wants to encrypt data at rest in Cloud Storage using their own keys stored on-premises. They need to rotate the key every 30 days. Which encryption option should they use?
85. An organization uses Active Directory (AD) on-premises and wants to synchronize user identities to Google Cloud Identity so that users can access G Suite and GCP resources with their existing credentials. Which service should they use?
86. A data engineer needs to automatically detect and redact sensitive data such as credit card numbers from text files uploaded to Cloud Storage before the data is loaded into BigQuery. Which GCP service should be used?
87. A company wants to allow a Kubernetes pod in GKE to access a Cloud Storage bucket using a specific service account without storing long-lived credentials. Which method should be used?
88. An organization needs to comply with FedRAMP High requirements and wants to run workloads in a GCP region that supports these controls. They also need to restrict data movement to only approved services. Which GCP feature should they use?
89. A company has multiple GCP projects under a folder. They want to define a custom IAM role that can be reused across all projects. Where should the custom role be defined?
90. A security admin wants to audit all 'create' and 'delete' operations on Compute Engine instances in a project for the last 90 days. Which type of audit log should they query?
91. A developer wants to store a database password that is used by a Cloud Function. The password must be automatically rotated every 30 days and accessed securely without storing it in the source code. Which GCP service should they use?
92. A company uses Cloud Armor to protect an HTTPS Load Balancer. They want to allow traffic only from users who have passed a reCAPTCHA challenge. Which Cloud Armor feature supports this?
93. A company wants to implement a zero-trust access model for internal web applications running on Compute Engine. They need to authenticate users using corporate credentials and enforce context-aware access based on device posture and IP address. Which TWO services should they use?
94. An organization wants to use Cloud KMS to manage encryption keys for data in Cloud Storage and BigQuery. They require that key material never leaves a hardware security module (HSM) and must be FIPS 140-2 Level 3 certified. Which TWO actions should they take?
95. A company needs to allow a third-party auditor to view all Compute Engine resources in a project but not allow any modifications. The auditor must not have access to any other services. Which THREE steps should be taken?
96. A startup wants to grant a contractor limited access to a single Cloud Storage bucket. The contractor should be able to view and download objects, but not delete or overwrite them. Which IAM role should be assigned?
The Designing for Security and Compliance domain covers the key concepts tested in this area of the PCA exam blueprint published by Google Cloud. Courseiva provides free domain-focused practice, mock exams, missed-question review, and readiness tracking across all PCA domains — no account required.
The Courseiva PCA question bank contains 96 questions in the Designing for Security and Compliance domain. Click any question to see the full explanation and answer breakdown.
Start with a 10-question focused session to identify your baseline accuracy in this domain. Read every explanation — even for questions you answer correctly — to understand the reasoning. Once you score consistently above 80%, move to a 20–30 question session to confirm depth before moving to the next domain.
Yes — the session launcher on this page draws questions exclusively from the Designing for Security and Compliance domain. Choose 10, 20, 30, or 50 questions for a focused session, or click individual questions to review them one by one.