Practice PCA Design for security and compliance questions with full explanations on every answer.
1. A company is migrating sensitive customer data to Google Cloud. They need to ensure data is encrypted at rest and in transit. Which Google Cloud service provides a centralized way to manage encryption keys used by Google Cloud services?
2. A financial services company runs a multi-tier application on Compute Engine. They need to restrict network access so that only the web tier can communicate with the application tier, and only the application tier can access the database tier. All VMs are in the same VPC network. What is the most secure way to implement this?
3. A healthcare organization uses Cloud Storage to store protected health information (PHI). They have a compliance requirement to ensure that all objects in the bucket are encrypted with a customer-managed key (CMK) that is rotated every 90 days. They also need to log all access to the bucket and detect anomalous access patterns. Which combination of Google Cloud services should they use?
4. An e-commerce platform uses Cloud SQL for MySQL to store user profiles and order history. The security team wants to ensure that database administrators (DBAs) cannot view plaintext credit card numbers stored in the database. They also want to minimize application changes. What should they do?
5. A company wants to ensure that only Compute Engine instances with a specific service account can access a Cloud Storage bucket. Which IAM condition should they use?
6. A multinational corporation operates in multiple regions and must comply with GDPR. They use Cloud Load Balancing to distribute traffic across regional backends. Their security team wants to block traffic from specific countries (e.g., non-EU countries) at the edge. What should they use?
7. Which TWO are recommended practices for securing a Kubernetes Engine (GKE) cluster?
8. Which THREE are valid methods to protect sensitive data in BigQuery?
9. Your company runs a multi-region web application on Google Kubernetes Engine (GKE) with pods that process sensitive user data. The application uses Cloud SQL for PostgreSQL as the backend database. Your security team has implemented the following controls: 1) All traffic to the database is encrypted using SSL/TLS. 2) The GKE cluster uses Workload Identity to bind Kubernetes service accounts to IAM service accounts. 3) The Cloud SQL instance is configured with a public IP address and authorized networks to allow only the GKE cluster's node IP ranges. 4) The database credentials are stored in Secret Manager and mounted as volumes in the pods. Recently, a security audit revealed that a pod was compromised due to a container vulnerability. The attacker was able to exfiltrate sensitive data directly from the Cloud SQL database using the credentials from Secret Manager. The security team wants to prevent such exfiltration in the future while minimizing changes to the application code. Which course of action should you recommend?
10. A company is migrating its on-premises workloads to Google Cloud. They have strict compliance requirements that all data at rest must be encrypted with customer-managed encryption keys (CMEK). Which Google Cloud service should they use to manage the lifecycle of these keys?
11. Which TWO of the following are valid methods to control access to Google Cloud resources using Identity and Access Management (IAM)?
12. An organization has set the IAM policy constraint 'constraints/iam.allowedPolicyMemberDomains' with the values shown. Which of the following users can be granted an IAM role on a project in this organization?
13. Your company has a production environment on Google Cloud that includes Compute Engine instances, Cloud Storage buckets, and BigQuery datasets. Security policies require that all data at rest is encrypted with CMEK, and audit logs must be retained for 7 years. The current configuration uses Google-managed encryption keys. You have been asked to transition to CMEK for all resources. After enabling CMEK for new resources, you discover that the existing resources are not re-encrypted. To comply with the policy, you need to re-encrypt the existing data. What should you do?
14. A company is deploying a multi-tier web application on Google Cloud. The application must comply with PCI DSS. Which combination of Google Cloud services should be used to restrict access to the database tier to only the application tier, while also encrypting data at rest and in transit?
15. An organization is implementing a data loss prevention (DLP) strategy for sensitive data stored in Cloud Storage. They want to automatically detect and redact credit card numbers in CSV files uploaded to a specific bucket. Which TWO Google Cloud services should they combine to achieve this?
16. An engineer runs the above command and sees two firewall rules that allow SSH access. A security review requires that SSH access be allowed only from the bastion subnet 10.0.1.0/24. What should the engineer do to meet the requirement?
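Questions 2 and 16 both turn on how VPC firewall rules are evaluated: every matching rule is collected, the lowest numeric priority wins, a deny beats an allow at the same priority, and a packet that matches nothing falls through to the VPC's implied deny-all-ingress rule. The model below is an added example written for this page, not code from Courseiva or from Google Cloud; rule names, tags and addresses are constructed, and it deliberately omits egress rules, service-account sources, hierarchical firewall policies and network firewall policies. It shows why a second, narrower bastion-only rule does nothing while a 0.0.0.0/0 SSH rule still exists, and why tag-scoped allow rules plus the implied deny isolate the tiers in question 2.

```python
import ipaddress
from dataclasses import dataclass, field

IMPLIED_DENY = "implied-deny-ingress"   # every VPC has this rule at priority 65535


@dataclass
class Rule:
    name: str
    priority: int                        # 0 = evaluated first, 65535 = last
    action: str                          # "allow" or "deny"
    protocol: str                        # "tcp", "udp", "icmp" or "all"
    ports: set = field(default_factory=set)          # empty = all ports
    source_ranges: list = field(default_factory=list)
    source_tags: set = field(default_factory=set)    # instance network tags
    target_tags: set = field(default_factory=set)    # empty = every instance in the VPC


@dataclass
class Packet:
    src_ip: str
    src_tags: set      # tags on the sending instance (empty for external sources)
    dst_tags: set      # tags on the receiving instance
    protocol: str
    port: int


def rule_matches(rule, pkt):
    if rule.protocol not in ("all", pkt.protocol):
        return False
    if rule.ports and pkt.port not in rule.ports:
        return False
    if rule.target_tags and not (rule.target_tags & pkt.dst_tags):
        return False
    src = ipaddress.ip_address(pkt.src_ip)
    by_range = any(src in ipaddress.ip_network(r) for r in rule.source_ranges)
    by_tag = bool(rule.source_tags & pkt.src_tags)
    return by_range or by_tag


def evaluate_ingress(rules, pkt):
    """Return (action, rule_name) for one ingress packet.

    Lowest priority number wins; at equal priority deny beats allow; no
    matching rule means the implied deny applies."""
    matching = [r for r in rules if rule_matches(r, pkt)]
    if not matching:
        return ("deny", IMPLIED_DENY)
    best = min(matching, key=lambda r: (r.priority, 0 if r.action == "deny" else 1))
    return (best.action, best.name)


# --- constructed scenarios ---------------------------------------------------

def ssh_rules_before():
    # Question 16: two rules allow SSH; the bastion rule is redundant while the
    # 0.0.0.0/0 rule exists, because both allow at the same priority.
    return [Rule("allow-ssh-any", 1000, "allow", "tcp", {22}, ["0.0.0.0/0"]),
            Rule("allow-ssh-bastion", 1000, "allow", "tcp", {22}, ["10.0.1.0/24"])]


def ssh_rules_after():
    # The fix: remove the open rule so only the bastion subnet is allowed.
    return [r for r in ssh_rules_before() if r.name != "allow-ssh-any"]


def mixed_rules():
    # A deny at the same priority as an allow wins, so a blanket deny would
    # also close the hole (but leaves the open allow rule lying around).
    return ssh_rules_before() + [
        Rule("deny-ssh-internet", 1000, "deny", "tcp", {22}, ["0.0.0.0/0"])]


def tier_rules():
    # Question 2: web -> app on 8080 and app -> db on 3306, nothing else.
    return [Rule("web-to-app", 1000, "allow", "tcp", {8080},
                 source_tags={"web"}, target_tags={"app"}),
            Rule("app-to-db", 1000, "allow", "tcp", {3306},
                 source_tags={"app"}, target_tags={"db"})]


if __name__ == "__main__":
    internet_ssh = Packet("203.0.113.5", set(), {"web"}, "tcp", 22)
    print("before:", evaluate_ingress(ssh_rules_before(), internet_ssh))
    print("after: ", evaluate_ingress(ssh_rules_after(), internet_ssh))
    print("web->db:", evaluate_ingress(tier_rules(), Packet("10.128.0.5", {"web"}, {"db"}, "tcp", 3306)))
```

In the real environment the remediation for question 16 is to delete the broad rule (`gcloud compute firewall-rules delete allow-ssh-any`, with the rule name assumed here) rather than add another allow rule; a higher-precedence deny also works, but leaves the open allow rule in place for someone to "fix" later. The evaluation order above is also why tag- or service-account-scoped allows with no broad allow are the standard way to get the tier isolation in question 2.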
17. Drag and drop the steps to configure a Cloud Load Balancer with a backend service consisting of Compute Engine instances into the correct order.
18. Drag and drop the steps to set up a shared VPC in Google Cloud for a multi-project environment into the correct order.
19. Match each GCP compute service to its characteristic.
20. Match each GCP data processing service to its use case.
21. A company is deploying a web application on Compute Engine. They want to ensure that only authenticated users can access the application. Which Google Cloud service should they use?
22. A company stores sensitive customer data in Cloud Storage buckets. They want to ensure that access to these buckets is only allowed from within their VPC network. Which configuration should they use?
23. A multinational corporation must comply with GDPR and requires that all customer data stored in BigQuery be encrypted using customer-managed encryption keys (CMEK) and that the keys are stored in a specific region. Which combination of steps should they take?
24. A startup wants to grant a new employee read-only access to view all Compute Engine instances in a project. What is the minimum IAM role they should assign?
25. A company runs a Kubernetes cluster on GKE. They need to ensure that pods cannot access Google Cloud APIs unless explicitly allowed through a service account. Which GKE feature should they use?
26. An organization has a security policy that prohibits the use of external IP addresses on Compute Engine instances to reduce attack surface. They want to enforce this policy across all new and existing projects. Which approach should they use?
27. A company wants to ensure that all access to their Cloud Storage bucket is logged for compliance purposes. Which type of audit log should they enable?
28. A company is using Cloud Load Balancing to expose a web application. They want to protect against common web attacks like SQL injection and cross-site scripting. Which Google Cloud service should they configure?
29. A financial services company must comply with PCI DSS. They use Cloud SQL for MySQL for transaction processing. They need to ensure that all data at rest is encrypted with keys generated and stored in a Hardware Security Module (HSM) and that key rotation occurs every 90 days. Which configuration should they use?
30. A company needs to ensure that only approved machine images can be used to create Compute Engine instances to meet security compliance. Which two methods should they use? (Choose two.)
31. A company uses Cloud KMS to encrypt sensitive data. They need to ensure that encryption key usage is audited and that keys are rotated automatically every 30 days. Which two actions should they take? (Choose two.)
32. A company is designing a data processing pipeline in Google Cloud that must be HIPAA compliant. Which three security features should they implement? (Choose three.)
33. What is the effective access of the service account sa@project.iam.gserviceaccount.com to the bucket?
34. Which traffic will this rule allow?
35. When will the key be automatically rotated?
36. A company wants to restrict data exfiltration from its Google Cloud projects by preventing resources from copying data to external IP addresses. Which service should they use?
37. A data scientist needs read-only access to a Cloud Storage bucket containing training data. What is the least privileged IAM role to grant at the bucket level?
38. A company wants to automatically rotate cryptographic keys on a schedule without manual intervention. Which service should they use?
39. A company has a fleet of Compute Engine instances that need to access a Cloud Storage bucket. The security team requires that only instances in specific VPC networks can access the bucket, and that the data is encrypted in transit. How can this be achieved?
40. A company hosts a web application on Google Kubernetes Engine (GKE) and wants to protect against SQL injection attacks. Which service should they configure?
41. A data engineer needs to analyze data in BigQuery but must mask personally identifiable information (PII) based on user roles. Which service should they use?
42. A financial institution deploys a containerized application on GKE with Binary Authorization enabled. They want to ensure that only images signed by their internal CI/CD pipeline are deployed, and they also need to allow a break-glass procedure using a specific image from a curated registry. How should they configure Binary Authorization?
43. A security architect is designing a zero-trust network for applications running on Compute Engine. They want to enforce that all traffic between VMs must be encrypted and authenticated, regardless of the VPC network. Which approach meets this requirement?
44. A company manages secrets for multiple microservices using Secret Manager. They need to ensure that each service can access only its own secrets, and that all access is logged. What is the best IAM architecture?
45. Which TWO methods can be used to encrypt data at rest in BigQuery?
46. Which TWO practices improve the security of a Cloud Run service?
47. Which THREE services can be used to audit changes to resources in a Google Cloud project?
48. After executing the command, a security review reveals that the service account sa-bucket-reader can also list buckets in the project, which was not intended. What is the most likely cause?
49. Alice needs to read objects in the bucket 'secret-bucket'. Based on the IAM policy, what is her effective access?
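Questions 33, 37, 48 and 49 all ask for a principal's effective access, which in IAM is the union of every allow binding on the resource and on each of its ancestors (organization, folder, project, bucket), expanded through group membership and filtered by any binding condition. A role granted at the project is therefore inherited by every bucket in that project, which is the usual reason a "bucket reader" can suddenly list or read more than intended. The resolver below is an added example for this page, not Courseiva's or Google's code; the resource names, members and the permission sets inside `ROLE_PERMISSIONS` are constructed subsets of what the real predefined roles carry, and the model covers allow policies only (IAM deny policies and legacy bucket ACLs are ignored).

```python
from dataclasses import dataclass, field
from typing import Callable, Optional

# Constructed subset of the real roles' permissions, enough to show the point.
ROLE_PERMISSIONS = {
    "roles/storage.objectViewer": {"storage.objects.get", "storage.objects.list"},
    "roles/storage.objectAdmin": {"storage.objects.get", "storage.objects.list",
                                  "storage.objects.create", "storage.objects.delete"},
    "roles/viewer": {"storage.buckets.list", "storage.buckets.get",
                     "storage.objects.get", "storage.objects.list"},
}

# Constructed group membership (one level deep).
GROUPS = {"group:auditors@example.com": {"user:bob@example.com"}}


@dataclass
class Binding:
    role: str
    members: set
    # Optional IAM condition, modelled as a predicate over the resource name.
    # On the real platform this is a CEL expression such as
    # resource.name.startsWith("projects/_/buckets/secret-").
    condition: Optional[Callable[[str], bool]] = None


@dataclass
class Resource:
    name: str                        # constructed names, e.g. "projects/data-proj/buckets/secret-bucket"
    parent: Optional["Resource"]     # None for the organization
    bindings: list = field(default_factory=list)

    def ancestry(self):
        node = self
        while node is not None:
            yield node
            node = node.parent


def principal_identities(principal, groups):
    """The principal plus every group it belongs to."""
    return {principal} | {g for g, members in groups.items() if principal in members}


def effective_permissions(principal, resource, groups=None):
    """Union of permissions from bindings on the resource and all its ancestors.

    Policies are additive: a project-level binding applies to every bucket in
    the project, and a binding only counts if its condition holds for the
    resource being accessed."""
    idents = principal_identities(principal, groups if groups is not None else GROUPS)
    perms = set()
    for node in resource.ancestry():
        for b in node.bindings:
            if not (b.members & idents):
                continue
            if b.condition is not None and not b.condition(resource.name):
                continue
            perms |= ROLE_PERMISSIONS.get(b.role, set())
    return perms


def can(principal, resource, permission, groups=None):
    return permission in effective_permissions(principal, resource, groups)


def build_hierarchy():
    """Constructed org -> project -> two buckets, with one binding at each level."""
    org = Resource("organizations/123", None, [
        Binding("roles/viewer", {"group:auditors@example.com"})])
    project = Resource("projects/data-proj", org, [
        # The question-48 situation: a project-level grant, inherited by every bucket.
        Binding("roles/viewer", {"serviceAccount:sa-bucket-reader@data-proj.iam.gserviceaccount.com"}),
        # Alice's project-level grant is conditioned on the bucket name, so it
        # only takes effect on buckets whose name starts with "secret-".
        Binding("roles/storage.objectViewer", {"user:alice@example.com"},
                condition=lambda name: name.startswith("projects/data-proj/buckets/secret-"))])
    secret = Resource("projects/data-proj/buckets/secret-bucket", project)
    other = Resource("projects/data-proj/buckets/other-bucket", project)
    return {"org": org, "project": project, "secret": secret, "other": other}


if __name__ == "__main__":
    h = build_hierarchy()
    sa = "serviceAccount:sa-bucket-reader@data-proj.iam.gserviceaccount.com"
    print("alice on secret-bucket:", sorted(effective_permissions("user:alice@example.com", h["secret"])))
    print("alice on other-bucket: ", sorted(effective_permissions("user:alice@example.com", h["other"])))
    print("sa can list buckets?   ", can(sa, h["other"], "storage.buckets.list"))
```

The practical check this models: when a service account or user has more access than the bucket-level policy explains, walk up the hierarchy (`gcloud projects get-iam-policy`, then the folder and organization policies) and expand groups before concluding the bucket policy is wrong. Granting the narrowest role at the bucket itself, as question 37 asks, avoids inheriting project-wide permissions such as `storage.buckets.list`.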
50. The firewall rule 'allow-ssh' was not created. According to the audit log, what is the most likely reason?
51. A company wants to restrict access to a Cloud Storage bucket so that only objects encrypted with a specific Cloud KMS key can be read. Which approach should they use?
52. A security engineer is configuring VPC Service Controls to protect a project containing BigQuery datasets with PII. They want to prevent data exfiltration while allowing authorized users to query the data from outside the perimeter. Which configuration meets these requirements?
53. A company is deploying a web application on Google Kubernetes Engine (GKE) and needs to ensure that the application's service account can only pull images from a specific Container Registry repository. What is the best practice to enforce this?
54. A healthcare organization is storing sensitive patient data in Cloud Storage. They need to ensure that all objects are encrypted with a key managed by their on-premises HSM. Which encryption approach should they use?
55. A company wants to use Cloud Armor to protect their HTTP load balancer from SQL injection attacks. Which rule action should they configure to block malicious requests?
56. An organization is implementing a data loss prevention (DLP) strategy for Cloud Storage. They want to automatically scan new objects uploaded to a specific bucket and redact sensitive data. Which service and configuration should they use?
57. A company wants to allow developers to create service accounts in a project but prevent them from granting the 'roles/iam.serviceAccountUser' role to any user. Which organization policy constraint should they set?
58. A company is using Cloud SQL with automatic backups enabled. They want to ensure that backups are encrypted with a customer-managed key (CMEK) and that the key used for backups is different from the one used for the database itself. How can they achieve this?
59. A security team wants to receive alerts when a user attempts to grant the 'roles/owner' role to a member outside of the organization's domain. Which log filter should they use to create a log-based metric?
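Question 59 (and the audit-log reasoning behind questions 47 and 50) rests on the shape of an Admin Activity audit log entry for `SetIamPolicy`: the granted and revoked bindings appear under `protoPayload.serviceData.policyDelta.bindingDeltas`, each with an `action` (ADD or REMOVE), a `role` and a `member`. The example below is added for this page and is not Courseiva's or Google's code; the log lines are constructed, and `example.com` is an assumed corporate domain. It builds the Cloud Logging query a log-based metric would use and, next to it, a per-delta evaluator, because the two do not agree: in the Logging query language each clause on a repeated field is satisfied by any element, so the three `bindingDeltas` clauses can be satisfied by different deltas of one entry (for instance an entry that removes an external owner and adds the same external user as viewer).

```python
import json

ALLOWED_DOMAINS = ("example.com",)      # assumed corporate domain(s)
WATCHED_ROLE = "roles/owner"


def logging_filter(role=WATCHED_ROLE, domains=ALLOWED_DOMAINS):
    """Cloud Logging query for a log-based metric.

    Each clause on the repeated bindingDeltas field matches if ANY element
    matches it, so this is broader than flagged_grants() below."""
    not_internal = " AND ".join(
        f'NOT protoPayload.serviceData.policyDelta.bindingDeltas.member:"@{d}"'
        for d in domains)
    return ('protoPayload.methodName="SetIamPolicy"'
            ' AND protoPayload.serviceData.policyDelta.bindingDeltas.action="ADD"'
            f' AND protoPayload.serviceData.policyDelta.bindingDeltas.role="{role}"'
            f' AND {not_internal}')


def member_is_external(member, domains=ALLOWED_DOMAINS):
    """True unless the member's identity ends with an allowed domain.
    Service accounts never carry the corporate domain, so in practice they
    need their own allowlist (by project); here they count as external."""
    if member in ("allUsers", "allAuthenticatedUsers"):
        return True
    _kind, _, ident = member.partition(":")
    return not any(ident.endswith("@" + d) for d in domains)


def _deltas(entry):
    p = entry.get("protoPayload", {})
    if p.get("methodName") != "SetIamPolicy":
        return p, []
    return p, p.get("serviceData", {}).get("policyDelta", {}).get("bindingDeltas", [])


def flagged_grants(entries, role=WATCHED_ROLE, domains=ALLOWED_DOMAINS):
    """Precise check: one (principal, resource, member) per ADD of `role` to an
    external member. This is what the alert should actually be about."""
    hits = []
    for entry in entries:
        p, deltas = _deltas(entry)
        for d in deltas:
            if (d.get("action") == "ADD" and d.get("role") == role
                    and member_is_external(d.get("member", ""), domains)):
                hits.append((p.get("authenticationInfo", {}).get("principalEmail"),
                             p.get("resourceName"), d["member"]))
    return hits


def filter_semantics_match(entry, role=WATCHED_ROLE, domains=ALLOWED_DOMAINS):
    """What logging_filter() matches: clauses are evaluated per field over all
    deltas, not per delta, so they need not refer to the same binding."""
    _p, deltas = _deltas(entry)
    if not deltas:
        return False
    return (any(d.get("action") == "ADD" for d in deltas)
            and any(d.get("role") == role for d in deltas)
            and all(not any(("@" + dom) in d.get("member", "") for d in deltas)
                    for dom in domains))


# Constructed audit log lines (abridged to the fields used here).
SAMPLE_LOG_LINES = [
    # 1: a real external owner grant -> must alert
    '{"logName":"projects/data-proj/logs/cloudaudit.googleapis.com%2Factivity","protoPayload":{"methodName":"SetIamPolicy","resourceName":"projects/data-proj","authenticationInfo":{"principalEmail":"admin@example.com"},"serviceData":{"policyDelta":{"bindingDeltas":[{"action":"ADD","role":"roles/owner","member":"user:mallory@attacker.example"}]}}}}',
    # 2: internal owner grant -> no alert
    '{"logName":"projects/data-proj/logs/cloudaudit.googleapis.com%2Factivity","protoPayload":{"methodName":"SetIamPolicy","resourceName":"projects/data-proj","authenticationInfo":{"principalEmail":"admin@example.com"},"serviceData":{"policyDelta":{"bindingDeltas":[{"action":"ADD","role":"roles/owner","member":"user:alice@example.com"}]}}}}',
    # 3: external partner downgraded from owner to viewer -> the metric fires, flagged_grants does not
    '{"logName":"projects/data-proj/logs/cloudaudit.googleapis.com%2Factivity","protoPayload":{"methodName":"SetIamPolicy","resourceName":"projects/data-proj","authenticationInfo":{"principalEmail":"admin@example.com"},"serviceData":{"policyDelta":{"bindingDeltas":[{"action":"REMOVE","role":"roles/owner","member":"user:partner@partner.example"},{"action":"ADD","role":"roles/viewer","member":"user:partner@partner.example"}]}}}}',
]
SAMPLE_ENTRIES = [json.loads(line) for line in SAMPLE_LOG_LINES]

if __name__ == "__main__":
    print(logging_filter())
    print("precise hits:", flagged_grants(SAMPLE_ENTRIES))
    print("metric matches:", [filter_semantics_match(e) for e in SAMPLE_ENTRIES])
```

The log-based metric is still the right answer to question 59 as an exam matter; the operational caveat is that the alert it produces should be triaged against the entry's actual `bindingDeltas`, or the entries routed through a log sink to code that applies the per-delta check, so that benign multi-binding changes like line 3 do not page anyone. Organization-level enforcement of `constraints/iam.allowedPolicyMemberDomains` (question 12) prevents the grant in line 1 outright; the metric is then the detective control for projects or members exempted from it.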
60. Which TWO controls should a financial services company implement to comply with the PCI DSS requirements related to protecting cardholder data stored in Cloud SQL? (Choose two.)
61. Which THREE Google Cloud services can be used to implement a zero-trust architecture for network security? (Choose three.)
62. Which TWO security best practices should be applied when configuring Cloud Functions that process sensitive data? (Choose two.)
63. A large e-commerce company runs its production workloads on Google Cloud. The security team has implemented a VPC Service Controls perimeter around the production project to prevent data exfiltration. The perimeter includes the project, and access is allowed only from an access level that requires the user to be on the corporate network (192.0.2.0/24). Recently, the DevOps team reported that their CI/CD pipeline, which runs on Cloud Build with a VPC connector attached to a shared VPC in a different project, is failing to deploy to Cloud Run. The pipeline uses a service account with roles/run.admin on the production project. The Cloud Build worker IPs are ephemeral and not in the corporate IP range. The pipeline's deployment step times out with permission errors. Which action will resolve the issue while maintaining security compliance?
64. A company is designing a VPC Service Controls perimeter to protect data stored in Google Cloud. They need to allow access from their on-premises network via a Cloud VPN tunnel while blocking all internet-based access. What is the most secure and manageable approach?
65. A startup wants to encrypt data at rest in Cloud Storage using Customer-Managed Encryption Keys (CMEK). They have already created a Cloud KMS key ring and key. What additional step is required to enable CMEK for a new Cloud Storage bucket?
66. A financial services company must meet PCI DSS compliance requirements for a Google Kubernetes Engine (GKE) cluster processing credit card data. Which TWO actions are required to help achieve PCI DSS compliance? (Choose two.)
67. A company is migrating to Google Cloud and needs to implement a least-privilege access model. Which THREE Google Cloud services or features support this goal? (Choose three.)
68. A company has a multi-project Google Cloud environment with strict compliance requirements. They need to ensure that all projects enforce a uniform set of constraints, such as requiring CMEK for Compute Engine disk encryption and blocking the use of public IPs on VMs. They have defined these constraints using Organization Policies at the organization level. However, the security team discovers that some projects are not enforcing the constraints because they have been overridden at the project level by the respective project owners. The security team wants a solution that prevents project-level overrides while maintaining the ability to apply exceptions at a folder level when approved. What should they do?
69. A healthcare organization stores Protected Health Information (PHI) in Cloud SQL. They have implemented encryption at rest using CMEK and enforce TLS for all connections. To meet HIPAA compliance, they need to ensure that PHI cannot be exfiltrated from the Cloud SQL instance even if an application is compromised. The Cloud SQL instance is accessed by Compute Engine instances in the same VPC using private IPs. The security team wants to add an additional layer of defense against data exfiltration. What should they do?
70. A small company wants to store sensitive files in Cloud Storage and ensure they are encrypted with a key that they control and rotate automatically every 90 days. They are currently using the default encryption provided by Google Cloud. They need a solution that is easy to manage and does not require manual key rotation. What should they do?
71. A company uses Google Cloud Armor to protect their HTTP load balancer from OWASP Top 10 attacks. After deploying a security policy with pre-configured WAF rules, they notice that some legitimate user requests are being blocked because they match a rule incorrectly. The security team wants to fine-tune the rules to reduce false positives while maintaining strong protection. They also want to evaluate the impact of changes before enforcing them. What should they do?
72. Which TWO of the following are valid methods to enforce data residency at rest in Google Cloud?
73. A security administrator wants to ensure that a Cloud Storage bucket named `gs://my-bucket` is only accessible by service accounts, not user accounts. Which action should they take?
74. A financial services company is migrating a sensitive customer data application to Google Cloud. The application runs on Compute Engine VMs in a VPC. The security team requires that all data at rest in Cloud Storage and BigQuery must be encrypted with customer-managed encryption keys (CMEK). Additionally, the keys must be stored in a different project than the data, and access to the keys must be audited. The operations team has set up a CMEK key in Cloud KMS in a separate project, assigned the Cloud KMS CryptoKey Encrypter/Decrypter role to the data project's Compute Engine service account, and enabled Cloud Storage and BigQuery to use CMEK. However, when the application tries to read from Cloud Storage, it fails with 'Access Denied.' The Cloud KMS key is in project 'kms-proj' and the data is in project 'data-proj'. What is the most likely cause?
The Design for security and compliance domain covers the key concepts tested in this area of the PCA exam blueprint published by Google Cloud. Courseiva provides free domain-focused practice, mock exams, missed-question review, and readiness tracking across all PCA domains — no account required.
The Courseiva PCA question bank contains 74 questions in the Design for security and compliance domain; their stems are listed above.
Start with a 10-question focused session to identify your baseline accuracy in this domain. Read every explanation — even for questions you answer correctly — to understand the reasoning. Once you score consistently above 80%, move to a 20–30 question session to confirm depth before moving to the next domain.