© 2026 Courseiva. Courseiva is operated by JTNetSolutions Ltd. All rights reserved.

Courseiva is an independent certification practice platform and is not affiliated with, endorsed by, or sponsored by Cisco, Microsoft, AWS, CompTIA, Google, ISC2, ISACA, or any other certification vendor. Vendor names and certification marks are used only to identify the exams learners are preparing for.

Google PCA Design for security and compliance — All Questions With Answers

Complete Google PCA Design for security and compliance question bank — all 74 questions with answers and detailed explanations.
Question 1 (easy, multiple choice)

A company is migrating sensitive customer data to Google Cloud. They need to ensure data is encrypted at rest and in transit. Which Google Cloud service provides a centralized way to manage encryption keys used by Google Cloud services?

Question 2 (medium, multiple choice)

A financial services company runs a multi-tier application on Compute Engine. They need to restrict network access so that only the web tier can communicate with the application tier, and only the application tier can access the database tier. All VMs are in the same VPC network. What is the most secure way to implement this?

Question 3 (hard, multiple choice)

A healthcare organization uses Cloud Storage to store protected health information (PHI). They have a compliance requirement to ensure that all objects in the bucket are encrypted with a customer-managed key (CMK) that is rotated every 90 days. They also need to log all access to the bucket and detect anomalous access patterns. Which combination of Google Cloud services should they use?

Question 4 (medium, multiple choice)

An e-commerce platform uses Cloud SQL for MySQL to store user profiles and order history. The security team wants to ensure that database administrators (DBAs) cannot view plaintext credit card numbers stored in the database. They also want to minimize application changes. What should they do?

Question 5 (easy, multiple choice)

A company wants to ensure that only Compute Engine instances with a specific service account can access a Cloud Storage bucket. Which IAM condition should they use?

Question 6 (hard, multiple choice)

A multinational corporation operates in multiple regions and must comply with GDPR. They use Cloud Load Balancing to distribute traffic across regional backends. Their security team wants to block traffic from specific countries (e.g., non-EU countries) at the edge. What should they use?

Question 7 (medium, multi-select)

Which TWO are recommended practices for securing a Kubernetes Engine (GKE) cluster?

Question 8 (hard, multi-select)

Which THREE are valid methods to protect sensitive data in BigQuery?

Question 9 (hard, multiple choice)

Your company runs a multi-region web application on Google Kubernetes Engine (GKE) with pods that process sensitive user data. The application uses Cloud SQL for PostgreSQL as the backend database. Your security team has implemented the following controls: 1) All traffic to the database is encrypted using SSL/TLS. 2) The GKE cluster uses Workload Identity to bind Kubernetes service accounts to IAM service accounts. 3) The Cloud SQL instance is configured with a public IP address and authorized networks to allow only the GKE cluster's node IP ranges. 4) The database credentials are stored in Secret Manager and mounted as volumes in the pods. Recently, a security audit revealed that a pod was compromised due to a container vulnerability. The attacker was able to exfiltrate sensitive data directly from the Cloud SQL database using the credentials from Secret Manager. The security team wants to prevent such exfiltration in the future while minimizing changes to the application code. Which course of action should you recommend?

Question 10 (medium, multiple choice)

A company is migrating its on-premises workloads to Google Cloud. They have strict compliance requirements that all data at rest must be encrypted with customer-managed encryption keys (CMEK). Which Google Cloud service should they use to manage the lifecycle of these keys?

Question 11 (hard, multi-select)

Which TWO of the following are valid methods to control access to Google Cloud resources using Identity and Access Management (IAM)?

Question 12 (hard, multiple choice)

An organization has set the IAM policy constraint 'constraints/iam.allowedPolicyMemberDomains' with the values shown. Which of the following users can be granted an IAM role on a project in this organization?

Exhibit

Refer to the exhibit.

```yaml
# organization_policy.yaml
constraint: constraints/iam.allowedPolicyMemberDomains
listPolicy:
  allowedValues:
    - C0xxxxxxx  # Google Cloud organization ID
    - A1b2C3d4E5f6G7h8I9j0K1l2M3n4O5p6  # Cloud Identity domain: example.com
```
Question 13 (medium, multiple choice)

Your company has a production environment on Google Cloud that includes Compute Engine instances, Cloud Storage buckets, and BigQuery datasets. Security policies require that all data at rest is encrypted with CMEK, and audit logs must be retained for 7 years. The current configuration uses Google-managed encryption keys. You have been asked to transition to CMEK for all resources. After enabling CMEK for new resources, you discover that the existing resources are not re-encrypted. To comply with the policy, you need to re-encrypt the existing data. What should you do?

Question 14 (medium, multiple choice)

A company is deploying a multi-tier web application on Google Cloud. The application must comply with PCI DSS. Which combination of Google Cloud services should be used to restrict access to the database tier to only the application tier, while also encrypting data at rest and in transit?

Question 15 (hard, multi-select)

An organization is implementing a data loss prevention (DLP) strategy for sensitive data stored in Cloud Storage. They want to automatically detect and redact credit card numbers in CSV files uploaded to a specific bucket. Which TWO Google Cloud services should they combine to achieve this?

Question 16 (easy, multiple choice)

Exhibit

Refer to the exhibit.

```
$ gcloud compute firewall-rules list --filter="allowed.ports:22" --format=json
[
  {
    "name": "allow-ssh-ingress",
    "network": "default",
    "direction": "INGRESS",
    "priority": 1000,
    "sourceRanges": ["0.0.0.0/0"],
    "allowed": [{"IPProtocol": "tcp", "ports": ["22"]}],
    "targetTags": ["ssh-allowed"]
  },
  {
    "name": "allow-ssh-from-bastion",
    "sourceRanges": ["10.0.1.0/24"],
    ...
```

An engineer runs the above command and sees two firewall rules that allow SSH access. A security review requires that SSH access be allowed only from the bastion subnet 10.0.1.0/24. What should the engineer do to meet the requirement?
Question 17 (medium, drag-and-drop ordering)

Drag and drop the steps to configure a Cloud Load Balancer with a backend service consisting of Compute Engine instances into the correct order.

Question 18 (medium, drag-and-drop ordering)

Drag and drop the steps to set up a shared VPC in Google Cloud for a multi-project environment into the correct order.

Question 19 (medium, matching)

Match each GCP compute service to its characteristic.

Descriptions to match:

Virtual machines with full control

Managed Kubernetes clusters

Serverless containers

Platform as a Service (PaaS)

Event-driven serverless functions

Question 20 (medium, matching)

Match each GCP data processing service to its use case.

Descriptions to match:

Stream and batch data processing (Apache Beam)

Managed Hadoop and Spark clusters

Asynchronous messaging for event ingestion

Visual data integration pipelines

Workflow orchestration (Apache Airflow)

Question 21 (easy, multiple choice)

A company is deploying a web application on Compute Engine. They want to ensure that only authenticated users can access the application. Which Google Cloud service should they use?

Question 22 (medium, multiple choice)

A company stores sensitive customer data in Cloud Storage buckets. They want to ensure that access to these buckets is only allowed from within their VPC network. Which configuration should they use?

Question 23 (hard, multiple choice)

A multinational corporation must comply with GDPR and requires that all customer data stored in BigQuery be encrypted using customer-managed encryption keys (CMEK) and that the keys are stored in a specific region. Which combination of steps should they take?

Question 24 (easy, multiple choice)

A startup wants to grant a new employee read-only access to view all Compute Engine instances in a project. What is the minimum IAM role they should assign?

Question 25 (medium, multiple choice)

A company runs a Kubernetes cluster on GKE. They need to ensure that pods cannot access Google Cloud APIs unless explicitly allowed through a service account. Which GKE feature should they use?

Question 26 (hard, multiple choice)

An organization has a security policy that prohibits the use of external IP addresses on Compute Engine instances to reduce attack surface. They want to enforce this policy across all new and existing projects. Which approach should they use?

Question 27 (easy, multiple choice)

A company wants to ensure that all access to their Cloud Storage bucket is logged for compliance purposes. Which type of audit log should they enable?

Question 28 (medium, multiple choice)

A company is using Cloud Load Balancing to expose a web application. They want to protect against common web attacks like SQL injection and cross-site scripting. Which Google Cloud service should they configure?

Question 29 (hard, multiple choice)

A financial services company must comply with PCI DSS. They use Cloud SQL for MySQL for transaction processing. They need to ensure that all data at rest is encrypted with keys generated and stored in a Hardware Security Module (HSM) and that key rotation occurs every 90 days. Which configuration should they use?

Question 30 (medium, multi-select)

A company needs to ensure that only approved machine images can be used to create Compute Engine instances to meet security compliance. Which two methods should they use? (Choose two.)

Question 31 (hard, multi-select)

A company uses Cloud KMS to encrypt sensitive data. They need to ensure that encryption key usage is audited and that keys are rotated automatically every 30 days. Which two actions should they take? (Choose two.)

Question 32 (easy, multi-select)

A company is designing a data processing pipeline in Google Cloud that must be HIPAA compliant. Which three security features should they implement? (Choose three.)

Question 33 (easy, multiple choice)

What is the effective access of the service account sa@project.iam.gserviceaccount.com to the bucket?

Exhibit

Refer to the exhibit.

```json
{
  "bindings": [
    {
      "role": "roles/storage.objectViewer",
      "members": [
        "user:alice@example.com"
      ]
    },
    {
      "role": "roles/storage.objectAdmin",
      "members": [
        "user:bob@example.com",
        "serviceAccount:sa@project.iam.gserviceaccount.com"
      ]
    }
  ]
}
```
Question 34 (medium, multiple choice)

Which traffic will this rule allow?

Exhibit

Refer to the exhibit.

```
gcloud compute firewall-rules describe my-rule
---
allowed:
- IPProtocol: tcp
  ports:
  - 80
  - 443
direction: INGRESS
sourceRanges:
- 10.0.0.0/8
- 192.168.0.0/16
targetTags:
- web-server
```
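Both firewall exhibits (the Question 16 listing and the `my-rule` description above) can be evaluated mechanically instead of by eye. The following Python script is an added example and is not part of the Courseiva question bank or of any Google tooling. It reads the JSON that `gcloud compute firewall-rules list --format=json` prints and answers two practical questions: does a rule admit a given source IP, protocol, port and target tag, and which ingress rules open a port to sources outside an approved range (the Question 16 review, where only 10.0.1.0/24 may reach port 22). The embedded rule list is constructed for the example (the bastion rule from Question 16 is given an assumed priority and target tags; `my-rule` is copied from Question 34), and the script only handles IPv4 ranges and treats a rule with no `targetTags` as applying to every VM in the network, both of which are assumptions noted in the comments.

```python
"""Evaluate VPC firewall rules offline from `gcloud compute firewall-rules list --format=json`.

Two checks: does a rule admit a given connection (Question 34), and which
ingress rules expose a port to sources outside an approved range (Question 16)?
Added example; IPv4 only.
"""
import ipaddress
import json

# Constructed sample in the shape of the exhibits, not captured from a real project.
# The bastion rule's priority and targetTags are assumed (they were cut off in the exhibit).
SAMPLE_RULES_JSON = """
[
  {"name": "allow-ssh-ingress", "network": "default", "direction": "INGRESS",
   "priority": 1000, "sourceRanges": ["0.0.0.0/0"],
   "allowed": [{"IPProtocol": "tcp", "ports": ["22"]}], "targetTags": ["ssh-allowed"]},
  {"name": "allow-ssh-from-bastion", "network": "default", "direction": "INGRESS",
   "priority": 900, "sourceRanges": ["10.0.1.0/24"],
   "allowed": [{"IPProtocol": "tcp", "ports": ["22"]}], "targetTags": ["ssh-allowed"]},
  {"name": "my-rule", "network": "default", "direction": "INGRESS",
   "priority": 1000, "sourceRanges": ["10.0.0.0/8", "192.168.0.0/16"],
   "allowed": [{"IPProtocol": "tcp", "ports": ["80", "443"]}], "targetTags": ["web-server"]}
]
"""


def load_rules(text=SAMPLE_RULES_JSON):
    return json.loads(text)


def _port_in_spec(port, spec):
    """Match a port against a gcloud port spec: "22" or a range such as "8000-8080"."""
    if "-" in spec:
        lo, hi = spec.split("-", 1)
        return int(lo) <= port <= int(hi)
    return port == int(spec)


def _entry_covers(entry, protocol, port):
    """An allowed entry with no ports covers every port of its protocol."""
    if entry["IPProtocol"] not in (protocol, "all"):
        return False
    return not entry.get("ports") or any(_port_in_spec(port, s) for s in entry["ports"])


def rule_allows(rule, src_ip, protocol, port, target_tags):
    """True if an INGRESS allow rule admits traffic from src_ip to protocol/port on a VM
    carrying target_tags.  Assumption: a rule without targetTags applies to every VM."""
    if rule.get("direction", "INGRESS") != "INGRESS" or rule.get("disabled"):
        return False
    if rule.get("targetTags") and not set(rule["targetTags"]) & set(target_tags):
        return False
    src = ipaddress.ip_address(src_ip)
    ranges = [ipaddress.ip_network(r) for r in rule.get("sourceRanges", [])]
    if not any(net.version == src.version and src in net for net in ranges):
        return False
    return any(_entry_covers(e, protocol, port) for e in rule.get("allowed", []))


def exposed_rules(rules, port, approved_ranges):
    """Names of ingress allow rules that open `port` from any source range that is not
    wholly inside one of `approved_ranges` (the Question 16 review for port 22)."""
    approved = [ipaddress.ip_network(r) for r in approved_ranges]
    findings = []
    for rule in rules:
        if rule.get("direction", "INGRESS") != "INGRESS" or "allowed" not in rule:
            continue
        if not any(_entry_covers(e, "tcp", port) for e in rule["allowed"]):
            continue
        for r in rule.get("sourceRanges", []):
            net = ipaddress.ip_network(r)
            if not any(a.version == net.version and net.subnet_of(a) for a in approved):
                findings.append(rule["name"])
                break
    return findings


if __name__ == "__main__":
    rules = load_rules()
    by_name = {r["name"]: r for r in rules}
    print(rule_allows(by_name["my-rule"], "10.20.30.40", "tcp", 443, ["web-server"]))
    print(rule_allows(by_name["my-rule"], "8.8.8.8", "tcp", 443, ["web-server"]))
    print(exposed_rules(rules, 22, ["10.0.1.0/24"]))
```

In a real review the script would be fed the live listing (`gcloud compute firewall-rules list --format=json > rules.json`) rather than the embedded sample; `exposed_rules` flags `allow-ssh-ingress` because 0.0.0.0/0 is not inside the bastion subnet, while the bastion rule passes.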
Question 35 (hard, multiple choice)

When will the key be automatically rotated?

Exhibit

Refer to the exhibit.

```
gcloud kms keys describe my-key --location us-central1 --keyring my-keyring
---
createTime: '2024-01-01T00:00:00Z'
destroyScheduledDuration: 86400s
importOnly: false
labels:
  environment: production
name: projects/my-project/locations/us-central1/keyRings/my-keyring/cryptoKeys/my-key
nextRotationTime: '2024-04-01T00:00:00Z'
primary:
  name: projects/my-project/locations/us-central1/keyRings/my-keyring/cryptoKeys/my-key/cryptoKeyVersions/1
  state: ENABLED
rotationPeriod: 7776000s
versionTemplate:
  algorithm: GOOGLE_SYMMETRIC_ENCRYPTION
  protectionLevel: HSM
```
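Questions 29, 31 and 35 all turn on the same three fields of a Cloud KMS key: `rotationPeriod`, `nextRotationTime` and `versionTemplate.protectionLevel`. The Python script below is an added example, not part of the question bank or of Google's tooling. It parses the `gcloud kms keys describe` output with a small regular expression instead of a YAML library so that it runs on the standard library alone (an assumption: it only handles the flat `key: value` lines it needs), lists the upcoming rotation times, and reports where the key falls short of a policy such as "HSM-backed, rotated at least every 90 days". The key description embedded in it is constructed from the exhibit.

```python
"""Check a Cloud KMS key's rotation schedule and protection level against a policy.

Reads the YAML that `gcloud kms keys describe` prints.  Added example; parsing is a
regex over the few flat fields needed, not a full YAML parser (assumption).
"""
import re
from datetime import datetime, timedelta, timezone

# Constructed from the Question 35 exhibit.
SAMPLE_DESCRIBE = """\
createTime: '2024-01-01T00:00:00Z'
name: projects/my-project/locations/us-central1/keyRings/my-keyring/cryptoKeys/my-key
nextRotationTime: '2024-04-01T00:00:00Z'
primary:
  name: projects/my-project/locations/us-central1/keyRings/my-keyring/cryptoKeys/my-key/cryptoKeyVersions/1
  state: ENABLED
rotationPeriod: 7776000s
versionTemplate:
  algorithm: GOOGLE_SYMMETRIC_ENCRYPTION
  protectionLevel: HSM
"""


def _field(text, name):
    """First `name: value` line in the output, with optional single quotes stripped."""
    m = re.search(rf"^\s*{name}: '?([^'\n]+)'?\s*$", text, re.MULTILINE)
    return m.group(1) if m else None


def _timestamp(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_key(text):
    period = _field(text, "rotationPeriod")          # e.g. "7776000s"
    next_rotation = _field(text, "nextRotationTime")
    return {
        "name": _field(text, "name"),
        "rotation_period": timedelta(seconds=int(period.rstrip("s"))) if period else None,
        "next_rotation": _timestamp(next_rotation) if next_rotation else None,
        "protection_level": _field(text, "protectionLevel"),
    }


def upcoming_rotations(key, count=3):
    """The next `count` automatic rotations: nextRotationTime, then every rotationPeriod.
    nextRotationTime is set independently of createTime, so the schedule starts there."""
    if key["next_rotation"] is None or key["rotation_period"] is None:
        return []
    return [key["next_rotation"] + i * key["rotation_period"] for i in range(count)]


def policy_findings(key, max_period_days, require_hsm=True):
    """Human-readable policy violations; an empty list means the key is compliant."""
    findings = []
    if key["rotation_period"] is None or key["next_rotation"] is None:
        findings.append("automatic rotation is not configured")
    elif key["rotation_period"] > timedelta(days=max_period_days):
        findings.append(f"rotation period {key['rotation_period'].days}d exceeds {max_period_days}d")
    if require_hsm and key["protection_level"] != "HSM":
        findings.append(f"protection level is {key['protection_level']}, not HSM")
    return findings


if __name__ == "__main__":
    key = parse_key(SAMPLE_DESCRIBE)
    for when in upcoming_rotations(key):
        print(when.isoformat())
    print(policy_findings(key, max_period_days=90))
    print(policy_findings(key, max_period_days=30))
```

The sample key passes a 90-day HSM policy and fails a 30-day one (7776000 seconds is exactly 90 days); the first rotation is the exhibit's `nextRotationTime`, 2024-04-01, and each later one is 90 days after the previous.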
Question 36 (easy, multiple choice)

A company wants to restrict data exfiltration from its Google Cloud projects by preventing resources from copying data to external IP addresses. Which service should they use?

Question 37 (easy, multiple choice)

A data scientist needs read-only access to a Cloud Storage bucket containing training data. What is the least privileged IAM role to grant at the bucket level?

Question 38 (easy, multiple choice)

A company wants to automatically rotate cryptographic keys on a schedule without manual intervention. Which service should they use?

Question 39 (medium, multiple choice)

A company has a fleet of Compute Engine instances that need to access a Cloud Storage bucket. The security team requires that only instances in specific VPC networks can access the bucket, and that the data is encrypted in transit. How can this be achieved?

Question 40 (medium, multiple choice)

A company hosts a web application on Google Kubernetes Engine (GKE) and wants to protect against SQL injection attacks. Which service should they configure?

Question 41 (medium, multiple choice)

A data engineer needs to analyze data in BigQuery but must mask personally identifiable information (PII) based on user roles. Which service should they use?

Question 42 (hard, multiple choice)

A financial institution deploys a containerized application on GKE with Binary Authorization enabled. They want to ensure that only images signed by their internal CI/CD pipeline are deployed, and they also need to allow a break-glass procedure using a specific image from a curated registry. How should they configure Binary Authorization?

Question 43 (hard, multiple choice)

A security architect is designing a zero-trust network for applications running on Compute Engine. They want to enforce that all traffic between VMs must be encrypted and authenticated, regardless of the VPC network. Which approach meets this requirement?

Question 44 (hard, multiple choice)

A company manages secrets for multiple microservices using Secret Manager. They need to ensure that each service can access only its own secrets, and that all access is logged. What is the best IAM architecture?

Question 45 (easy, multi-select)

Which TWO methods can be used to encrypt data at rest in BigQuery?

Question 46 (medium, multi-select)

Which TWO practices improve the security of a Cloud Run service?

Question 47 (hard, multi-select)

Which THREE services can be used to audit changes to resources in a Google Cloud project?

Question 48 (easy, multiple choice)

After executing the command, a security review reveals that the service account sa-bucket-reader can also list buckets in the project, which was not intended. What is the most likely cause?

Exhibit

Refer to the exhibit.

```bash
$ gcloud projects set-iam-policy my-project policy.json
Updated IAM policy for project [my-project].
$
```

Contents of policy.json:
```json
{
  "bindings": [
    {
      "role": "roles/storage.objectViewer",
      "members": [
        "user:alice@example.com",
        "serviceAccount:sa-bucket-reader@my-project.iam.gserviceaccount.com"
      ]
    }
  ],
  "etag": "BwVY3Y8Y8Y8="
}
```
Question 49 (medium, multiple choice)

Alice needs to read objects in the bucket 'secret-bucket'. Based on the IAM policy, what is her effective access?

Exhibit

Refer to the exhibit.

IAM policy for project my-project:
```json
{
  "bindings": [
    {
      "role": "roles/storage.objectViewer",
      "members": ["user:alice@example.com"]
    },
    {
      "role": "roles/storage.objectAdmin",
      "members": ["user:alice@example.com"]
    }
  ],
  "denyRules": [
    {
      "denialCondition": {
        "expression": "resource.name.startsWith('projects/my-project/buckets/secret-bucket')"
      },
      "members": ["user:alice@example.com"],
      "role": "roles/storage.objectViewer"
    }
  ]
}
```
Question 50 (hard, multiple choice)

The firewall rule 'allow-ssh' was not created. According to the audit log, what is the most likely reason?

Exhibit

Refer to the exhibit.

Cloud Audit Log entry:
```json
{
  "protoPayload": {
    "methodName": "v1.compute.firewalls.insert",
    "resourceName": "projects/my-project/global/firewalls/allow-ssh",
    "authenticationInfo": {
      "principalEmail": "admin@example.com"
    },
    "authorizationInfo": [
      {
        "permission": "compute.firewalls.create",
        "granted": false,
        "resourceAttributes": {
          "name": "projects/my-project/global/firewalls"
        }
      }
    ],
    "status": {
      "code": 7,
      "message": "Permission denied"
    }
  }
}
```
Question 51 (medium, multiple choice)

A company wants to restrict access to a Cloud Storage bucket so that only objects encrypted with a specific Cloud KMS key can be read. Which approach should they use?

Question 52 (hard, multiple choice)

A security engineer is configuring VPC Service Controls to protect a project containing BigQuery datasets with PII. They want to prevent data exfiltration while allowing authorized users to query the data from outside the perimeter. Which configuration meets these requirements?

Question 53 (easy, multiple choice)

A company is deploying a web application on Google Kubernetes Engine (GKE) and needs to ensure that the application's service account can only pull images from a specific Container Registry repository. What is the best practice to enforce this?

Question 54 (hard, multiple choice)

A healthcare organization is storing sensitive patient data in Cloud Storage. They need to ensure that all objects are encrypted with a key managed by their on-premises HSM. Which encryption approach should they use?

Question 55 (easy, multiple choice)

A company wants to use Cloud Armor to protect their HTTP load balancer from SQL injection attacks. Which rule action should they configure to block malicious requests?

Question 56 (medium, multiple choice)

An organization is implementing a data loss prevention (DLP) strategy for Cloud Storage. They want to automatically scan new objects uploaded to a specific bucket and redact sensitive data. Which service and configuration should they use?

Question 57 (medium, multiple choice)

A company wants to allow developers to create service accounts in a project but prevent them from granting the 'roles/iam.serviceAccountUser' role to any user. Which organization policy constraint should they set?

Question 58 (hard, multiple choice)

A company is using Cloud SQL with automatic backups enabled. They want to ensure that backups are encrypted with a customer-managed key (CMEK) and that the key used for backups is different from the one used for the database itself. How can they achieve this?

Question 59 (easy, multiple choice)

A security team wants to receive alerts when a user attempts to grant the 'roles/owner' role to a member outside of the organization's domain. Which log filter should they use to create a log-based metric?
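Questions 50 and 59 are both exercises in reading Cloud Audit Logs: one asks what a `granted: false` entry in `authorizationInfo` tells you, the other asks how to alert when `roles/owner` is handed to someone outside the organisation. The Python script below is an added example and not the page's or Google's code. It scans audit entries exported one JSON object per line (the shape a Logging sink writes) and reports both conditions. The three entries embedded in it are constructed for the example, the organisation domain `example.com` is an assumption, and the `serviceData.policyDelta.bindingDeltas` path used for SetIamPolicy entries is the one Cloud Audit Logs writes for project-level IAM changes.

```python
"""Scan exported Cloud Audit Log entries (one JSON object per line) for
(a) calls that failed a permission check, with the missing permission, and
(b) SetIamPolicy calls that ADD roles/owner to a member outside the organisation.
Added example with constructed sample entries.
"""
import json

ORG_DOMAINS = ("example.com",)  # assumed organisation domain(s)

# Constructed sample: the Question 50 entry plus two SetIamPolicy entries.
SAMPLE_LOG = """\
{"protoPayload": {"methodName": "v1.compute.firewalls.insert", "resourceName": "projects/my-project/global/firewalls/allow-ssh", "authenticationInfo": {"principalEmail": "admin@example.com"}, "authorizationInfo": [{"permission": "compute.firewalls.create", "granted": false, "resourceAttributes": {"name": "projects/my-project/global/firewalls"}}], "status": {"code": 7, "message": "Permission denied"}}}
{"protoPayload": {"methodName": "SetIamPolicy", "resourceName": "projects/my-project", "authenticationInfo": {"principalEmail": "admin@example.com"}, "serviceData": {"policyDelta": {"bindingDeltas": [{"action": "ADD", "role": "roles/owner", "member": "user:contractor@partner.example"}]}}}}
{"protoPayload": {"methodName": "SetIamPolicy", "resourceName": "projects/my-project", "authenticationInfo": {"principalEmail": "admin@example.com"}, "serviceData": {"policyDelta": {"bindingDeltas": [{"action": "ADD", "role": "roles/viewer", "member": "user:bob@example.com"}]}}}}
"""


def parse_entries(text):
    """One audit-log entry per non-empty line."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def _caller(payload):
    return payload.get("authenticationInfo", {}).get("principalEmail")


def denied_calls(entries):
    """(principal, method, permission) for every authorization check that was not granted.
    status.code 7 is PERMISSION_DENIED; authorizationInfo names the exact permission."""
    out = []
    for entry in entries:
        payload = entry.get("protoPayload", {})
        for auth in payload.get("authorizationInfo", []):
            if auth.get("granted") is False:
                out.append((_caller(payload), payload.get("methodName"), auth.get("permission")))
    return out


def _external(member, domains):
    """A member is internal only if it is user:/group: at one of `domains`.
    allUsers, allAuthenticatedUsers and service accounts (which live under
    *.iam.gserviceaccount.com) count as external unless their domain is listed."""
    if ":" not in member:
        return True
    _, ident = member.split(":", 1)
    return not any(ident.lower().endswith("@" + d.lower()) for d in domains)


def external_owner_grants(entries, domains=ORG_DOMAINS):
    """(principal, member) for each SetIamPolicy that ADDs roles/owner to an outside member."""
    out = []
    for entry in entries:
        payload = entry.get("protoPayload", {})
        if not payload.get("methodName", "").endswith("SetIamPolicy"):
            continue
        deltas = payload.get("serviceData", {}).get("policyDelta", {}).get("bindingDeltas", [])
        for delta in deltas:
            if (delta.get("action") == "ADD" and delta.get("role") == "roles/owner"
                    and _external(delta.get("member", ""), domains)):
                out.append((_caller(payload), delta["member"]))
    return out


if __name__ == "__main__":
    entries = parse_entries(SAMPLE_LOG)
    print(denied_calls(entries))
    print(external_owner_grants(entries))
```

Running it on a historical export is a cheap way to validate the predicate before turning it into a log-based metric: anything `external_owner_grants` reports is exactly what a metric over `SetIamPolicy` entries whose `bindingDeltas` add `roles/owner` should count, and `denied_calls` turns the Question 50 entry into the one-line diagnosis "admin@example.com lacks compute.firewalls.create".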

Question 60 (medium, multi-select)

Which TWO controls should a financial services company implement to comply with the PCI DSS requirements for protecting cardholder data stored in Cloud SQL? (Choose two.)

Question 61 (hard, multi-select)

Which THREE Google Cloud services can be used to implement a zero-trust architecture for network security? (Choose three.)

Question 62 (medium, multi-select)

Which TWO security best practices should be applied when configuring Cloud Functions that process sensitive data? (Choose two.)

Question 63 (hard, multiple choice)

A large e-commerce company runs its production workloads on Google Cloud. The security team has implemented a VPC Service Controls perimeter around the production project to prevent data exfiltration. The perimeter includes the project, and access is allowed only from an access level that requires the user to be on the corporate network (192.0.2.0/24). Recently, the DevOps team reported that their CI/CD pipeline, which runs on Cloud Build with a VPC connector attached to a shared VPC in a different project, is failing to deploy to Cloud Run. The pipeline uses a service account with roles/run.admin on the production project. The Cloud Build worker IPs are ephemeral and not in the corporate IP range. The pipeline's deployment step times out with permission errors. Which action will resolve the issue while maintaining security compliance?

Question 64 (medium, multiple choice)

A company is designing a VPC Service Controls perimeter to protect data stored in Google Cloud. They need to allow access from their on-premises network via a Cloud VPN tunnel while blocking all internet-based access. What is the most secure and manageable approach?

Question 65 (easy, multiple choice)

A startup wants to encrypt data at rest in Cloud Storage using Customer-Managed Encryption Keys (CMEK). They have already created a Cloud KMS key ring and key. What additional step is required to enable CMEK for a new Cloud Storage bucket?

Question 66 (hard, multi-select)

A financial services company must meet PCI DSS compliance requirements for a Google Kubernetes Engine (GKE) cluster processing credit card data. Which TWO actions are required to help achieve PCI DSS compliance? (Choose two.)

Question 67 (medium, multi-select)

A company is migrating to Google Cloud and needs to implement a least-privilege access model. Which THREE Google Cloud services or features support this goal? (Choose three.)

Question 68 (medium, multiple choice)

A company has a multi-project Google Cloud environment with strict compliance requirements. They need to ensure that all projects enforce a uniform set of constraints, such as requiring CMEK for Compute Engine disk encryption and blocking the use of public IPs on VMs. They have defined these constraints using Organization Policies at the organization level. However, the security team discovers that some projects are not enforcing the constraints because they have been overridden at the project level by the respective project owners. The security team wants a solution that prevents project-level overrides while maintaining the ability to apply exceptions at a folder level when approved. What should they do?

Question 69 (hard, multiple choice)

A healthcare organization stores Protected Health Information (PHI) in Cloud SQL. They have implemented encryption at rest using CMEK and enforce TLS for all connections. To meet HIPAA compliance, they need to ensure that PHI cannot be exfiltrated from the Cloud SQL instance even if an application is compromised. The Cloud SQL instance is accessed by Compute Engine instances in the same VPC using private IPs. The security team wants to add an additional layer of defense against data exfiltration. What should they do?

Question 70 (easy, multiple choice)

A small company wants to store sensitive files in Cloud Storage and ensure they are encrypted with a key that they control and rotate automatically every 90 days. They are currently using the default encryption provided by Google Cloud. They need a solution that is easy to manage and does not require manual key rotation. What should they do?

Question 71 (medium, multiple choice)

A company uses Google Cloud Armor to protect their HTTP load balancer from OWASP Top 10 attacks. After deploying a security policy with pre-configured WAF rules, they notice that some legitimate user requests are being blocked because they match a rule incorrectly. The security team wants to fine-tune the rules to reduce false positives while maintaining strong protection. They also want to evaluate the impact of changes before enforcing them. What should they do?

Question 72 (medium, multi-select)

Which TWO of the following are valid methods to enforce data residency at rest in Google Cloud?

Question 73 (hard, multiple choice)

A security administrator wants to ensure that a Cloud Storage bucket named `gs://my-bucket` is only accessible by service accounts, not user accounts. Which action should they take?

Exhibit

Refer to the exhibit.

```json
{
  "bindings": [
    {
      "role": "roles/storage.objectViewer",
      "members": [
        "user:alice@example.com",
        "serviceAccount:my-sa@project.iam.gserviceaccount.com"
      ]
    },
    {
      "role": "roles/storage.objectCreator",
      "members": [
        "user:bob@example.com"
      ]
    }
  ],
  "etag": "BwWw=="
}
```
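Questions 33, 49 and 73 all ask the reader to compute a principal's effective access by hand from a policy document. The following Python script is an added example, not part of the Courseiva question bank or of Google's IAM implementation. It expands each allow binding through a hand-maintained subset of the predefined Cloud Storage roles (an assumption; the authoritative permission lists come from `gcloud iam roles describe`), then applies deny rules the way IAM deny policies behave in production: a denied permission is removed regardless of which role granted it. The Question 49 exhibit names a role in its deny rule, whereas real deny policies list `deniedPermissions`; the script accepts both and treats the role form as shorthand for that role's permissions. The sample policy and the `projects/<project>/buckets/<bucket>` resource-name form follow the exhibits and are constructed for the example.

```python
"""Effective permissions of a principal on a bucket, from allow bindings plus deny rules,
and the list of human principals bound to the resource.  Added example.

Assumptions: ROLE_PERMISSIONS is a hand-maintained subset of the real predefined roles;
deny rules are evaluated before allow bindings at the permission level, as IAM deny
policies are; the only CEL condition understood is resource.name.startsWith('...').
"""
import json
import re

# Assumed subset of predefined role -> permission mappings.
ROLE_PERMISSIONS = {
    "roles/storage.objectViewer": {"storage.objects.get", "storage.objects.list"},
    "roles/storage.objectCreator": {"storage.objects.create"},
    "roles/storage.objectAdmin": {"storage.objects.get", "storage.objects.list",
                                  "storage.objects.create", "storage.objects.delete",
                                  "storage.objects.update"},
}

# Constructed policy in the shape of the Question 49 exhibit, with the service account
# from Question 33 and the creator binding from Question 73 added.
SAMPLE_POLICY = json.loads("""
{
  "bindings": [
    {"role": "roles/storage.objectViewer",
     "members": ["user:alice@example.com", "serviceAccount:sa@project.iam.gserviceaccount.com"]},
    {"role": "roles/storage.objectAdmin", "members": ["user:alice@example.com"]},
    {"role": "roles/storage.objectCreator", "members": ["user:bob@example.com"]}
  ],
  "denyRules": [
    {"denialCondition": {"expression": "resource.name.startsWith('projects/my-project/buckets/secret-bucket')"},
     "members": ["user:alice@example.com"],
     "role": "roles/storage.objectViewer"}
  ]
}
""")


def _condition_matches(expression, resource_name):
    """Evaluate resource.name.startsWith('<prefix>'); any other expression raises so that
    an unrecognised deny condition is never silently ignored (fail closed for the reviewer)."""
    m = re.fullmatch(r"resource\.name\.startsWith\('([^']*)'\)", expression.strip())
    if not m:
        raise ValueError(f"unsupported condition expression: {expression}")
    return resource_name.startswith(m.group(1))


def effective_permissions(policy, principal, resource_name):
    """Union of the principal's allow bindings minus everything a matching deny rule removes."""
    allowed = set()
    for binding in policy.get("bindings", []):
        if principal in binding.get("members", []):
            allowed |= ROLE_PERMISSIONS.get(binding["role"], set())
    for rule in policy.get("denyRules", []):
        if principal not in rule.get("members", []):
            continue
        expr = rule.get("denialCondition", {}).get("expression")
        if expr and not _condition_matches(expr, resource_name):
            continue
        denied = set(rule.get("deniedPermissions", []))
        if "role" in rule:  # exhibit shorthand: deny every permission the named role grants
            denied |= ROLE_PERMISSIONS.get(rule["role"], set())
        allowed -= denied
    return allowed


def human_principals(policy):
    """Members that are people (user:/group:) rather than service accounts; a non-empty
    result fails the "service accounts only" requirement of Question 73."""
    return sorted({m for b in policy.get("bindings", []) for m in b.get("members", [])
                   if m.startswith(("user:", "group:"))})


if __name__ == "__main__":
    alice = "user:alice@example.com"
    print(sorted(effective_permissions(SAMPLE_POLICY, alice, "projects/my-project/buckets/secret-bucket")))
    print(sorted(effective_permissions(SAMPLE_POLICY, alice, "projects/my-project/buckets/public-assets")))
    print(human_principals(SAMPLE_POLICY))
```

Under these semantics the deny rule strips `storage.objects.get` and `storage.objects.list` from Alice on `secret-bucket` even though `roles/storage.objectAdmin` also grants them, which is the property that makes deny policies useful as a guard rail against over-broad allow bindings; on any other bucket she keeps the full objectAdmin set.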
Question 74 (easy, multiple choice)

A financial services company is migrating a sensitive customer data application to Google Cloud. The application runs on Compute Engine VMs in a VPC. The security team requires that all data at rest in Cloud Storage and BigQuery must be encrypted with customer-managed encryption keys (CMEK). Additionally, the keys must be stored in a different project than the data, and access to the keys must be audited. The operations team has set up a CMEK key in Cloud KMS in a separate project, assigned the Cloud KMS CryptoKey Encrypter/Decrypter role to the data project's Compute Engine service account, and enabled Cloud Storage and BigQuery to use CMEK. However, when the application tries to read from Cloud Storage, it fails with 'Access Denied.' The Cloud KMS key is in project 'kms-proj' and the data is in project 'data-proj'. What is the most likely cause?
