Practice PCSE Ensuring data protection questions with full explanations on every answer.
Start practicing
Ensuring data protection — choose a session length
Free · No account required
Click any question to see the full explanation and answer options, or start a focused practice session above.
A company stores sensitive customer data in Cloud Storage. They want to ensure that data is encrypted at rest using customer-managed encryption keys (CMEK) and that access to the key is audited. Which approach should they use?
2A security engineer needs to protect sensitive data in BigQuery. The data includes columns with personally identifiable information (PII). They want to automatically mask PII data for users with the role 'analyst' but allow full access for 'admin' users. Which approach should they use?
3A company is using Cloud SQL for MySQL to store financial data. They need to ensure that all data is encrypted at rest and in transit. What should they do?
4A company is migrating on-premises data to Cloud Storage. They have regulatory requirements to encrypt data using keys managed by their on-premises hardware security module (HSM). Which solution should they use?
5A company has a Cloud Storage bucket containing sensitive data. They want to ensure that only users with specific IAM roles can access the bucket, and that access is logged for audit purposes. They also want to prevent public access. Which configuration steps should they take?
6A company is using Cloud Data Loss Prevention (DLP) to inspect and de-identify sensitive data in Cloud Storage. They want to classify data using infoTypes and apply de-identification techniques. Which TWO actions should they take?
7A company uses BigQuery to store sensitive data and wants to implement data masking using policy tags. They have three user groups: data_engineers (full access), data_analysts (masked PII), and data_scientists (masked financial data). Which THREE steps should they take?
8A security engineer runs the command in the exhibit. The command fails with an error: 'Permission denied: cryptoKeyVersions.encrypt'. What is the most likely cause?
9A security engineer reviews the IAM policy for a Cloud Storage bucket as shown in the exhibit. Alice reports that she cannot upload objects to the bucket, while Bob can view objects. What is the most likely issue?
10A company stores sensitive customer data in Cloud Storage and uses CMEK with Cloud KMS. They want to ensure that data in transit to the storage bucket is always encrypted using TLS 1.2 or higher. Which configuration should they implement?
11A healthcare organization stores PHI in BigQuery tables with row-level access policies. They need to ensure that data is automatically de-identified when exported to Cloud Storage for analytics. What is the most scalable solution with minimal manual intervention?
12A company uses Cloud KMS to protect encryption keys for their Cloud SQL databases. They want to rotate keys every 30 days and ensure that old keys are retained for at least 90 days. What is the recommended approach?
13Which TWO actions should a security engineer take to protect sensitive data in Cloud Storage buckets from accidental public exposure? (Choose two.)
14Which THREE steps are required to implement field-level encryption for sensitive columns in a Cloud SQL for PostgreSQL database using Cloud KMS? (Choose three.)
15Refer to the exhibit. A security engineer runs this command to check bucket permissions. What is the most significant security issue?
16You are a security engineer for a healthcare organization. You need to protect sensitive patient data stored in Cloud Storage. You want to ensure that data is encrypted at rest using a customer-managed key (CMEK) and that access to the key is logged. You also need to prevent data exfiltration by limiting which service accounts can decrypt data. Which TWO steps should you take? (Choose two.)
17Refer to the exhibit. You are analyzing the IAM policy for a project. You need to ensure that only authenticated users can access objects in bucket1 under the prefix "reports/". Which of the following statements is correct?
18Your company runs a data analytics platform on Google Cloud that processes sensitive financial data. Data is ingested from various sources into a Cloud Storage bucket, then processed by Dataflow jobs, and final results are stored in BigQuery. You have implemented the following security controls: - VPC Service Controls perimeter around the project - Cloud KMS CMEK for all storage services - IAM conditions restricting access based on tags - Cloud Audit Logs enabled for all services Recently, an auditor discovered that a compromised service account was able to read data from the Cloud Storage bucket even though it was outside the VPC Service Controls perimeter. The auditor reviewed the logs and found that the access came from a Compute Engine instance that was running within the same project. What is the most likely reason the VPC Service Controls perimeter did not block this access?
19Drag and drop the steps to rotate a customer-managed encryption key (CMEK) in Cloud KMS in the correct order.
20Drag and drop the steps to configure a security scanner to scan a web application in the correct order.
21Match each CVE or security concept to its description.
22Match each access control mechanism to its description.
23A company stores sensitive customer data in Cloud Storage. They want to ensure that only users with explicit IAM permissions can decrypt the data, and that Google does not have access to the encryption keys. Which encryption option should they use?
24A security engineer needs to audit all attempts to access a Cloud Storage bucket, including successful and failed attempts. Which logging option should they enable?
25An organization wants to prevent data exfiltration from a Google Cloud project by restricting the copying of data from Cloud Storage to external IPs. Which Google Cloud service should they use?
26A company uses BigQuery to store analytics data. They need to restrict access to specific rows based on the user's department. What should they implement?
27A financial institution uses Cloud KMS to manage encryption keys. They want to ensure that key material is never exported from the KMS service. Which key protection method should they use?
28A healthcare organization stores Protected Health Information (PHI) in Cloud Storage. They need to de-identify data before sharing it with researchers. Which service should they use?
29A company uses Cloud SQL for MySQL with automated backups. They want to ensure that backup data is encrypted with a key that they manage and rotate on a schedule, separate from the primary database encryption. What should they do?
30An organization uses BigQuery with column-level security. They have a column containing social security numbers (SSNs) that should only be visible to users with the 'PII_Viewer' role. How should they configure this?
31A company uses Cloud Storage with CMEK. The Cloud KMS key is disabled accidentally by an administrator. What will happen to existing objects encrypted with that key?
32A security engineer is designing data protection for Cloud Storage. Which TWO methods can be used to enforce encryption at rest for objects? (Choose TWO.)
33A company is implementing data loss prevention (DLP) for BigQuery. Which THREE capabilities are provided by Cloud DLP? (Choose THREE.)
34An organization wants to ensure that only compute instances in a specific VPC can access a Cloud Storage bucket. They also want to prevent the bucket data from being downloaded to an external IP. Which TWO services should they combine? (Choose TWO.)
35Refer to the exhibit. A security engineer runs the following command to check encryption settings on a Cloud Storage bucket. What does the output indicate about encryption?
36Refer to the exhibit. A security engineer runs the following IAM policy command for a Cloud Storage bucket. What access does the bindings grant?
37Refer to the exhibit. A security administrator is troubleshooting why a user cannot access a BigQuery dataset. The user analyst@example.com is not a member of data-team@example.com. The user is trying to query a table in the dataset. What is the most likely reason for the denial?
38A financial institution wants to encrypt data in Cloud Storage using keys that they rotate monthly through Cloud KMS. Which key management option should they use?
39A multinational corporation is required to protect sensitive data in BigQuery using column-level encryption. They want to use a customer-managed key stored in Cloud KMS. What is the correct approach?
40A company uses Cloud SQL for PostgreSQL with CMEK. They need to ensure that the Cloud SQL instance can only be accessed by authorized compute resources that have the correct IAM permissions to decrypt the data. What additional configuration is required to enforce access control?
41A developer accidentally committed a file containing a service account key to a public GitHub repository. Which action should be taken immediately to invalidate the compromised key?
42You want to encrypt data in Google Cloud Storage using a key that is managed and stored in a third-party key management system outside of Google Cloud. Which feature should you use?
43A company uses Cloud KMS to protect encryption keys for various applications. They need to ensure that keys are automatically rotated every 90 days and that the rotation does not require re-encrypting all data. Which key type and rotation strategy should they use?
44An organization uses Cloud DLP to inspect BigQuery tables for sensitive data. They want to automatically remove credit card numbers before the data is accessed by analysts but still allow the raw data for auditing purposes. Which DLP technique should they use?
45A company is deploying a microservices architecture on Google Kubernetes Engine (GKE). They need to securely store and access database credentials, API keys, and other secrets. They want to avoid storing secrets in plaintext in the container image or Kubernetes manifests. Which solution should they use?
46A healthcare organization is designing a data pipeline that ingests patient health records into Cloud Storage, then processes them with Dataflow for analytics. They must ensure that data is encrypted at rest and in transit, and that only authorized users can access the raw data. They also need to guarantee that the encryption keys are stored outside of Google Cloud. Which solution meets all requirements?
47Which two Cloud Storage encryption options allow the customer to supply or manage the encryption keys? (Choose two.)
48Which three actions help protect Cloud KMS key material? (Choose three.)
49Which two best practices for managing secrets in Secret Manager? (Choose two.)
50Refer to the exhibit. A security engineer has created this IAM policy for a Cloud KMS key. The service account my-sa is used by a Compute Engine VM to encrypt data before storing it in Cloud Storage. User alice needs to decrypt the data for analysis. Which statement is true?
51Refer to the exhibit. Based on the exhibit, the corporate security policy requires that all Cloud KMS symmetric keys have automatic rotation enabled. Which statement is true?
52Refer to the exhibit. A security engineer needs to ensure that all objects uploaded to the bucket are automatically encrypted with the specified KMS key. They also need to preserve older versions of objects. Which statement accurately describes the bucket configuration?
53A company wants to ensure that all data stored in Cloud Storage buckets is encrypted with a customer-managed key (CMEK) that is managed in Cloud KMS. The security team requires that only authorized applications can access the key. Which configuration step should be taken to achieve this?
54A company uses Cloud Data Loss Prevention (DLP) to inspect sensitive data in Cloud Storage. They want to automatically redact credit card numbers found in text files before the files are accessed by downstream applications. Which DLP method should be used?
55A multinational organization must store customer data only in specific geographic regions to comply with data residency regulations. They use Cloud Spanner for their primary database. What should they do to enforce that data is stored only in approved regions?
56A security engineer needs to encrypt data at rest in Cloud Storage using a key that is not managed by Google Cloud. The key must be stored on-premises and provided with each API call for data access. Which encryption approach should be used?
57A company uses VPC Service Controls to protect data in BigQuery and Cloud Storage. They need to allow a third-party application running outside the service perimeter to query BigQuery datasets within the perimeter. What should they configure?
58A financial institution uses Cloud HSM to protect cryptographic keys used for signing sensitive transactions. They want to ensure that keys are never exportable and that key usage is logged. Which key type should they create in Cloud HSM?
59An organization uses Cloud DLP to scan a Cloud SQL database for PII. They want to automatically pseudonymize email addresses found in a specific column using a deterministic encryption that can be reversed for authorized users. The key must be stored in Cloud KMS. Which DLP transformation should they configure?
60A security team has a Cloud KMS key used for encrypting Cloud Storage objects. They need to ensure that when the key is rotated, old data remains decryptable without manual re-encryption. They also want to minimize the number of key versions. Which approach should they take?
61A company needs to meet a regulatory requirement that cryptographic keys for data at rest in Google Cloud must be managed in an on-premises HSM and never leave the HSM. Google Cloud services should be able to use those keys for encryption/decryption. Which solution should they implement?
62Which TWO of the following are valid methods to protect data in transit between on-premises and Google Cloud using Cloud VPN?
63Which THREE of the following are best practices for using Cloud DLP to protect sensitive data in BigQuery?
64A company is implementing confidential VMs with Shielded VM and data encryption. Which two actions must be taken to ensure data protection for confidential compute workloads?
65Refer to the exhibit. A security engineer sees this configuration for a Cloud Storage bucket. What does this indicate about the encryption of objects in this bucket?
66Refer to the exhibit. A security engineer is reviewing a Cloud KMS key. What can be concluded about this key?
67Refer to the exhibit. An auditor notices this log entry. Which of the following is true about this event?
68A company wants to ensure that all data stored in Cloud Storage buckets is encrypted at rest using a customer-managed key that is automatically rotated every 90 days. What should they do?
69A multinational organization must ensure that data for European users is stored only within the European Union to comply with GDPR. They use Cloud Storage and BigQuery. Which design should they implement?
70A security engineer needs to configure Cloud KMS key rotation so that existing ciphertext can still be decrypted with old key versions, but new encryption uses the latest version. Which key management practice meets this requirement?
71A retail company hosts an e-commerce website on Compute Engine behind an HTTPS load balancer. They want to encrypt traffic between the load balancer and backend instances. What should they do?
72A healthcare organization ingests patient data into Cloud Storage and then processes it with Dataflow. They need to de-identify sensitive fields like Social Security numbers before storing in BigQuery. Which approach should they use?
73A financial services company wants to ensure that Google Cloud staff cannot access their encryption keys or the plaintext data. They must meet regulatory requirements for data sovereignty. Which combination of services should they use?
74A small business stores backup archives in Cloud Storage and wants to encrypt them at rest using a key that is automatically rotated annually. They do not want to manage key material themselves. Which encryption option should they use?
75A company uses Cloud Functions to process employee data and wants to ensure that personally identifiable information (PII) is redacted from log output. Which approach should they take?
76A company must comply with PCI DSS requirements that mandate the use of a hardware security module (HSM) for key storage. They plan to use Cloud KMS for key management. Which implementation meets compliance?
77Which TWO options are required to use Cloud DLP to successfully inspect data in a Cloud Storage bucket?
78Which THREE are best practices for managing encryption keys in Google Cloud?
79Which THREE Google Cloud services can encrypt data at rest?
80Refer to the exhibit. The security team created this key for encrypting database backups. After an audit, they found that data encrypted before May 1, 2023, cannot be decrypted. What is the most likely cause?
81A global e-commerce company uses Google Cloud to host its platform. They store customer payment data in Cloud SQL and use Cloud Storage for backups. Currently, they rely on Google-managed encryption keys. A new compliance requirement mandates that all encryption keys must be stored in a hardware security module (HSM) and rotated every 30 days. Additionally, they need to retain backup data for 7 years, during which the keys used to encrypt the backups must be available for decryption. They have created a Cloud HSM key ring and a key with a rotation period of 2592000 seconds (30 days). After configuring Cloud SQL and Cloud Storage to use the Cloud HSM key, they notice that backups older than 30 days cannot be decrypted. The company's security engineer verified that the key versions are still present. What is the most likely cause and how should it be resolved?
82A healthcare startup is building a data pipeline on Google Cloud. They receive patient data via a REST API running on Cloud Run. The data includes sensitive health information that must be de-identified before being stored in BigQuery. They plan to use Cloud DLP to inspect and transform the data. However, due to latency requirements, they need to de-identify the data within 5 seconds of receiving the request. They have set up a Cloud DLP job to inspect the data synchronously using the DLP API. During testing, they notice that the de-identification sometimes takes over 10 seconds, causing API timeouts. They want to reduce the latency without compromising security. What should they do?
83A financial services company uses Cloud Storage to store sensitive customer data. They want to encrypt this data at rest using customer-managed encryption keys (CMEK) and automate key rotation every 90 days. Which approach should they take?
84A healthcare organization needs to redact Social Security Numbers (SSNs) from patient records stored in Cloud Storage before sharing them with a research partner. They plan to use Cloud DLP. Which TWO actions should they take to configure the DLP job correctly? (Choose two.)
85A large enterprise runs analytics workloads on BigQuery containing sensitive financial data. They have implemented VPC Service Controls (VPC SC) to create a perimeter around the BigQuery dataset, allowing access only from a specific VPC network. Despite this, security auditors discovered that data was accessed from an IP address outside the perimeter. After investigation, they found the access originated from a user's personal laptop using the Google Cloud Console. The company's security policy requires that sensitive data can only be accessed from corporate-managed devices. What should they do to prevent this type of access?
86A company runs a containerized application on Google Kubernetes Engine (GKE) that reads from a Cloud Storage bucket encrypted with a customer-managed key (CMEK) in Cloud KMS. The application uses a dedicated Google service account with the roles/storage.objectViewer role and a Cloud KMS CryptoKey Decrypter binding on the key. After a scheduled key rotation, the application started receiving '403 Access Denied' errors when accessing objects. The Cloud KMS key has multiple versions. The service account's IAM permissions have not changed. What is the most likely cause and the appropriate fix?
87A large enterprise is using Cloud Data Loss Prevention (DLP) to inspect a Cloud Storage bucket containing millions of files for sensitive data like credit card numbers and health information. The DLP inspection job is configured to scan the entire bucket with a schedule. Recently, the job has been failing with a 'Quota exceeded' error for the DLP inspect requests quota. The team needs to continue inspecting all files without increasing the quota limit, as the quota increase request would take weeks. They cannot skip any files due to compliance requirements. What should they do to work around the quota limit while inspecting all files?
88A development team uses Cloud Secret Manager to store database credentials for an application running on Compute Engine. The application reads the secret using the Secret Manager API. After the team rotates the secret by adding a new version and setting it as the latest, the application continues to use the old secret version and fails to authenticate. The application is configured to fetch the secret with version 'latest' at startup. The team checks that the Compute Engine service account has the roles/secretmanager.secretAccessor role on the secret. What is the most likely cause of the issue?
89A company runs a Cloud SQL for PostgreSQL instance that stores customer data. They must encrypt the database at rest using customer-managed encryption keys (CMEK) to meet regulatory requirements. The instance is currently using Google-managed encryption. What must they do to implement CMEK? The company wants to minimize downtime and avoid data loss.
90Alice has the role roles/storage.objectAdmin on the bucket my-bucket via the IAM policy shown. She is unable to access the object gs://my-bucket/reports/data.csv. What is the most likely reason?
91A company wants to encrypt data at rest in Cloud SQL. Which TWO methods are supported? (Choose TWO.)
92A company operates a hybrid cloud environment with on-premises data centers and Google Cloud Platform. They store sensitive customer data in Cloud Storage buckets and use Data Loss Prevention (DLP) to scan for and inspect sensitive content. They have automated DLP inspection jobs that run periodically, but they want to automatically redact sensitive data (e.g., Social Security numbers) in any new object as soon as it is written to a specific bucket. The redacted version should replace the original object in the same bucket. Which of the following is the most effective and recommended approach?
The Ensuring data protection domain covers the key concepts tested in this area of the PCSE exam blueprint published by Google Cloud. Courseiva provides free domain-focused practice, mock exams, missed-question review, and readiness tracking across all PCSE domains — no account required.
The Courseiva PCSE question bank contains 92 questions in the Ensuring data protection domain. Click any question to see the full explanation and answer breakdown.
Start with a 10-question focused session to identify your baseline accuracy in this domain. Read every explanation — even for questions you answer correctly — to understand the reasoning. Once you score consistently above 80%, move to a 20–30 question session to confirm depth before moving to the next domain.
Yes — the session launcher on this page draws questions exclusively from the Ensuring data protection domain. Choose 10, 20, 30, or 50 questions for a focused session, or click individual questions to review them one by one.
Save your results, see per-domain analytics, and get readiness scores — free, for every certification.
Sign Up FreeFree forever · Every certification included