Courseiva is a free IT certification practice platform offering original exam-style practice questions, detailed explanations, topic-based practice, mock exams, readiness tracking, and study analytics for Cisco, CompTIA, Microsoft, AWS, and other technology certifications.

© 2026 Courseiva. Courseiva is operated by JTNetSolutions Ltd. All rights reserved.

Courseiva is an independent certification practice platform and is not affiliated with, endorsed by, or sponsored by Cisco, Microsoft, AWS, CompTIA, Google, ISC2, ISACA, or any other certification vendor. Vendor names and certification marks are used only to identify the exams learners are preparing for.


Ensuring data protection

Practice PCSE Ensuring data protection questions with full explanations on every answer.

92 questions


PCSE Domains

- Configuring network security
- Configuring access within a cloud solution environment
- Ensuring data protection
- Managing operations in a cloud solution environment
- Supporting compliance requirements


All PCSE Ensuring data protection questions (92)


1

A company stores sensitive customer data in Cloud Storage. They want to ensure that data is encrypted at rest using customer-managed encryption keys (CMEK) and that access to the key is audited. Which approach should they use?

2

A security engineer needs to protect sensitive data in BigQuery. The data includes columns with personally identifiable information (PII). They want to automatically mask PII data for users with the role 'analyst' but allow full access for 'admin' users. Which approach should they use?

3

A company is using Cloud SQL for MySQL to store financial data. They need to ensure that all data is encrypted at rest and in transit. What should they do?

4

A company is migrating on-premises data to Cloud Storage. They have regulatory requirements to encrypt data using keys managed by their on-premises hardware security module (HSM). Which solution should they use?

5

A company has a Cloud Storage bucket containing sensitive data. They want to ensure that only users with specific IAM roles can access the bucket, and that access is logged for audit purposes. They also want to prevent public access. Which configuration steps should they take?

6

A company is using Cloud Data Loss Prevention (DLP) to inspect and de-identify sensitive data in Cloud Storage. They want to classify data using infoTypes and apply de-identification techniques. Which TWO actions should they take?

7

A company uses BigQuery to store sensitive data and wants to implement data masking using policy tags. They have three user groups: data_engineers (full access), data_analysts (masked PII), and data_scientists (masked financial data). Which THREE steps should they take?

8

A security engineer runs the command in the exhibit. The command fails with an error: 'Permission denied: cryptoKeyVersions.encrypt'. What is the most likely cause?

9

A security engineer reviews the IAM policy for a Cloud Storage bucket as shown in the exhibit. Alice reports that she cannot upload objects to the bucket, while Bob can view objects. What is the most likely issue?

10

A company stores sensitive customer data in Cloud Storage and uses CMEK with Cloud KMS. They want to ensure that data in transit to the storage bucket is always encrypted using TLS 1.2 or higher. Which configuration should they implement?

11

A healthcare organization stores PHI in BigQuery tables with row-level access policies. They need to ensure that data is automatically de-identified when exported to Cloud Storage for analytics. What is the most scalable solution with minimal manual intervention?

12

A company uses Cloud KMS to protect encryption keys for their Cloud SQL databases. They want to rotate keys every 30 days and ensure that old keys are retained for at least 90 days. What is the recommended approach?

13

Which TWO actions should a security engineer take to protect sensitive data in Cloud Storage buckets from accidental public exposure? (Choose two.)

14

Which THREE steps are required to implement field-level encryption for sensitive columns in a Cloud SQL for PostgreSQL database using Cloud KMS? (Choose three.)

15

Refer to the exhibit. A security engineer runs this command to check bucket permissions. What is the most significant security issue?

16

You are a security engineer for a healthcare organization. You need to protect sensitive patient data stored in Cloud Storage. You want to ensure that data is encrypted at rest using a customer-managed key (CMEK) and that access to the key is logged. You also need to prevent data exfiltration by limiting which service accounts can decrypt data. Which TWO steps should you take? (Choose two.)

17

Refer to the exhibit. You are analyzing the IAM policy for a project. You need to ensure that only authenticated users can access objects in bucket1 under the prefix "reports/". Which of the following statements is correct?

18

Your company runs a data analytics platform on Google Cloud that processes sensitive financial data. Data is ingested from various sources into a Cloud Storage bucket, then processed by Dataflow jobs, and final results are stored in BigQuery. You have implemented the following security controls:
- VPC Service Controls perimeter around the project
- Cloud KMS CMEK for all storage services
- IAM conditions restricting access based on tags
- Cloud Audit Logs enabled for all services

Recently, an auditor discovered that a compromised service account was able to read data from the Cloud Storage bucket even though it was outside the VPC Service Controls perimeter. The auditor reviewed the logs and found that the access came from a Compute Engine instance that was running within the same project. What is the most likely reason the VPC Service Controls perimeter did not block this access?

19

Drag and drop the steps to rotate a customer-managed encryption key (CMEK) in Cloud KMS in the correct order.

20

Drag and drop the steps to configure a security scanner to scan a web application in the correct order.

21

Match each CVE or security concept to its description.

22

Match each access control mechanism to its description.

23

A company stores sensitive customer data in Cloud Storage. They want to ensure that only users with explicit IAM permissions can decrypt the data, and that Google does not have access to the encryption keys. Which encryption option should they use?

24

A security engineer needs to audit all attempts to access a Cloud Storage bucket, including successful and failed attempts. Which logging option should they enable?

25

An organization wants to prevent data exfiltration from a Google Cloud project by restricting the copying of data from Cloud Storage to external IPs. Which Google Cloud service should they use?

26

A company uses BigQuery to store analytics data. They need to restrict access to specific rows based on the user's department. What should they implement?

27

A financial institution uses Cloud KMS to manage encryption keys. They want to ensure that key material is never exported from the KMS service. Which key protection method should they use?

28

A healthcare organization stores Protected Health Information (PHI) in Cloud Storage. They need to de-identify data before sharing it with researchers. Which service should they use?

29

A company uses Cloud SQL for MySQL with automated backups. They want to ensure that backup data is encrypted with a key that they manage and rotate on a schedule, separate from the primary database encryption. What should they do?

30

An organization uses BigQuery with column-level security. They have a column containing social security numbers (SSNs) that should only be visible to users with the 'PII_Viewer' role. How should they configure this?

31

A company uses Cloud Storage with CMEK. The Cloud KMS key is disabled accidentally by an administrator. What will happen to existing objects encrypted with that key?

32

A security engineer is designing data protection for Cloud Storage. Which TWO methods can be used to enforce encryption at rest for objects? (Choose TWO.)

33

A company is implementing data loss prevention (DLP) for BigQuery. Which THREE capabilities are provided by Cloud DLP? (Choose THREE.)

34

An organization wants to ensure that only compute instances in a specific VPC can access a Cloud Storage bucket. They also want to prevent the bucket data from being downloaded to an external IP. Which TWO services should they combine? (Choose TWO.)

35

Refer to the exhibit. A security engineer runs the following command to check encryption settings on a Cloud Storage bucket. What does the output indicate about encryption?

36

Refer to the exhibit. A security engineer runs the following IAM policy command for a Cloud Storage bucket. What access do the bindings grant?

37

Refer to the exhibit. A security administrator is troubleshooting why a user cannot access a BigQuery dataset. The user analyst@example.com is not a member of data-team@example.com. The user is trying to query a table in the dataset. What is the most likely reason for the denial?

38

A financial institution wants to encrypt data in Cloud Storage using keys that they rotate monthly through Cloud KMS. Which key management option should they use?

39

A multinational corporation is required to protect sensitive data in BigQuery using column-level encryption. They want to use a customer-managed key stored in Cloud KMS. What is the correct approach?

40

A company uses Cloud SQL for PostgreSQL with CMEK. They need to ensure that the Cloud SQL instance can only be accessed by authorized compute resources that have the correct IAM permissions to decrypt the data. What additional configuration is required to enforce access control?

41

A developer accidentally committed a file containing a service account key to a public GitHub repository. Which action should be taken immediately to invalidate the compromised key?

42

You want to encrypt data in Google Cloud Storage using a key that is managed and stored in a third-party key management system outside of Google Cloud. Which feature should you use?

43

A company uses Cloud KMS to protect encryption keys for various applications. They need to ensure that keys are automatically rotated every 90 days and that the rotation does not require re-encrypting all data. Which key type and rotation strategy should they use?

44

An organization uses Cloud DLP to inspect BigQuery tables for sensitive data. They want to automatically remove credit card numbers before the data is accessed by analysts but still allow the raw data for auditing purposes. Which DLP technique should they use?

45

A company is deploying a microservices architecture on Google Kubernetes Engine (GKE). They need to securely store and access database credentials, API keys, and other secrets. They want to avoid storing secrets in plaintext in the container image or Kubernetes manifests. Which solution should they use?

46

A healthcare organization is designing a data pipeline that ingests patient health records into Cloud Storage, then processes them with Dataflow for analytics. They must ensure that data is encrypted at rest and in transit, and that only authorized users can access the raw data. They also need to guarantee that the encryption keys are stored outside of Google Cloud. Which solution meets all requirements?

47

Which two Cloud Storage encryption options allow the customer to supply or manage the encryption keys? (Choose two.)

48

Which three actions help protect Cloud KMS key material? (Choose three.)

49

Which two are best practices for managing secrets in Secret Manager? (Choose two.)

50

Refer to the exhibit. A security engineer has created this IAM policy for a Cloud KMS key. The service account my-sa is used by a Compute Engine VM to encrypt data before storing it in Cloud Storage. User alice needs to decrypt the data for analysis. Which statement is true?

51

Refer to the exhibit. Based on the exhibit, the corporate security policy requires that all Cloud KMS symmetric keys have automatic rotation enabled. Which statement is true?

52

Refer to the exhibit. A security engineer needs to ensure that all objects uploaded to the bucket are automatically encrypted with the specified KMS key. They also need to preserve older versions of objects. Which statement accurately describes the bucket configuration?

53

A company wants to ensure that all data stored in Cloud Storage buckets is encrypted with a customer-managed key (CMEK) that is managed in Cloud KMS. The security team requires that only authorized applications can access the key. Which configuration step should be taken to achieve this?

54

A company uses Cloud Data Loss Prevention (DLP) to inspect sensitive data in Cloud Storage. They want to automatically redact credit card numbers found in text files before the files are accessed by downstream applications. Which DLP method should be used?

55

A multinational organization must store customer data only in specific geographic regions to comply with data residency regulations. They use Cloud Spanner for their primary database. What should they do to enforce that data is stored only in approved regions?

56

A security engineer needs to encrypt data at rest in Cloud Storage using a key that is not managed by Google Cloud. The key must be stored on-premises and provided with each API call for data access. Which encryption approach should be used?

57

A company uses VPC Service Controls to protect data in BigQuery and Cloud Storage. They need to allow a third-party application running outside the service perimeter to query BigQuery datasets within the perimeter. What should they configure?

58

A financial institution uses Cloud HSM to protect cryptographic keys used for signing sensitive transactions. They want to ensure that keys are never exportable and that key usage is logged. Which key type should they create in Cloud HSM?

59

An organization uses Cloud DLP to scan a Cloud SQL database for PII. They want to automatically pseudonymize email addresses found in a specific column using a deterministic encryption that can be reversed for authorized users. The key must be stored in Cloud KMS. Which DLP transformation should they configure?

60

A security team has a Cloud KMS key used for encrypting Cloud Storage objects. They need to ensure that when the key is rotated, old data remains decryptable without manual re-encryption. They also want to minimize the number of key versions. Which approach should they take?

61

A company needs to meet a regulatory requirement that cryptographic keys for data at rest in Google Cloud must be managed in an on-premises HSM and never leave the HSM. Google Cloud services should be able to use those keys for encryption/decryption. Which solution should they implement?

62

Which TWO of the following are valid methods to protect data in transit between on-premises and Google Cloud using Cloud VPN?

63

Which THREE of the following are best practices for using Cloud DLP to protect sensitive data in BigQuery?

64

A company is implementing confidential VMs with Shielded VM and data encryption. Which two actions must be taken to ensure data protection for confidential compute workloads?

65

Refer to the exhibit. A security engineer sees this configuration for a Cloud Storage bucket. What does this indicate about the encryption of objects in this bucket?

66

Refer to the exhibit. A security engineer is reviewing a Cloud KMS key. What can be concluded about this key?

67

Refer to the exhibit. An auditor notices this log entry. Which of the following is true about this event?

68

A company wants to ensure that all data stored in Cloud Storage buckets is encrypted at rest using a customer-managed key that is automatically rotated every 90 days. What should they do?

69

A multinational organization must ensure that data for European users is stored only within the European Union to comply with GDPR. They use Cloud Storage and BigQuery. Which design should they implement?

70

A security engineer needs to configure Cloud KMS key rotation so that existing ciphertext can still be decrypted with old key versions, but new encryption uses the latest version. Which key management practice meets this requirement?

71

A retail company hosts an e-commerce website on Compute Engine behind an HTTPS load balancer. They want to encrypt traffic between the load balancer and backend instances. What should they do?

72

A healthcare organization ingests patient data into Cloud Storage and then processes it with Dataflow. They need to de-identify sensitive fields like Social Security numbers before storing in BigQuery. Which approach should they use?

73

A financial services company wants to ensure that Google Cloud staff cannot access their encryption keys or the plaintext data. They must meet regulatory requirements for data sovereignty. Which combination of services should they use?

74

A small business stores backup archives in Cloud Storage and wants to encrypt them at rest using a key that is automatically rotated annually. They do not want to manage key material themselves. Which encryption option should they use?

75

A company uses Cloud Functions to process employee data and wants to ensure that personally identifiable information (PII) is redacted from log output. Which approach should they take?

76

A company must comply with PCI DSS requirements that mandate the use of a hardware security module (HSM) for key storage. They plan to use Cloud KMS for key management. Which implementation meets compliance?

77

Which TWO options are required to use Cloud DLP to successfully inspect data in a Cloud Storage bucket?

78

Which THREE are best practices for managing encryption keys in Google Cloud?

79

Which THREE Google Cloud services can encrypt data at rest?

80

Refer to the exhibit. The security team created this key for encrypting database backups. After an audit, they found that data encrypted before May 1, 2023, cannot be decrypted. What is the most likely cause?

81

A global e-commerce company uses Google Cloud to host its platform. They store customer payment data in Cloud SQL and use Cloud Storage for backups. Currently, they rely on Google-managed encryption keys. A new compliance requirement mandates that all encryption keys must be stored in a hardware security module (HSM) and rotated every 30 days. Additionally, they need to retain backup data for 7 years, during which the keys used to encrypt the backups must be available for decryption. They have created a Cloud HSM key ring and a key with a rotation period of 2592000 seconds (30 days). After configuring Cloud SQL and Cloud Storage to use the Cloud HSM key, they notice that backups older than 30 days cannot be decrypted. The company's security engineer verified that the key versions are still present. What is the most likely cause and how should it be resolved?

82

A healthcare startup is building a data pipeline on Google Cloud. They receive patient data via a REST API running on Cloud Run. The data includes sensitive health information that must be de-identified before being stored in BigQuery. They plan to use Cloud DLP to inspect and transform the data. However, due to latency requirements, they need to de-identify the data within 5 seconds of receiving the request. They have set up a Cloud DLP job to inspect the data synchronously using the DLP API. During testing, they notice that the de-identification sometimes takes over 10 seconds, causing API timeouts. They want to reduce the latency without compromising security. What should they do?

83

A financial services company uses Cloud Storage to store sensitive customer data. They want to encrypt this data at rest using customer-managed encryption keys (CMEK) and automate key rotation every 90 days. Which approach should they take?

84

A healthcare organization needs to redact Social Security Numbers (SSNs) from patient records stored in Cloud Storage before sharing them with a research partner. They plan to use Cloud DLP. Which TWO actions should they take to configure the DLP job correctly? (Choose two.)

85

A large enterprise runs analytics workloads on BigQuery containing sensitive financial data. They have implemented VPC Service Controls (VPC SC) to create a perimeter around the BigQuery dataset, allowing access only from a specific VPC network. Despite this, security auditors discovered that data was accessed from an IP address outside the perimeter. After investigation, they found the access originated from a user's personal laptop using the Google Cloud Console. The company's security policy requires that sensitive data can only be accessed from corporate-managed devices. What should they do to prevent this type of access?

86

A company runs a containerized application on Google Kubernetes Engine (GKE) that reads from a Cloud Storage bucket encrypted with a customer-managed key (CMEK) in Cloud KMS. The application uses a dedicated Google service account with the roles/storage.objectViewer role and a Cloud KMS CryptoKey Decrypter binding on the key. After a scheduled key rotation, the application started receiving '403 Access Denied' errors when accessing objects. The Cloud KMS key has multiple versions. The service account's IAM permissions have not changed. What is the most likely cause and the appropriate fix?

87

A large enterprise is using Cloud Data Loss Prevention (DLP) to inspect a Cloud Storage bucket containing millions of files for sensitive data like credit card numbers and health information. The DLP inspection job is configured to scan the entire bucket with a schedule. Recently, the job has been failing with a 'Quota exceeded' error for the DLP inspect requests quota. The team needs to continue inspecting all files without increasing the quota limit, as the quota increase request would take weeks. They cannot skip any files due to compliance requirements. What should they do to work around the quota limit while inspecting all files?

88

A development team uses Cloud Secret Manager to store database credentials for an application running on Compute Engine. The application reads the secret using the Secret Manager API. After the team rotates the secret by adding a new version and setting it as the latest, the application continues to use the old secret version and fails to authenticate. The application is configured to fetch the secret with version 'latest' at startup. The team checks that the Compute Engine service account has the roles/secretmanager.secretAccessor role on the secret. What is the most likely cause of the issue?

89

A company runs a Cloud SQL for PostgreSQL instance that stores customer data. They must encrypt the database at rest using customer-managed encryption keys (CMEK) to meet regulatory requirements. The instance is currently using Google-managed encryption. What must they do to implement CMEK? The company wants to minimize downtime and avoid data loss.

90

Alice has the role roles/storage.objectAdmin on the bucket my-bucket via the IAM policy shown. She is unable to access the object gs://my-bucket/reports/data.csv. What is the most likely reason?

91

A company wants to encrypt data at rest in Cloud SQL. Which TWO methods are supported? (Choose TWO.)

92

A company operates a hybrid cloud environment with on-premises data centers and Google Cloud Platform. They store sensitive customer data in Cloud Storage buckets and use Data Loss Prevention (DLP) to scan for and inspect sensitive content. They have automated DLP inspection jobs that run periodically, but they want to automatically redact sensitive data (e.g., Social Security numbers) in any new object as soon as it is written to a specific bucket. The redacted version should replace the original object in the same bucket. Which of the following is the most effective and recommended approach?


Frequently asked questions

What does the Ensuring data protection domain cover on the PCSE exam?

The Ensuring data protection domain covers the key concepts tested in this area of the PCSE exam blueprint published by Google Cloud. Courseiva provides free domain-focused practice, mock exams, missed-question review, and readiness tracking across all PCSE domains — no account required.

How many Ensuring data protection questions are in the PCSE question bank?

The Courseiva PCSE question bank contains 92 questions in the Ensuring data protection domain. Click any question to see the full explanation and answer breakdown.

What is the best way to practice Ensuring data protection for PCSE?

Start with a 10-question focused session to identify your baseline accuracy in this domain. Read every explanation — even for questions you answer correctly — to understand the reasoning. Once you score consistently above 80%, move to a 20–30 question session to confirm depth before moving to the next domain.

Can I practice only Ensuring data protection questions for PCSE?

Yes — the session launcher on this page draws questions exclusively from the Ensuring data protection domain. Choose 10, 20, 30, or 50 questions for a focused session, or click individual questions to review them one by one.
