Practice PCSE Ensuring Data Protection questions with full explanations on every answer.
1. A security engineer needs to ensure that all customer data stored in Cloud Storage is encrypted at rest using keys that the organization manages and rotates itself. Which encryption option should they use?
2. A company uses Cloud KMS with a key purpose of ENCRYPT_DECRYPT. They need to rotate the key automatically every 30 days. What must they configure?
3. Which Google Cloud service provides near-real-time logs when Google administrators access your customer content?
4. A company stores API keys in Secret Manager. They want to automatically rotate the secret every 60 days and have a Cloud Function triggered after each rotation to update dependent services. What is the correct approach?
5. A company has a Cloud Storage bucket containing CSV files with sensitive data. They want to use Cloud DLP to scan the files for personally identifiable information (PII) and automatically redact (replace) any detected credit card numbers before the data is used by downstream analytics. What type of job should they create?
6. An organization needs to enforce that all new Cloud Storage buckets are created only in the europe-west1 region to meet data residency requirements. Which method should they use?
7. A financial services company uses BigQuery for analytics and needs to implement column-level security such that users with the role 'data_scientist' can see the last four digits of credit card numbers, while the full number is visible only to 'data_owner'. What approach should they use?
8. A company wants to use Cloud KMS with a key that is protected by a Hardware Security Module (HSM) and meets FIPS 140-2 Level 3. Which key type should they create in Cloud KMS?
9. What is the purpose of the Cloud DLP InfoType detector CREDIT_CARD_NUMBER?
10. A company uses Customer-Supplied Encryption Keys (CSEK) for Compute Engine persistent disks. They want to ensure that Google does not store the key material. What must they do?
11. An engineer needs to destroy a Cloud KMS key immediately due to a security incident. They disable the key and then schedule destruction. What is the default waiting period before the key is permanently destroyed?
12. A company uses Assured Workloads to meet FedRAMP High compliance in the US. They need to ensure that data cannot be moved outside the US region. Which control should they use?
13. A security engineer wants to ensure that sensitive data in BigQuery is masked for analysts but visible in full to data stewards. Which two components must be used together? (Choose TWO.)
14. A company wants to implement automatic de-identification of sensitive data stored in Cloud Storage using Cloud DLP. They need to scan new objects as they are uploaded and apply a transformation to remove credit card numbers. Which three resources must they create? (Choose THREE.)
15. Which two statements correctly describe Cloud KMS key versions? (Choose TWO.)
16. An organization wants to encrypt data at rest using customer-managed keys on Compute Engine persistent disks. They need to provide the key material with each API call, and Google should never store the key. Which encryption approach should they use?
17. A security engineer wants to automatically rotate a database password stored in Secret Manager every 30 days. The new password should be generated and stored in Secret Manager without manual intervention. Which approach meets these requirements?
18. A healthcare company stores patient data in BigQuery and needs to mask sensitive columns like SSN and email for analysts who do not need to see the actual values. They want to apply consistent masking across queries without modifying the underlying data. Which feature should they use?
19. A company uses Cloud KMS with an HSM key for encryption of sensitive data. The compliance team requires that the key material never leaves the HSM boundary. They plan to use the key for symmetric encryption/decryption. Which key purpose should they specify when creating the key?
20. A data engineer needs to scan a Cloud Storage bucket for personally identifiable information (PII) such as credit card numbers and social security numbers. The scanning must be performed on a schedule (every week). Which GCP service and resource should they use?
21. A financial institution is required to store customer transaction data within the European Union to comply with GDPR data residency requirements. They want to prevent users from creating resources in any region outside the EU. Which organization policy constraint should they use?
22. A company uses Cloud KMS with automatic rotation enabled for a symmetric key. The rotation period is set to 90 days. After 90 days, a new key version is created. The compliance team asks: what happens to data encrypted with the old key version?
23. A security administrator wants to receive near-real-time logs whenever a Google Cloud support engineer accesses their customer content. Which GCP service provides this capability?
24. A company uses Cloud DLP to de-identify a dataset containing customer phone numbers. They need to replace each phone number with a consistently masked value that preserves the format (e.g., XXX-XXX-1234) but cannot be reversed. Which de-identification transform should they use?
25. An organization wants to use a FIPS 140-2 Level 3 validated hardware security module (HSM) to protect encryption keys in Cloud KMS. Which key protection level should they choose when creating a key ring?
26. A security engineer accidentally deleted a Cloud KMS key version. The key version is in the state DESTROY_SCHEDULED. How long does the engineer have to cancel the destruction before the key material is permanently destroyed?
27. A data scientist needs to access a secret stored in Secret Manager from a Compute Engine VM. The VM has the default service account attached. Which IAM role should be granted to the service account to allow reading the secret?
28. A company needs to enforce that all data stored in Cloud Storage and BigQuery is encrypted with customer-managed keys (CMEK). Which TWO actions should they take? (Choose two.)
29. A company uses Cloud DLP to inspect BigQuery tables for sensitive data. They want to automatically de-identify the data before loading it into another BigQuery dataset for analysis. Which THREE components must be configured? (Choose three.)
30. A company needs to meet the EU data boundary requirements for Assured Workloads, ensuring that data processing and storage remain within the European Union. Which TWO configurations are required? (Choose two.)
31. A company wants to encrypt data at rest in Cloud Storage using a key that they manage and rotate periodically. They also need to ensure that the key material is stored in a FIPS 140-2 Level 3 validated HSM. Which encryption option should they use?
32. A security engineer needs to store database credentials and API keys securely in GCP. The solution must support automatic rotation of secrets at a defined schedule and trigger a Cloud Function after each rotation to update dependent applications. Which service should they use?
33. A company uses Cloud DLP to scan a BigQuery table containing customer data. They want to de-identify credit card numbers so that the first 12 digits are masked with 'X' and the last 4 digits remain visible. Which de-identification transform should they use?
34. A security engineer needs to enforce that all new Compute Engine disks are created in a specific geographic region to meet data residency requirements. Which organization policy constraint should they use?
35. A company uses Cloud KMS with a key purpose of ENCRYPT_DECRYPT. They want to rotate the key automatically every 90 days. What must the security engineer configure to achieve this?
36. A company uses CMEK with Cloud HSM to encrypt a BigQuery table. The security engineer accidentally deleted the key in Cloud KMS. The key is now in a 'pending destruction' state with a grace period of 24 hours. Which action should the engineer take to restore the key and avoid data loss?
37. A security engineer needs to ensure that sensitive columns in BigQuery are automatically masked for certain users. For example, the email column should show only the domain for users with a specific role. Which two services must be configured together?
38. A company needs to store sensitive API keys in Secret Manager and ensure that only a specific service account can access the latest version of a secret. Which IAM permission is required for the service account to read the secret value?
39. A company wants to use Cloud DLP to inspect Cloud Storage buckets for phone numbers that match a custom pattern (e.g., +1-XXX-XXX-XXXX). The pattern is not covered by built-in infoTypes. How should the engineer configure the DLP job?
40. A security engineer needs to view logs of Google Cloud support engineers accessing their data to meet compliance requirements. Which GCP feature should they enable?
41. A company wants to enforce that all BigQuery datasets are created in the 'US' multi-region to comply with data residency policies. Which organization policy constraint can achieve this?
42. A company uses Customer-Supplied Encryption Keys (CSEK) for Compute Engine persistent disks. They want to rotate the key used for an existing disk without recreating the disk. What must the engineer do?
43. A security engineer needs to implement de-identification of sensitive data in a Cloud Storage bucket using Cloud DLP. They want to inspect the data for credit card numbers and then replace them with a tokenized value that preserves the format for downstream processing. Which TWO actions should they take? (Choose two.)
44. A company must comply with regulatory requirements that restrict data access by Google Cloud support and engineering staff. They need to log all Google admin access to their data and also require explicit approval before access is granted. Which TWO features should they combine? (Choose two.)
45. A company wants to use Cloud KMS to encrypt data in Cloud Storage with a key that is automatically rotated every 30 days. They also want to ensure that the key material is stored in an HSM. Which TWO resources must they create? (Choose two.)
46. A security engineer wants to encrypt data at rest in Cloud Storage using a key that Google manages but the customer can control the key material. They need to rotate the key automatically every 90 days. Which encryption option should they choose?
47. An organization needs to store API keys and database credentials in a central, auditable service with versioning and IAM access control. Which GCP service should they use?
48. A company uses Cloud DLP to scan a BigQuery table for sensitive data. They want to automatically mask credit card numbers in query results for users who are not data stewards. Which approach should they use?
49. A financial institution must store data in specific EU regions to comply with GDPR. They want to prevent users from creating resources in other regions. Which organization policy should they set?
50. A security engineer needs to audit all administrative actions performed by Google support engineers on their GCP project. Which service provides near-real-time logs of such access?
51. Which Cloud KMS key purpose should be used to encrypt and decrypt data directly?
52. An engineer needs to schedule automatic rotation of a symmetric key in Cloud KMS every 30 days. The key is currently enabled. What should they do?
53. A company uses Cloud HSM to protect their cryptographic keys. They need to ensure that the key material never leaves the HSM. Which key purpose is supported by Cloud HSM keys?
54. A data engineer wants to use Cloud DLP to scan a Cloud Storage bucket for personally identifiable information (PII). Which resource should they create to run this scan?
55. An organization needs to de-identify a BigQuery column containing US Social Security Numbers (SSNs) by replacing them with a consistent token that can be reversed if needed. Which Cloud DLP de-identification transform should they use?
56. A security team wants to automatically rotate a database password stored in Secret Manager every 60 days and notify the operations team when a new version is created. Which approach should they use?
57. What is the default grace period before Cloud KMS permanently destroys a key version that has been scheduled for destruction?
58. A company is subject to ITAR regulations and needs to ensure that all data stored in GCP remains within the United States. They also require FIPS 140-2 Level 3 validation for encryption keys. Which two services should they use together to meet these requirements? (Choose 2)
59. A security engineer needs to enforce column-level masking on a BigQuery table such that: (1) users with role 'data_analyst' see masked values, (2) users with role 'data_scientist' see plaintext values, and (3) the masking is applied automatically without modifying the underlying table. Which three components must they configure? (Choose 3)
60. An organization stores sensitive data in Cloud Storage and wants to use Cloud DLP to automatically scan new objects for PII as they are uploaded. Which two resources are needed? (Choose 2)
61. An organization wants to ensure that all new resources created in Google Cloud are restricted to a specific set of regions to meet data residency requirements. Which policy should they use?
62. A security engineer needs to automatically rotate a database password stored in Secret Manager every 60 days. Which approach meets this requirement with minimal operational overhead?
63. A financial services company must encrypt data at rest in Cloud Storage using keys that are generated and stored on-premises, and Google must never have access to the key material. Which encryption approach should they use?
64. A company is using Cloud DLP to inspect a BigQuery table containing customer PII. They want to redact all credit card numbers found in a column by replacing them with a token that preserves the format (e.g., last 4 digits visible). Which de-identification transform should they use?
65. An organization needs to store API keys for external services. Which Google Cloud service is designed for secure storage of secrets such as API keys, passwords, and certificates?
66. A company wants to enforce that all Compute Engine disk encryption uses keys managed by their own HSM on-premises, with keys provided per API call. Which encryption type should they choose when creating a persistent disk?
67. A security engineer notices that a Cloud KMS key was accidentally deleted. The key had a pending destruction period of 24 hours. What is the maximum time window to recover the key after the deletion request?
68. An organization needs to audit when Google administrators access their customer content stored in GCP. Which service provides near-real-time logs of such access?
69. A data engineer wants to classify columns in BigQuery containing sensitive data like email addresses and apply data masking so that users see only masked values (e.g., 'j***@example.com'). Which feature should they use?
70. A company using Cloud KMS wants to automatically rotate a symmetric encryption key every 90 days. What is the correct way to configure this?
71. A healthcare organization uses Cloud DLP to scan a Cloud Storage bucket containing medical records. They want to inspect for sensitive data such as patient names and SSNs, but only on new objects added after a certain date. Which DLP configuration should they use?
72. An organization needs to store cryptographic keys that must be protected in a FIPS 140-2 Level 3 validated hardware security module (HSM). Which Google Cloud service should they use?
73. A company needs to enforce data residency in the European Union for all GCP resources. Which TWO actions should they take? (Choose two.)
74. A security team wants to ensure that a Cloud KMS key is rotated automatically every 30 days and that previous key versions are available for decryption for at least 6 months. Which THREE steps should they take? (Choose three.)
75. A company wants to use Cloud DLP to de-identify sensitive data in a BigQuery table. They need to replace credit card numbers with a token that preserves the format and also mask email addresses by showing only the first character. Which TWO de-identification transforms should they use? (Choose two.)
76. A security engineer needs to ensure that all customer data stored in Cloud Storage is encrypted using keys that they manage and rotate on a schedule they control. The keys must be stored in a FIPS 140-2 Level 3 validated HSM. Which encryption approach should they use?
77. A company uses BigQuery to store sensitive customer data. They want to restrict access to certain columns (e.g., email and SSN) so that only authorized users see the actual values, while other users see a masked version. Which approach should they use?
78. An organization needs to store API keys and database credentials in a secure, centralized service that supports automatic rotation and integrates with Cloud Functions. The solution must provide fine-grained access control at the secret version level. Which service should they use?
79. A healthcare organization must ensure that Protected Health Information (PHI) stored in Cloud Storage buckets is not inadvertently shared. They want to automatically scan all new objects added to the bucket for sensitive data and log findings. Which approach should they use?
80. A company wants to enforce that all new Cloud Storage buckets are created in only the europe-west1 region. Which organization policy constraint should they use?
81. What is the purpose of Cloud HSM?
82. A security engineer wants to enable Access Transparency for their organization. After enabling it in the Admin Console, they notice that some access logs are missing. What is the most likely reason?
83. An engineer needs to configure automatic key rotation for a symmetric encryption key in Cloud KMS. They have set the rotation period to 90 days. What happens to the old key material after rotation?
84. Which Cloud DLP transform should be used to replace sensitive data with a token that preserves the format and length of the original data for reversible de-identification?
85. After deleting a Cloud KMS key version, an engineer receives an error when trying to decrypt data that was encrypted with that key version. The key version was deleted 12 hours ago. What is the most likely cause?
86. A company uses Cloud DLP to inspect BigQuery tables for sensitive data. They want to automatically de-identify the data as it is inserted into a new table using a DLP de-identification template. Which approach should they use?
87. An organization needs to comply with ITAR regulations. They want to ensure that all data processed by their GCP resources remains within the United States. Which service should they use?
88. A company wants to automatically rotate secrets stored in Secret Manager every 30 days. They have set up a Pub/Sub topic and a Cloud Function to perform the rotation. Which TWO actions are required to complete the configuration? (Choose two.)
89. A security engineer is designing a data residency strategy for a healthcare organization that must keep all data within the European Union. They plan to use Assured Workloads to meet this requirement. Which THREE additional controls should they implement to further enforce data residency and protect data? (Choose three.)
90. A company is using Cloud KMS with software keys for encryption. They want to increase security by using an HSM backend without changing their existing key rings or key names. Which TWO steps should they take? (Choose two.)
91. A security engineer needs to ensure that all data stored in Cloud Storage buckets and BigQuery tables is encrypted at rest using keys that the organization generates and manages on-premises. The keys must not be stored by Google. Which key management approach should they use?
92. A company uses Cloud KMS to manage encryption keys for data at rest. They want to automatically rotate a symmetric key every 90 days. The key is used to encrypt Cloud Storage objects and BigQuery tables. What is the correct approach to achieve automatic rotation?
93. An organization stores sensitive customer data in BigQuery tables. They need to enforce column-level security such that users in the 'support' group see a masked version of email addresses (e.g., j***@example.com), while managers see the full email. Which approach should they use?
94. A company must store API keys and database credentials securely in Google Cloud. They need automatic rotation of these secrets every 30 days, with notifications sent to a security team after each rotation. Which services should they use? (Choose TWO).
95. A company is deploying a multi-region application that must store data only within the European Union to comply with GDPR data residency requirements. They also need to ensure that Google Cloud administrators cannot access customer content. Which two controls should they implement? (Choose TWO).
96. A company uses Cloud DLP to inspect data in Cloud Storage and BigQuery for sensitive information such as credit card numbers and social security numbers. They want to de-identify the data using format-preserving encryption (FPE) so that the masked data retains the same format (e.g., a 16-digit number still looks like a credit card number). Which two configurations should they use? (Choose TWO).
97. A company wants to use Cloud KMS to protect sensitive data. They have a requirement that the key material must be stored in a FIPS 140-2 Level 3 validated HSM. They also need to be able to create and use asymmetric keys for signing. Which two steps should they take? (Choose TWO).
98. A company needs to detect and redact sensitive data such as email addresses and phone numbers from documents stored in Cloud Storage. They plan to use Cloud DLP. Which two resources must they create first? (Choose TWO).
99. A company is designing a key destruction process for Cloud KMS. They need to ensure that after a key is destroyed, the ciphertext encrypted with that key becomes permanently undecryptable. They also need to allow a 7-day recovery window in case of accidental destruction. Which three steps should they take? (Choose THREE).
100. A security team needs to monitor and log all Google Cloud administrator access to customer data stored in Cloud Storage and BigQuery. They want to receive near-real-time alerts when such access occurs. Which two services should they use together? (Choose TWO).
The Ensuring Data Protection domain covers the key concepts tested in this area of the PCSE exam blueprint published by Google Cloud. Courseiva provides free domain-focused practice, mock exams, missed-question review, and readiness tracking across all PCSE domains — no account required.
The Courseiva PCSE question bank contains 100 questions in the Ensuring Data Protection domain. Click any question to see the full explanation and answer breakdown.
Start with a 10-question focused session to identify your baseline accuracy in this domain. Read every explanation — even for questions you answer correctly — to understand the reasoning. Once you score consistently above 80%, move to a 20–30 question session to confirm depth before moving to the next domain.
Yes — the session launcher on this page draws questions exclusively from the Ensuring Data Protection domain. Choose 10, 20, 30, or 50 questions for a focused session, or click individual questions to review them one by one.