PCSE Supporting compliance requirements • Complete Question Bank

PCSE Supporting compliance requirements — All Questions With Answers

Complete PCSE Supporting compliance requirements question bank — all 0 questions with answers and detailed explanations.

108 Questions
Question 1 (easy, multiple choice)

A company needs to retain audit logs for 7 years to meet regulatory compliance. They are using Cloud Logging. Which log storage strategy should they use to minimize costs while meeting the requirement?

Question 2 (medium, multiple choice)

A healthcare organization must ensure that only authorized personnel can access Protected Health Information (PHI) stored in Cloud Storage. They need to enforce encryption at rest and control access based on data classification. Which combination of Google Cloud services should they use?

Question 3 (hard, multiple choice)

A financial services company is deploying a multi-region application on Google Kubernetes Engine (GKE) and needs to comply with PCI DSS. They must ensure that cardholder data is encrypted in transit between pods in different clusters. What is the MOST secure way to achieve this?

Question 4 (easy, multiple choice)

A company must implement data residency requirements that prohibit storing data outside the European Union. They are using Cloud Bigtable and need to ensure that backups are also stored within the EU. Which configuration should they choose?

Question 5 (medium, multi select)

A company is migrating to Google Cloud and needs to comply with the Health Insurance Portability and Accountability Act (HIPAA). They plan to use Cloud SQL for MySQL and Cloud Storage. Which TWO actions must they take to ensure HIPAA compliance?

Question 6 (hard, multi select)

A company needs to comply with the General Data Protection Regulation (GDPR). They are using BigQuery to store personal data. Which THREE measures should they implement to meet GDPR requirements?

Question 7 (medium, multiple choice)

Your company, a global e-commerce platform, must comply with the PCI DSS requirement to secure cardholder data. You have a multi-cloud environment with workloads on Google Cloud and AWS. The Google Cloud environment consists of Compute Engine instances that process credit card transactions, and a Cloud SQL for MySQL database that stores encrypted cardholder data. The security team requires that only specific service accounts can connect to the database, and all connections must be encrypted. Additionally, you need to ensure that the database is not publicly accessible and that all access is logged. You have configured the Cloud SQL instance with a private IP and enabled SSL/TLS. However, a recent audit revealed that a Compute Engine instance with a public IP and no service account was able to connect to the database and execute queries. The instance was not authorized in the Cloud SQL authorized networks. What is the most likely cause of this security gap, and what should you do to prevent it?

Question 8 (medium, multiple choice)

A financial services company must ensure that all data stored in Cloud Storage is encrypted with customer-managed encryption keys (CMEK) that are rotated every 90 days. They have enabled Organization Policy constraints to enforce CMEK. However, some new buckets are still being created without CMEK. What is the most likely cause?

Question 9 (hard, multiple choice)

A healthcare organization uses BigQuery to store patient data with column-level encryption using CMEK. They need to ensure that data is encrypted at rest and in transit, and that only authorized users can query specific columns. Which combination of controls should they use?

Question 10 (easy, multiple choice)

A company wants to use Cloud Armor to block traffic from specific countries to comply with data sovereignty requirements. They have a global HTTP Load Balancer configured. Where should they configure the Cloud Armor policy?

Question 11 (hard, multiple choice)

A Cloud Run service is failing to access a secret from Secret Manager. The service account used by Cloud Run has the roles/secretmanager.secretAccessor role. What is the most likely cause of the error?

Exhibit

Refer to the exhibit.

Error log from a Cloud Run service:
```
{
  "severity": "ERROR",
  "message": "Failed to access Secret Manager secret 'projects/my-project/secrets/my-api-key/versions/latest'.",
  "service": "my-service",
  "reason": "Permission denied on resource 'projects/my-project/secrets/my-api-key/versions/latest'"
}
```

Question 12 (easy, multiple choice)

A company must ensure that all Compute Engine instances use only approved images from a specific project. They want to enforce this using Organization Policy. Which constraint should they use?

Question 13 (medium, multi select)

A company wants to audit all changes to IAM policies in their organization. They need to set up logging to capture these changes. Which TWO steps should they take? (Choose TWO.)

Question 14 (hard, multi select)

A company is implementing a data retention policy for Cloud Storage buckets. They need to ensure that objects cannot be deleted before a specified retention period. Which THREE features can they use? (Choose THREE.)

Question 15 (medium, multiple choice)

A security engineer is using Cloud Asset Inventory to find all Compute Engine instances that are not labeled with a 'compliance' label. Based on the exhibit, which instance(s) are missing the compliance label?

Network Topology
Refer to the exhibit.

```
$ gcloud asset search-all-resources --scope=organizations/123456789012 --asset-types='compute.googleapis.com/Instance'
```

Output from gcloud command:
```
name: //compute.googleapis.com/projects/my-project/zones/us-central1-a/instances/instance-1
assetType: compute.googleapis.com/Instance
project: projects/123456789012
ancestors: ["organizations/123456789012", "folders/456", "projects/123456789012"]
labels:
  env: production
  compliance: hipaa

name: //compute.googleapis.com/projects/other-project/zones/us-central1-a/instances/instance-2
assetType: compute.googleapis.com/Instance
project: projects/987654321098
ancestors: ["organizations/123456789012", "folders/789", "projects/987654321098"]
labels:
  env: dev
```

Question 16 (hard, multiple choice)

A company uses Cloud SQL for MySQL and needs to automate the rotation of database user passwords every 30 days. They want to store the passwords in Secret Manager and have the application retrieve them at runtime. The application runs on Compute Engine. What is the most secure way to allow the Compute Engine instances to access the secrets?

Question 17 (medium, multiple choice)

A financial services company must store customer transaction records for 7 years to comply with SEC regulations. They currently use Cloud Storage with a lifecycle rule that deletes objects after 365 days. The compliance team needs to ensure that records are immutable and cannot be deleted or modified before the retention period expires. What should the security engineer do?

Question 18 (hard, multiple choice)

A healthcare organization is migrating sensitive patient data to Google Cloud and must comply with HIPAA. They plan to use Cloud SQL for MySQL with CMEK for encryption at rest. The security team is concerned about key management and access logging. Which additional measure should be implemented to meet HIPAA audit requirements?

Question 19 (hard, multi select)

A global e-commerce company must comply with GDPR and CCPA. They use BigQuery to store customer data and need to ensure that when a user requests data deletion, all copies are deleted within 30 days. Additionally, they want to minimize storage costs. Which TWO actions should they take?

Question 20 (easy, multiple choice)

A company has a single Google Cloud project with multiple VPC networks. They need to comply with PCI DSS requirement 1.3.2, which restricts inbound and outbound traffic to only what is necessary. They have a web application running on Compute Engine instances in a VPC with a public subnet and a private subnet. The web servers in the public subnet need to communicate with database servers in the private subnet. Currently, the security engineer has configured firewall rules to allow HTTP/HTTPS traffic from the internet to the web servers, and allow all traffic from the public subnet to the private subnet. The auditor flags that the rule allowing all traffic from the public subnet to the private subnet is too permissive. What should the security engineer do to meet the requirement while maintaining functionality?

Question 21 (hard, multi select)

A financial services company must ensure that its Google Cloud environment complies with PCI DSS. The security team needs to implement controls to protect cardholder data. Which TWO measures should they implement? (Choose TWO.)

Question 22 (medium, multiple choice)

Refer to the exhibit. A security engineer runs the gcloud command to analyze IAM policy for a user in an organization. The output shows that the user has the 'compute.instances.create' permission via a role at the organization level. However, the user is unable to create Compute Engine instances in a specific project. What is the most likely cause?

Network Topology
Refer to the exhibit.

```
gcloud asset analyze-iam-policy --project=my-project \
  --organization=123456789012 \
  --resource='//cloudresourcemanager.googleapis.com/projects/123456789012' \
  --identity='user:alice@example.com' \
  --permissions='compute.instances.create'
```

Question 23 (easy, multiple choice)

A healthcare organization is migrating applications to Google Cloud and must comply with HIPAA. They plan to store protected health information (PHI) in Cloud Storage and BigQuery. The security engineer needs to ensure that all access to PHI is logged and that the data is encrypted at rest with customer-managed keys. The organization also requires that any audit logs containing PHI are stored in a separate project with restricted access. Which course of action meets all requirements?

Question 24 (medium, drag order)

Drag and drop the steps to configure a Cloud NAT for private VM instances in the correct order.

Question 25 (medium, drag order)

Drag and drop the steps to set up IAM conditions for a service account in the correct order.

Question 26 (medium, matching)

Match each Cloud KMS key purpose to its description.

Concepts
Matches

Same key for encrypt and decrypt

Public key encrypt, private key decrypt

Private key signs, public key verifies

Periodically generate new key material

Bring your own key (BYOK) into Cloud KMS

Question 27 (medium, matching)

Match each compliance framework to its focus area.

Concepts
Matches

Payment card data security

Protected health information privacy and security

Service organization controls for security, availability, etc.

Cloud security for U.S. federal agencies

Information security management system standard

Question 28 (easy, multiple choice)

A healthcare organization must store protected health information (PHI) in Google Cloud and ensure compliance with HIPAA. They need to prevent data from being stored outside the United States. Which Google Cloud product should they use to enforce this requirement?

Question 29 (medium, multiple choice)

A financial services company is required to retain audit logs for at least 7 years to comply with PCI-DSS. They have enabled Data Access audit logs for Cloud Audit Logs. However, after 6 months they notice that older logs are being automatically deleted. What is the most likely cause?

Question 30 (hard, multiple choice)

A multi-national company needs to ensure that customer data stored in BigQuery is encrypted with customer-managed encryption keys (CMEK) and that the keys are rotated every 90 days. Additionally, the company must be able to audit all key usage. Which steps are required to implement this compliance requirement?

Question 31 (easy, multiple choice)

A company is moving sensitive data to Google Cloud and must comply with GDPR data minimization principles. They want to ensure that only the minimum necessary data is collected and processed. Which Google Cloud service should they use to automatically identify and redact sensitive data before storage?

Question 32 (medium, multiple choice)

A government agency requires that all compute resources for a project are physically located in the United States (US) to comply with FedRAMP. The project contains Compute Engine instances, Cloud Storage buckets, and BigQuery datasets. Which configuration ensures that all future resources are created in the US?

Question 33 (hard, multiple choice)

A company is undergoing a SOC 2 audit and needs to demonstrate that access to production data is monitored and that any changes to IAM policies are reviewed. They have enabled Cloud Audit Logs. The auditor asks for a report showing all IAM policy changes in the last 6 months. The security team notices that some older changes are missing. What is the most likely reason?

Question 34 (easy, multiple choice)

A company needs to ensure that all data stored in Cloud Storage is encrypted using a key that is rotated every 30 days. Which encryption option should they choose to meet this requirement with automated rotation?

Question 35 (medium, multiple choice)

A company is deploying a multi-region application in Cloud Run and must comply with data residency requirements in the European Union (EU). They want to ensure that only EU-based Cloud Run instances are created. Which approach should they use?

Question 36 (hard, multiple choice)

A company is using Cloud SQL for MySQL to store customer data subject to SOX compliance. They need to ensure that all database changes are audited and that logs are immutable. They have enabled audit logs and exported them to a Cloud Storage bucket. However, the auditor discovers that some logs were deleted from the bucket. What is the most likely cause?

Question 37 (medium, multi select)

Which TWO actions should be taken to ensure that a Google Cloud environment meets PCI-DSS requirements for protecting cardholder data? (Choose two.)

Question 38 (hard, multi select)

Which THREE steps are necessary to ensure that a Google Cloud project complies with FedRAMP Moderate baseline requirements for access control? (Choose three.)

Question 39 (medium, multi select)

Which TWO configurations are required to use Customer-Managed Encryption Keys (CMEK) with Cloud Storage to meet a compliance requirement that keys must be rotated every 30 days? (Choose two.)

Question 40 (medium, multiple choice)

A healthcare organization is migrating to Google Cloud and needs to ensure that all data stored in Cloud Storage is encrypted at rest with customer-managed encryption keys (CMEK) to meet HIPAA requirements. The security team wants to centrally manage key rotation and access. Which solution should they implement?

Question 41 (hard, multiple choice)

A multinational corporation must comply with GDPR and requires that data stored in BigQuery is physically located in the European Union. They have set up BigQuery datasets in the EU region. However, a compliance audit reveals that some queries may process data in the US region due to BigQuery's multi-region behavior. What should the organization do to ensure data remains in the EU?

Question 42 (easy, multiple choice)

A company is deploying a new application that will process credit card data and must comply with PCI DSS. They plan to use Google Cloud services. Which service should they use to detect and redact sensitive data stored in Cloud Storage buckets?

Question 43 (medium, multiple choice)

An organization uses Assured Workloads for Google Cloud to meet FedRAMP compliance. They have enabled Access Transparency logs. During an audit, they need to provide evidence that Google personnel access was logged and reviewed. What is the primary benefit of using Access Transparency?

Question 44 (hard, multiple choice)

A company is migrating a legacy on-premises application to Google Compute Engine. The application requires a static IP address for compliance with a regulatory requirement that outbound connections to a partner's IP whitelist must originate from a known, fixed IP. The application will run in a managed instance group (MIG) for high availability. Which of the following solutions meets the compliance requirement?

Question 45 (medium, multiple choice)

A financial services company must retain audit logs for seven years to meet regulatory requirements. They are using Cloud Audit Logs. Which strategy should they implement to ensure logs are not deleted or modified during the retention period?

Question 46 (easy, multiple choice)

An organization wants to enforce that all new Cloud Storage buckets are created with uniform bucket-level access enabled to simplify access control and meet compliance requirements. What Google Cloud service should they use to enforce this?

Question 47 (hard, multiple choice)

A government contractor uses Google Cloud with Assured Workloads. They need to ensure that data stored in BigQuery is encrypted with keys generated and stored in a Cloud HSM key ring located in a specific region. The keys must be rotated every 90 days. Which approach meets these requirements?

Question 48 (medium, multiple choice)

A retail company processes customer payment data and must comply with PCI DSS. They use Cloud SQL for database storage. They need to ensure that all database backups are encrypted at rest. What should they do?

Question 49 (hard, multi select)

A company needs to comply with GDPR and must implement data subject access request (DSAR) capabilities. Which TWO Google Cloud services should they use to locate and export personal data across various data stores?

Question 50 (medium, multi select)

A financial institution must meet SOX compliance requirements for audit trail integrity. Which THREE measures should they implement to ensure Cloud Audit Logs are immutable and securely stored?

Question 51 (easy, multi select)

A company is deploying a new application that must comply with HIPAA. They are using Google Cloud services. Which TWO services are required to be enabled with appropriate configurations to support HIPAA compliance?

Question 52 (medium, multiple choice)

A security engineer notices that some developers are still uploading their own public SSH keys to Compute Engine instances despite the organization policy above being applied to the folder. What is the most likely reason?

Exhibit

Refer to the exhibit.

Exhibit: Contents of an organization policy constraint JSON applied to a folder:
```json
{
  "name": "organizations/123456789/policies/iam.disableServiceAccountKeyUpload",
  "spec": {
    "rules": [
      {
        "enforce": true
      }
    ]
  }
}
```

Question 53 (hard, multiple choice)

A compliance officer reviews the Cloud Audit Log entry above and wants to know if any sensitive data was exposed during the instance creation. What is the best course of action?

Exhibit

Refer to the exhibit.

Exhibit: Cloud Audit Log entry (partial):
```json
{
  "logName": "projects/my-project/logs/cloudaudit.googleapis.com%2Factivity",
  "protoPayload": {
    "@type": "type.googleapis.com/google.cloud.audit.AuditLog",
    "authenticationInfo": {
      "principalEmail": "user@example.com"
    },
    "requestMetadata": {
      "callerIp": "203.0.113.5",
      "callerSuppliedUserAgent": "gcloud/363.0.0"
    },
    "serviceName": "compute.googleapis.com",
    "methodName": "v1.compute.instances.insert",
    "resourceName": "projects/my-project/zones/us-central1-a/instances/new-instance",
    "response": {
      "insertId": "abc123"
    },
    "status": {}
  }
}
```

Question 54 (medium, multiple choice)

A security engineer runs the above query in BigQuery and finds a column containing Social Security Numbers (SSNs). They must ensure that all SSNs in the dataset are automatically encrypted at rest using customer-managed keys (CMEK) and also that future queries do not expose SSNs to users without decryption access. Which approach should they take?

Exhibit

Refer to the exhibit.

Exhibit: BigQuery query results:
```sql
SELECT
  column1,
  column2
FROM
  `my-project.my_dataset.my_table`
WHERE
  column1 LIKE '%ssn%'
```

Output: Returns one row with column1 = "SSN: 123-45-6789".

Question 55 (easy, multiple choice)

A company needs to store PII in Google Cloud and comply with GDPR data residency requirements. What is the primary Google Cloud feature to enforce data residency?

Question 56 (easy, multiple choice)

For HIPAA compliance, which Google Cloud product provides a business associate agreement (BAA) and a dedicated environment for protected health information?

Question 57 (easy, multiple choice)

Which Google Cloud audit log captures administrator activity and is enabled by default?

Question 58 (medium, multiple choice)

A financial institution is required to use customer-managed encryption keys (CMEK) for all data at rest in Google Cloud. They need to prevent key deletion by anyone except a specific IAM role. What should they do?

Question 59 (medium, multiple choice)

A company uses Cloud Audit Logs for compliance. They want to capture all data access events to a Cloud Storage bucket containing sensitive data. What must they enable?

Question 60 (medium, multiple choice)

To comply with regulatory requirements, a company needs to prevent service account keys from being created for all projects. What should they use?

Question 61 (hard, multiple choice)

Which method ensures that Cloud Storage logs are encrypted with a key that is managed on-premises?

Question 62 (hard, multiple choice)

For PCI DSS compliance, which of the following is required for Cloud KMS keys?

Question 63 (hard, multiple choice)

A company uses VPC Service Controls to protect sensitive data. They notice that audit logs from a service perimeter are not being exported to a logging bucket inside the same perimeter. What is the likely cause?

Question 64 (easy, multi select)

Which TWO actions help ensure compliance with data residency requirements in Google Cloud? (Choose two.)

Question 65 (medium, multi select)

Which THREE are requirements for HIPAA compliance when using Google Cloud? (Choose three.)

Question 66 (hard, multi select)

Which THREE are capabilities of Assured Workloads? (Choose three.)

Question 67 (medium, multiple choice)

Refer to the exhibit. A compliance auditor reviews the key configuration and finds a potential issue. What is the most likely compliance impact?

Exhibit

Refer to the exhibit.

```json
{
  "name": "projects/my-project/locations/us-central1/keyRings/my-keyring/cryptoKeys/my-key",
  "primary": {
    "state": "ENABLED",
    "createTime": "2024-01-01T00:00:00Z"
  },
  "purpose": "ENCRYPT_DECRYPT",
  "rotationPeriod": null,
  ...
}
```

Question 68 (hard, multiple choice)

Refer to the exhibit. A security engineer reviews this IAM policy. Which compliance requirement does this policy help satisfy?

Exhibit

Refer to the exhibit.

```json
{
  "bindings": [
    {
      "role": "roles/storage.objectViewer",
      "members": ["user:alice@example.com"],
      "condition": {
        "title": "restrict_to_uk",
        "expression": "resource.location.type == 'region' && resource.location.startsWith('europe-west')"
      }
    }
  ]
}
```

Question 69 (medium, multiple choice)

Refer to the exhibit. A compliance officer is reviewing an Access Transparency log entry. Which compliance benefit does this log provide?

Exhibit

Refer to the exhibit.

```json
{
  "insertId": "xxx",
  "logName": "projects/my-project/logs/cloudaudit.googleapis.com%2Faccess_transparency",
  "protoPayload": {
    "methodName": "google.cloud.storage.Storage.GetObject",
    "principalEmail": "system@google.com",
    ...
  }
}
```

Question 70 (easy, multiple choice)

A healthcare company subject to HIPAA must prevent data exfiltration from Google Cloud storage buckets. They already use VPC Service Controls. Which additional control should they configure to directly block unauthorized copying of data to external projects?

Question 71 (easy, multiple choice)

A company needs to meet compliance requirements that mandate they be notified about all actions performed by Google personnel on their data. Which Google Cloud feature should they enable?

Question 72 (easy, multiple choice)

A financial services company must comply with PCI DSS requirements for encryption key management. They want to use Google-managed keys with automatic rotation. Which key management solution should they choose?

Question 73 (medium, multiple choice)

A multinational corporation must store all data subject to GDPR in the European Union. They have multiple projects and want to enforce this at the organization level. Which approach should they use to prevent resource creation outside allowed locations?

Question 74 (medium, multiple choice)

A government agency requires FedRAMP High compliance for their Google Cloud deployment. Which service should they use to create a compliant environment with pre-configured controls?

Question 75 (medium, multiple choice)

A company wants to demonstrate to an auditor that all data access requests to a Cloud Storage bucket are logged, but they must exclude a specific service account from logging to reduce noise. What should they do to remain compliant with their audit policy?

Question 76 (hard, multiple choice)

A company handling credit card information must comply with PCI DSS. They use Cloud KMS with CMEK keys stored in a key ring. During a compliance audit, the auditor asks how keys are protected against unauthorized use by Google. What should the company explain?

Question 77 (hard, multiple choice)

A company needs to respond to a GDPR data subject deletion request for a user's data stored across BigQuery and Cloud Storage. The data must be completely erased upon request. What is the most effective approach to ensure compliance?

Question 78 (hard, multiple choice)

A company uses Forseti Security to monitor their GCP environment for compliance violations. They want to automatically enforce policies that prevent the deployment of resources without required labels. What should they do?

Question 79 (medium, multi select)

A company must enforce that no data can be accessed from outside a specific set of Google Cloud projects. They want to ensure that only authorized services can communicate between projects. Which TWO controls should they implement? (Choose TWO.)

Question 80 (hard, multi select)

A healthcare organization is migrating to Google Cloud and needs to achieve HIPAA compliance. Which THREE actions are required to meet HIPAA requirements on GCP? (Choose THREE.)

Question 81 (easy, multi select)

A company must ensure that all data stored in Google Cloud remains within specific geographic regions to meet data residency regulations. Which TWO methods enforce data location restrictions? (Choose TWO.)

Question 82 (easy, multiple choice)

Refer to the exhibit. A compliance officer sees this Organization Policy applied at the organization level. Which compliance requirement does this policy primarily address?

Exhibit

```json
{
  "constraint": "constraints/gcp.resourceLocations",
  "listPolicy": {
    "allowedValues": ["us-central1", "us-east1"]
  }
}
```

Question 83 (medium, multiple choice)

Refer to the exhibit. A security engineer configured Data Access audit logs for all services. During a compliance audit, the auditor flags this configuration as deficient. What is the most likely reason?

Exhibit

```hcl
audit_config {
  service = "allServices"
  audit_log_configs {
    log_type = "DATA_READ"
    exempted_members = ["serviceAccount:my-service-account@my-project.iam.gserviceaccount.com"]
  }
  audit_log_configs {
    log_type = "DATA_WRITE"
    exempted_members = []
  }
}
```

Question 84 (hard, multiple choice)

Refer to the exhibit. A company configured this VPC Service Controls perimeter for a PCI DSS project. The compliance auditor notes that BigQuery data can be accessed from outside the perimeter. Which change must be made to restrict access to BigQuery?

Exhibit

```json
{
  "name": "projects/123/locations/global/perimeters/pci-perimeter",
  "status": {
    "resources": ["projects/123"],
    "restrictedServices": ["bigquery.googleapis.com"],
    "vpcAccessibleServices": {
      "allowedServices": ["storage.googleapis.com"]
    }
  }
}
```

Question 85 (medium, multiple choice)

A healthcare company must export Cloud Audit Logs to an external SIEM for HIPAA compliance. The logs must be retained for 7 years and be immutable. Which solution meets these requirements with minimal operational overhead?

Question 86 (hard, multiple choice)

A financial institution is subject to GDPR and requires encryption at rest for all data in Cloud Storage. They want to use CMEK but also need to log all key access events. Which combination of services meets both requirements with least effort?

Question 87 (easy, multiple choice)

A company must ensure that only authorized users can access sensitive data in Cloud Storage for PCI DSS compliance. They have configured a bucket with uniform bucket-level access. Which IAM policy should they use to grant access to a security team?

Question 88 (medium, multiple choice)

A multi-national corporation must prevent data exfiltration from a project containing PII for GDPR compliance. They want to restrict access to only allow data transfer within the organization. Which Google Cloud service meets this requirement?

Question 89 (hard, multiple choice)

A gaming company must comply with the Children's Online Privacy Protection Act (COPPA). They use BigQuery to store user data, including age. They want to automatically classify and restrict access to data of users under 13. Which approach should they take?

Question 90 (easy, multiple choice)

A company uses Cloud Audit Logs for compliance and needs to ensure that logs are not tampered with. Which feature should they enable?

Question 91 (medium, multiple choice)

A pharmaceutical company uses Google Cloud to process clinical trial data subject to HIPAA. They must ensure that only authorized applications can access the data, even if credentials are compromised. Which security control should they implement?

Question 92 (easy, multiple choice)

A company needs to meet SOC 2 requirements for change management. They want to log all changes to IAM policies in their Google Cloud organization. What should they do?

Question 93 (hard, multiple choice)

A company is using Forseti for compliance automation. They need to ensure that all Cloud Storage buckets are encrypted with CMEK and that buckets without CMEK are flagged. Which Forseti scanner should they use?

Question 94 (medium, multi select)

Which TWO actions are required to meet FedRAMP Moderate baseline for Google Cloud?

Question 95 (hard, multi select)

Which THREE steps are necessary to meet SOC 2 Type II requirements using Google Cloud?

Question 96 (easy, multi select)

Which TWO organization policies can help enforce compliance with data residency requirements?

Question 97 (hard, multiple choice)

A financial services company is migrating to Google Cloud and needs to meet SOX compliance. They have a production project containing a Cloud SQL instance with financial transactions. They must ensure that all database changes are logged, and logs are immutable for 7 years. They enabled Cloud Audit Logs for Cloud SQL and created a log sink to export Admin Activity logs to Cloud Storage. However, during a quarterly audit, the auditor cannot find logs for some SELECT queries that accessed sensitive columns. The company expected these SELECT queries to appear in audit logs because they enabled Data Access audit logs for Cloud SQL. You discover that the Data Access audit logs were enabled at the project level, but the log sink only exports Admin Activity logs. Additionally, auditors require that logs cannot be deleted before the retention period. What should you do?

Question 98 (medium, multiple choice)

A healthcare startup is using Google Cloud to process Protected Health Information (PHI) for a clinical study. They are HIPAA-compliant and use Cloud Storage with CMEK. They also use BigQuery to run analytics on de-identified data. The security team notices that some PHI data appears in BigQuery query results. Upon investigation, they find that a data engineer created a BigQuery table that directly references the Cloud Storage bucket containing PHI without using the de-identification pipeline. The startup needs to prevent any direct access to Cloud Storage from BigQuery unless it goes through the pipeline. They also need to ensure that any new datasets are automatically subject to the same restrictions. What should they do?

Question 99 (easy, multiple choice)

A company in the EU is moving to Google Cloud and must comply with GDPR data residency requirements. They have users across multiple EU countries and want to ensure that personal data remains within the European Economic Area (EEA). They plan to use Cloud Storage, BigQuery, and Compute Engine. The security administrator sets organization policies to restrict resource locations to europe-west1, europe-west3, and europe-west4. After deploying applications, the compliance team finds that some data is stored in a Cloud Storage bucket in us-central1. Investigation shows that the bucket was created by a developer who manually chose the region. The organization policy seems to have been bypassed. The administrator confirms the policy is active and applied to the project. What is the most likely cause?

Question 100 (medium, multi select)

A multinational corporation must comply with GDPR requirements for storing and processing personal data of EU citizens. The company is using Google Cloud and wants to ensure that data remains within the European Union. Which TWO actions should the organization take? (Select TWO.)

Question 101 (easy, multiple choice)

A healthcare organization is deploying a new application on Google Cloud that will process protected health information (PHI) subject to HIPAA. The security team has enabled encryption at rest using Google-managed keys and configured Cloud Audit Logs. During a compliance review, the auditor notes that the organization has not yet signed a Business Associate Agreement (BAA) with Google Cloud. What should the organization do to remediate this issue?

Question 102 (easy, multiple choice)

A financial services company is deploying a new payment processing system on Google Cloud that must comply with PCI DSS. The system processes credit card data. The security team has implemented encryption at rest and in transit, and uses Private Google Access for VPC communication. During a PCI assessment, the assessor points out that the company is missing a critical control: the need to regularly scan the external IP addresses of the VMs for vulnerabilities. What should the company do to address this requirement?

Question 103 (medium, multiple choice)

A global e-commerce company is using Google Cloud to store customer data subject to GDPR. They have implemented data residency controls to keep data within the EU. However, during a routine audit, the compliance team discovers that some backups of customer data are being replicated to a US region due to a misconfigured backup policy. The data includes personal information. The company must ensure that all data remains within the EU. What should the team do to prevent this from recurring and remediate the current situation?

Question 104 (medium, multiple choice)

A government agency is migrating to Google Cloud and must comply with FedRAMP requirements. They need to ensure that only FedRAMP authorized Google Cloud services are used in their project. The security team has enabled Organization Policies and created a custom policy to restrict allowed services to a specific list. However, when a developer tries to create a Cloud SQL instance, the operation is denied. The developer receives an error: 'The organization policy constraint compute.restrictNonPdServices is not allowing this resource.' The developer is trying to create a Cloud SQL instance, which is a FedRAMP authorized service. What is the most likely cause of the denial?

Question 105 (hard, multiple choice)

A large healthcare organization is migrating its on-premises data center to Google Cloud. The organization must comply with HIPAA and has signed a BAA with Google Cloud. They plan to use BigQuery for analytics on PHI data. The security team has enabled encryption at rest with CMEK and has configured VPC Service Controls to prevent data exfiltration. During a penetration test, the testers discovered that they could query the BigQuery dataset using a service account that has BigQuery Data Viewer role from a non-VPC-SC-compliant network. This could allow unauthorized access to PHI data. The team needs to restrict all access to the BigQuery dataset to only originate from within the VPC perimeter defined by VPC Service Controls. What should the team do to enforce this requirement?

Question 106 (medium, multi select)

A multinational company is migrating sensitive workloads to Google Cloud and must comply with GDPR data residency requirements. Which TWO actions ensure data remains stored only within the European Union? (Choose TWO.)

Question 107 (hard, multiple choice)

An organization is configuring a Cloud Storage bucket for a regulated workload. The bucket configuration shown in the exhibit was applied. Which compliance requirement is this configuration primarily designed to address?

Exhibit

Refer to the exhibit.

```json
{
  "kind": "storage#bucket",
  "name": "compliance-bucket",
  "retentionPolicy": {
    "retentionPeriod": "31536000",
    "effectiveTime": "2024-01-01T00:00:00Z",
    "isLocked": true
  },
  "iamConfiguration": {
    "uniformBucketLevelAccess": {
      "enabled": true
    }
  }
}
```

Question 108 (easy, multiple choice)

A company has a compliance policy requiring that all data at rest in Cloud Storage be encrypted with a Cloud KMS key that is rotated every 90 days. The company uses CMEK with automatic key rotation enabled. An auditor discovers that some older objects in a bucket were created with a previous key version that has since been disabled. The compliance team requires that all objects be re-encrypted with the current key version. The bucket does not have object versioning enabled. What should the security engineer do to remediate this issue?
