Courseiva is a free IT certification practice platform offering original exam-style practice questions, detailed explanations, topic-based practice, mock exams, readiness tracking, and study analytics for Cisco, CompTIA, Microsoft, AWS, and other technology certifications.

© 2026 Courseiva. Courseiva is operated by JTNetSolutions Ltd. All rights reserved.

Courseiva is an independent certification practice platform and is not affiliated with, endorsed by, or sponsored by Cisco, Microsoft, AWS, CompTIA, Google, ISC2, ISACA, or any other certification vendor. Vendor names and certification marks are used only to identify the exams learners are preparing for.

PCSE Ensuring data protection • Complete Question Bank

PCSE Ensuring data protection — All Questions With Answers

Complete PCSE Ensuring data protection question bank — all 0 questions with answers and detailed explanations.

92 questions. Free. No signup.
Question 1 (medium, multiple choice)

A company stores sensitive customer data in Cloud Storage. They want to ensure that data is encrypted at rest using customer-managed encryption keys (CMEK) and that access to the key is audited. Which approach should they use?

Question 2 (hard, multiple choice)

A security engineer needs to protect sensitive data in BigQuery. The data includes columns with personally identifiable information (PII). They want to automatically mask PII data for users with the role 'analyst' but allow full access for 'admin' users. Which approach should they use?

Question 3 (easy, multiple choice)

A company is using Cloud SQL for MySQL to store financial data. They need to ensure that all data is encrypted at rest and in transit. What should they do?

Question 4 (medium, multiple choice)

A company is migrating on-premises data to Cloud Storage. They have regulatory requirements to encrypt data using keys managed by their on-premises hardware security module (HSM). Which solution should they use?

Question 5 (hard, multiple choice)

A company has a Cloud Storage bucket containing sensitive data. They want to ensure that only users with specific IAM roles can access the bucket, and that access is logged for audit purposes. They also want to prevent public access. Which configuration steps should they take?

Question 6 (medium, multi select)

A company is using Cloud Data Loss Prevention (DLP) to inspect and de-identify sensitive data in Cloud Storage. They want to classify data using infoTypes and apply de-identification techniques. Which TWO actions should they take?

Question 7 (hard, multi select)

A company uses BigQuery to store sensitive data and wants to implement data masking using policy tags. They have three user groups: data_engineers (full access), data_analysts (masked PII), and data_scientists (masked financial data). Which THREE steps should they take?

Question 8 (medium, multiple choice)

A security engineer runs the command in the exhibit. The command fails with an error: 'Permission denied: cryptoKeyVersions.encrypt'. What is the most likely cause?

Exhibit

Refer to the exhibit.

```
gcloud kms encrypt \
  --location=global \
  --keyring=my-keyring \
  --key=my-key \
  --plaintext-file=secret.txt \
  --ciphertext-file=secret.enc
```
Question 9 (hard, multiple choice)

A security engineer reviews the IAM policy for a Cloud Storage bucket as shown in the exhibit. Alice reports that she cannot upload objects to the bucket, while Bob can view objects. What is the most likely issue?

Exhibit

Refer to the exhibit.

```
{
  "bindings": [
    {
      "role": "roles/storage.objectViewer",
      "members": [
        "user:alice@example.com",
        "user:bob@example.com"
      ]
    },
    {
      "role": "roles/storage.objectAdmin",
      "members": [
        "user:alice@example.com"
      ]
    }
  ]
}
```
Question 10 (medium, multiple choice)

A company stores sensitive customer data in Cloud Storage and uses CMEK with Cloud KMS. They want to ensure that data in transit to the storage bucket is always encrypted using TLS 1.2 or higher. Which configuration should they implement?

Question 11 (hard, multiple choice)

A healthcare organization stores PHI in BigQuery tables with row-level access policies. They need to ensure that data is automatically de-identified when exported to Cloud Storage for analytics. What is the most scalable solution with minimal manual intervention?

Question 12 (easy, multiple choice)

A company uses Cloud KMS to protect encryption keys for their Cloud SQL databases. They want to rotate keys every 30 days and ensure that old keys are retained for at least 90 days. What is the recommended approach?

Question 13 (medium, multi select)

Which TWO actions should a security engineer take to protect sensitive data in Cloud Storage buckets from accidental public exposure? (Choose two.)

Question 14 (hard, multi select)

Which THREE steps are required to implement field-level encryption for sensitive columns in a Cloud SQL for PostgreSQL database using Cloud KMS? (Choose three.)

Question 15 (medium, multiple choice)

Refer to the exhibit. A security engineer runs this command to check bucket permissions. What is the most significant security issue?

Exhibit

```
Resource: bucket 'my-data-bucket'
  IAM policy:
  - role: roles/storage.objectViewer
    members:
    - user:alice@example.com
    - domain:example.com
  - role: roles/storage.legacyBucketReader
    members:
    - allUsers
  Uniform bucket-level access: disabled
  ACLs:
  - entity: allUsers
    role: READER
```
Question 16 (medium, multi select)

You are a security engineer for a healthcare organization. You need to protect sensitive patient data stored in Cloud Storage. You want to ensure that data is encrypted at rest using a customer-managed key (CMEK) and that access to the key is logged. You also need to prevent data exfiltration by limiting which service accounts can decrypt data. Which TWO steps should you take? (Choose two.)

Question 17 (hard, multiple choice)

Refer to the exhibit. You are analyzing the IAM policy for a project. You need to ensure that only authenticated users can access objects in bucket1 under the prefix "reports/". Which of the following statements is correct?

Exhibit

IAM policy for project my-project:

```
bindings:
- members:
  - user:alice@example.com
  - serviceAccount:sa-1@my-project.iam.gserviceaccount.com
  role: roles/storage.objectViewer
  condition:
    expression: resource.name.startsWith("projects/_/buckets/bucket1/objects/reports/")
- members:
  - user:bob@example.com
  role: roles/storage.objectAdmin
- members:
  - user:bob@example.com
  role: roles/compute.admin
- members:
  - serviceAccount:sa-1@my-project.iam.gserviceaccount.com
  role: roles/iam.workloadIdentityUser
- members:
  - serviceAccount:my-project@appspot.gserviceaccount.com
  role: roles/storage.objectAdmin
```
Question 18 (easy, multiple choice)

Your company runs a data analytics platform on Google Cloud that processes sensitive financial data. Data is ingested from various sources into a Cloud Storage bucket, then processed by Dataflow jobs, and final results are stored in BigQuery. You have implemented the following security controls:

- VPC Service Controls perimeter around the project
- Cloud KMS CMEK for all storage services
- IAM conditions restricting access based on tags
- Cloud Audit Logs enabled for all services

Recently, an auditor discovered that a compromised service account was able to read data from the Cloud Storage bucket even though it was outside the VPC Service Controls perimeter. The auditor reviewed the logs and found that the access came from a Compute Engine instance that was running within the same project. What is the most likely reason the VPC Service Controls perimeter did not block this access?

Question 19 (medium, drag order)

Drag and drop the steps to rotate a customer-managed encryption key (CMEK) in Cloud KMS in the correct order.

Question 20 (medium, drag order)

Drag and drop the steps to configure a security scanner to scan a web application in the correct order.

Question 21 (medium, matching)

Match each CVE or security concept to its description.


Log4j remote code execution vulnerability

Heartbleed OpenSSL vulnerability

Apache Struts2 remote code execution

Windows CryptoAPI spoofing vulnerability

BlueKeep RDP remote code execution

Question 22 (medium, matching)

Match each access control mechanism to its description.


Identity and Access Management for resource-level permissions

Constraints applied at the organization node

Service perimeters to prevent data exfiltration

Network-level allow/deny rules for VMs

Identity-Aware Proxy for application-level access

Question 23 (easy, multiple choice)

A company stores sensitive customer data in Cloud Storage. They want to ensure that only users with explicit IAM permissions can decrypt the data, and that Google does not have access to the encryption keys. Which encryption option should they use?

Question 24 (easy, multiple choice)

A security engineer needs to audit all attempts to access a Cloud Storage bucket, including successful and failed attempts. Which logging option should they enable?

Question 25 (easy, multiple choice)

An organization wants to prevent data exfiltration from a Google Cloud project by restricting the copying of data from Cloud Storage to external IPs. Which Google Cloud service should they use?

Question 26 (medium, multiple choice)

A company uses BigQuery to store analytics data. They need to restrict access to specific rows based on the user's department. What should they implement?

Question 27 (medium, multiple choice)

A financial institution uses Cloud KMS to manage encryption keys. They want to ensure that key material is never exported from the KMS service. Which key protection method should they use?

Question 28 (medium, multiple choice)

A healthcare organization stores Protected Health Information (PHI) in Cloud Storage. They need to de-identify data before sharing it with researchers. Which service should they use?

Question 29 (hard, multiple choice)

A company uses Cloud SQL for MySQL with automated backups. They want to ensure that backup data is encrypted with a key that they manage and rotate on a schedule, separate from the primary database encryption. What should they do?

Question 30 (hard, multiple choice)

An organization uses BigQuery with column-level security. They have a column containing social security numbers (SSNs) that should only be visible to users with the 'PII_Viewer' role. How should they configure this?

Question 31 (hard, multiple choice)

A company uses Cloud Storage with CMEK. The Cloud KMS key is disabled accidentally by an administrator. What will happen to existing objects encrypted with that key?

Question 32 (easy, multi select)

A security engineer is designing data protection for Cloud Storage. Which TWO methods can be used to enforce encryption at rest for objects? (Choose TWO.)

Question 33 (medium, multi select)

A company is implementing data loss prevention (DLP) for BigQuery. Which THREE capabilities are provided by Cloud DLP? (Choose THREE.)

Question 34 (hard, multi select)

An organization wants to ensure that only compute instances in a specific VPC can access a Cloud Storage bucket. They also want to prevent the bucket data from being downloaded to an external IP. Which TWO services should they combine? (Choose TWO.)

Question 35 (easy, multiple choice)

Refer to the exhibit. A security engineer runs the following command to check encryption settings on a Cloud Storage bucket. What does the output indicate about encryption?

Exhibit

```
gsutil kms encryption gs://my-bucket --show-default-key
```
Question 36 (medium, multiple choice)

Refer to the exhibit. A security engineer runs the following IAM policy command for a Cloud Storage bucket. What access do the bindings grant?

Exhibit

```
gsutil iam get gs://my-bucket
Output:
{
  "bindings": [
    {
      "role": "roles/storage.objectViewer",
      "members": [
        "user:alice@example.com",
        "domain:example.com"
      ]
    },
    {
      "role": "roles/storage.objectAdmin",
      "members": [
        "serviceAccount:sa@project.iam.gserviceaccount.com"
      ]
    }
  ],
  "etag": "B=XYZ"
}
```
Question 37 (hard, multiple choice)

Refer to the exhibit. A security administrator is troubleshooting why a user cannot access a BigQuery dataset. The user analyst@example.com is not a member of data-team@example.com. The user is trying to query a table in the dataset. What is the most likely reason for the denial?

Exhibit

```
{
  "bindings": [
    {
      "role": "roles/bigquery.dataViewer",
      "members": [
        "user:analyst@example.com"
      ]
    },
    {
      "role": "roles/bigquery.dataOwner",
      "members": [
        "group:data-team@example.com"
      ]
    }
  ],
  "etag": "ABC"
}
```
Question 38 (easy, multiple choice)

A financial institution wants to encrypt data in Cloud Storage using keys that they rotate monthly through Cloud KMS. Which key management option should they use?

Question 39 (medium, multiple choice)

A multinational corporation is required to protect sensitive data in BigQuery using column-level encryption. They want to use a customer-managed key stored in Cloud KMS. What is the correct approach?

Question 40 (hard, multiple choice)

A company uses Cloud SQL for PostgreSQL with CMEK. They need to ensure that the Cloud SQL instance can only be accessed by authorized compute resources that have the correct IAM permissions to decrypt the data. What additional configuration is required to enforce access control?

Question 41 (easy, multiple choice)

A developer accidentally committed a file containing a service account key to a public GitHub repository. Which action should be taken immediately to invalidate the compromised key?

Question 42 (easy, multiple choice)

You want to encrypt data in Google Cloud Storage using a key that is managed and stored in a third-party key management system outside of Google Cloud. Which feature should you use?

Question 43 (hard, multiple choice)

A company uses Cloud KMS to protect encryption keys for various applications. They need to ensure that keys are automatically rotated every 90 days and that the rotation does not require re-encrypting all data. Which key type and rotation strategy should they use?

Question 44 (easy, multiple choice)

An organization uses Cloud DLP to inspect BigQuery tables for sensitive data. They want to automatically remove credit card numbers before the data is accessed by analysts but still allow the raw data for auditing purposes. Which DLP technique should they use?

Question 45 (medium, multiple choice)

A company is deploying a microservices architecture on Google Kubernetes Engine (GKE). They need to securely store and access database credentials, API keys, and other secrets. They want to avoid storing secrets in plaintext in the container image or Kubernetes manifests. Which solution should they use?

Question 46 (hard, multiple choice)

A healthcare organization is designing a data pipeline that ingests patient health records into Cloud Storage, then processes them with Dataflow for analytics. They must ensure that data is encrypted at rest and in transit, and that only authorized users can access the raw data. They also need to guarantee that the encryption keys are stored outside of Google Cloud. Which solution meets all requirements?

Question 47 (easy, multi select)

Which two Cloud Storage encryption options allow the customer to supply or manage the encryption keys? (Choose two.)

Question 48 (hard, multi select)

Which three actions help protect Cloud KMS key material? (Choose three.)

Question 49 (medium, multi select)

Which two are best practices for managing secrets in Secret Manager? (Choose two.)

Question 50 (medium, multiple choice)

Refer to the exhibit. A security engineer has created this IAM policy for a Cloud KMS key. The service account my-sa is used by a Compute Engine VM to encrypt data before storing it in Cloud Storage. User alice needs to decrypt the data for analysis. Which statement is true?

Exhibit

```
{
  "bindings": [
    {
      "role": "roles/cloudkms.cryptoKeyEncrypter",
      "members": [
        "serviceAccount:my-sa@project.iam.gserviceaccount.com"
      ]
    },
    {
      "role": "roles/cloudkms.cryptoKeyDecrypter",
      "members": [
        "user:alice@example.com"
      ]
    }
  ]
}
```
Question 51 (hard, multiple choice)

Refer to the exhibit. Based on the exhibit, the corporate security policy requires that all Cloud KMS symmetric keys have automatic rotation enabled. Which statement is true?

Exhibit

```
gcloud kms keys list --keyring=my-keyring --location=global --format=json
[
  {
    "name": "my-keyring/encryption-key",
    "labels": {"env": "prod"},
    "rotationPeriod": "7776000s",
    "primary": {
      "name": "encryption-key/cryptoKeyVersions/2",
      "state": "ENABLED"
    }
  },
  {
    "name": "my-keyring/decryption-key",
    "labels": {},
    "rotationPeriod": null,
    "name": "decryption-key/cryptoKeyVersions/1",
```
Question 52 (medium, multiple choice)

Refer to the exhibit. A security engineer needs to ensure that all objects uploaded to the bucket are automatically encrypted with the specified KMS key. They also need to preserve older versions of objects. Which statement accurately describes the bucket configuration?

Exhibit

```
gsutil ls -L gs://my-secure-bucket | grep -E 'Kind|Encryption|Versioning'
{
  "kind": "storage#bucket",
  "encryption": {
    "defaultKmsKeyName": "projects/my-project/locations/global/keyRings/my-ring/cryptoKeys/my-key"
  },
  "versioning": {
    "enabled": true
  }
}
```
Question 53 (easy, multiple choice)

A company wants to ensure that all data stored in Cloud Storage buckets is encrypted with a customer-managed key (CMEK) that is managed in Cloud KMS. The security team requires that only authorized applications can access the key. Which configuration step should be taken to achieve this?

Question 54 (easy, multiple choice)

A company uses Cloud Data Loss Prevention (DLP) to inspect sensitive data in Cloud Storage. They want to automatically redact credit card numbers found in text files before the files are accessed by downstream applications. Which DLP method should be used?

Question 55 (easy, multiple choice)

A multinational organization must store customer data only in specific geographic regions to comply with data residency regulations. They use Cloud Spanner for their primary database. What should they do to enforce that data is stored only in approved regions?

Question 56 (medium, multiple choice)

A security engineer needs to encrypt data at rest in Cloud Storage using a key that is not managed by Google Cloud. The key must be stored on-premises and provided with each API call for data access. Which encryption approach should be used?

Question 57 (medium, multiple choice)

A company uses VPC Service Controls to protect data in BigQuery and Cloud Storage. They need to allow a third-party application running outside the service perimeter to query BigQuery datasets within the perimeter. What should they configure?

Question 58 (medium, multiple choice)

A financial institution uses Cloud HSM to protect cryptographic keys used for signing sensitive transactions. They want to ensure that keys are never exportable and that key usage is logged. Which key type should they create in Cloud HSM?

Question 59 (hard, multiple choice)

An organization uses Cloud DLP to scan a Cloud SQL database for PII. They want to automatically pseudonymize email addresses found in a specific column using a deterministic encryption that can be reversed for authorized users. The key must be stored in Cloud KMS. Which DLP transformation should they configure?

Question 60 (hard, multiple choice)

A security team has a Cloud KMS key used for encrypting Cloud Storage objects. They need to ensure that when the key is rotated, old data remains decryptable without manual re-encryption. They also want to minimize the number of key versions. Which approach should they take?

Question 61 (hard, multiple choice)

A company needs to meet a regulatory requirement that cryptographic keys for data at rest in Google Cloud must be managed in an on-premises HSM and never leave the HSM. Google Cloud services should be able to use those keys for encryption/decryption. Which solution should they implement?

Question 62 (easy, multi select)

Which TWO of the following are valid methods to protect data in transit between on-premises and Google Cloud using Cloud VPN?

Question 63 (medium, multi select)

Which THREE of the following are best practices for using Cloud DLP to protect sensitive data in BigQuery?

Question 64 (hard, multi select)

A company is implementing confidential VMs with Shielded VM and data encryption. Which two actions must be taken to ensure data protection for confidential compute workloads?

Question 65 (easy, multiple choice)

Refer to the exhibit. A security engineer sees this configuration for a Cloud Storage bucket. What does this indicate about the encryption of objects in this bucket?

Exhibit

```
$ gcloud storage buckets describe gs://my-bucket --format="json" | jq .encryption
{
  "defaultKmsKeyName": "projects/my-project/locations/us-central1/keyRings/my-keyring/cryptoKeys/my-key"
}
```
Question 66 (medium, multiple choice)

Refer to the exhibit. A security engineer is reviewing a Cloud KMS key. What can be concluded about this key?

Exhibit

```
{
  "name": "projects/my-project/locations/us-central1/keyRings/my-keyring/cryptoKeys/my-key",
  "primary": {
    "name": "projects/my-project/locations/us-central1/keyRings/my-keyring/cryptoKeys/my-key/cryptoKeyVersions/2",
    "state": "ENABLED",
    "algorithm": "GOOGLE_SYMMETRIC_ENCRYPTION",
    "protectionLevel": "HSM",
    "attestation": {
      "certChains": [...]
    }
  },
  "versionTemplate": {
    "protectionLevel": "HSM",
    "algorithm": "GOOGLE_SYMMETRIC_ENCRYPTION"
  }
}
```
Question 67 (hard, multiple choice)

Refer to the exhibit. An auditor notices this log entry. Which of the following is true about this event?

Exhibit

```
{
  "protoPayload": {
    "methodName": "CloudKms.Decrypt",
    "resourceName": "projects/my-project/locations/us-central1/keyRings/my-keyring/cryptoKeys/my-key/cryptoKeyVersions/3",
    "authenticationInfo": {
      "principalEmail": "service-account@project.iam.gserviceaccount.com"
    },
    "metadata": {
      "key": {
        "key_kms_keypath": "projects/my-project/locations/us-central1/keyRings/my-keyring/cryptoKeys/my-key"
      },
      "decrypt_result": {
        "success": true
      }
    }
  },
  "resource": {
    "type": "audited_resource",
    "labels": {
      "service": "cloudkms.googleapis.com",
      "method": "Decrypt"
    }
  }
}
```
Question 68 (easy, multiple choice)

A company wants to ensure that all data stored in Cloud Storage buckets is encrypted at rest using a customer-managed key that is automatically rotated every 90 days. What should they do?

Question 69 (medium, multiple choice)

A multinational organization must ensure that data for European users is stored only within the European Union to comply with GDPR. They use Cloud Storage and BigQuery. Which design should they implement?

Question 70 (hard, multiple choice)

A security engineer needs to configure Cloud KMS key rotation so that existing ciphertext can still be decrypted with old key versions, but new encryption uses the latest version. Which key management practice meets this requirement?

Question 71 (easy, multiple choice)

A retail company hosts an e-commerce website on Compute Engine behind an HTTPS load balancer. They want to encrypt traffic between the load balancer and backend instances. What should they do?

Question 72 (medium, multiple choice)

A healthcare organization ingests patient data into Cloud Storage and then processes it with Dataflow. They need to de-identify sensitive fields like Social Security numbers before storing in BigQuery. Which approach should they use?

Question 73 (hard, multiple choice)

A financial services company wants to ensure that Google Cloud staff cannot access their encryption keys or the plaintext data. They must meet regulatory requirements for data sovereignty. Which combination of services should they use?

Question 74 (easy, multiple choice)

A small business stores backup archives in Cloud Storage and wants to encrypt them at rest using a key that is automatically rotated annually. They do not want to manage key material themselves. Which encryption option should they use?

Question 75 (medium, multiple choice)

A company uses Cloud Functions to process employee data and wants to ensure that personally identifiable information (PII) is redacted from log output. Which approach should they take?

Question 76 (hard, multiple choice)

A company must comply with PCI DSS requirements that mandate the use of a hardware security module (HSM) for key storage. They plan to use Cloud KMS for key management. Which implementation meets compliance?

Question 77 (medium, multi select)

Which TWO options are required to use Cloud DLP to successfully inspect data in a Cloud Storage bucket?

Question 78 (hard, multi select)

Which THREE are best practices for managing encryption keys in Google Cloud?

Question 79 (easy, multi select)

Which THREE Google Cloud services can encrypt data at rest?

Question 80 (hard, multiple choice)

Refer to the exhibit. The security team created this key for encrypting database backups. After an audit, they found that data encrypted before May 1, 2023, cannot be decrypted. What is the most likely cause?

Exhibit

Refer to the exhibit.

```
--location=global --keyring=keyring-dev
createTime: '2023-05-01T10:00:00Z'
primary:
  name: projects/my-project/locations/global/keyRings/keyring-dev/cryptoKeys/test-key/cryptoKeyVersions/2
  state: ENABLED
  protectionLevel: HSM
  algorithm: GOOGLE_SYMMETRIC_ENCRYPTION
  attestation:
    format: CAVIUM_V3_COMPRESSED
    ed25519: <attestation_data>
purpose: ENCRYPT_DECRYPT
rotationPeriod: 7776000s
nextRotationTime: '2023-07-30T10:00:00Z'
versionTemplate:
```
Question 81 (hard, multiple choice)

A global e-commerce company uses Google Cloud to host its platform. They store customer payment data in Cloud SQL and use Cloud Storage for backups. Currently, they rely on Google-managed encryption keys. A new compliance requirement mandates that all encryption keys must be stored in a hardware security module (HSM) and rotated every 30 days. Additionally, they need to retain backup data for 7 years, during which the keys used to encrypt the backups must be available for decryption. They have created a Cloud HSM key ring and a key with a rotation period of 2592000 seconds (30 days). After configuring Cloud SQL and Cloud Storage to use the Cloud HSM key, they notice that backups older than 30 days cannot be decrypted. The company's security engineer verified that the key versions are still present. What is the most likely cause and how should it be resolved?

Question 82 (medium, multiple choice)

A healthcare startup is building a data pipeline on Google Cloud. They receive patient data via a REST API running on Cloud Run. The data includes sensitive health information that must be de-identified before being stored in BigQuery. They plan to use Cloud DLP to inspect and transform the data. However, due to latency requirements, they need to de-identify the data within 5 seconds of receiving the request. They have set up a Cloud DLP job to inspect the data synchronously using the DLP API. During testing, they notice that the de-identification sometimes takes over 10 seconds, causing API timeouts. They want to reduce the latency without compromising security. What should they do?

Question 83 (medium, multiple choice)

A financial services company uses Cloud Storage to store sensitive customer data. They want to encrypt this data at rest using customer-managed encryption keys (CMEK) and automate key rotation every 90 days. Which approach should they take?

Question 84 (easy, multi select)

A healthcare organization needs to redact Social Security Numbers (SSNs) from patient records stored in Cloud Storage before sharing them with a research partner. They plan to use Cloud DLP. Which TWO actions should they take to configure the DLP job correctly? (Choose two.)

Question 85 (hard, multiple choice)

A large enterprise runs analytics workloads on BigQuery containing sensitive financial data. They have implemented VPC Service Controls (VPC SC) to create a perimeter around the BigQuery dataset, allowing access only from a specific VPC network. Despite this, security auditors discovered that data was accessed from an IP address outside the perimeter. After investigation, they found the access originated from a user's personal laptop using the Google Cloud Console. The company's security policy requires that sensitive data can only be accessed from corporate-managed devices. What should they do to prevent this type of access?

Question 86 (medium, multiple choice)

A company runs a containerized application on Google Kubernetes Engine (GKE) that reads from a Cloud Storage bucket encrypted with a customer-managed key (CMEK) in Cloud KMS. The application uses a dedicated Google service account with the roles/storage.objectViewer role and a Cloud KMS CryptoKey Decrypter binding on the key. After a scheduled key rotation, the application started receiving '403 Access Denied' errors when accessing objects. The Cloud KMS key has multiple versions. The service account's IAM permissions have not changed. What is the most likely cause and the appropriate fix?

Question 87 (hard, multiple choice)

A large enterprise is using Cloud Data Loss Prevention (DLP) to inspect a Cloud Storage bucket containing millions of files for sensitive data like credit card numbers and health information. The DLP inspection job is configured to scan the entire bucket with a schedule. Recently, the job has been failing with a 'Quota exceeded' error for the DLP inspect requests quota. The team needs to continue inspecting all files without increasing the quota limit, as the quota increase request would take weeks. They cannot skip any files due to compliance requirements. What should they do to work around the quota limit while inspecting all files?

Question 88 (medium, multiple choice)

A development team uses Cloud Secret Manager to store database credentials for an application running on Compute Engine. The application reads the secret using the Secret Manager API. After the team rotates the secret by adding a new version and setting it as the latest, the application continues to use the old secret version and fails to authenticate. The application is configured to fetch the secret with version 'latest' at startup. The team checks that the Compute Engine service account has the roles/secretmanager.secretAccessor role on the secret. What is the most likely cause of the issue?

Question 89 (easy, multiple choice)

A company runs a Cloud SQL for PostgreSQL instance that stores customer data. They must encrypt the database at rest using customer-managed encryption keys (CMEK) to meet regulatory requirements. The instance is currently using Google-managed encryption. What must they do to implement CMEK? The company wants to minimize downtime and avoid data loss.

Question 90 (hard, multiple choice)

Alice has the role roles/storage.objectAdmin on the bucket my-bucket via the IAM policy shown. She is unable to access the object gs://my-bucket/reports/data.csv. What is the most likely reason?

Exhibit

Refer to the exhibit.

{
  "bindings": [
    {
      "role": "roles/storage.objectAdmin",
      "members": ["user:alice@example.com"],
      "condition": {
        "title": "restrict_to_uploads",
        "expression": "resource.name.startsWith('projects/_/buckets/my-bucket/objects/uploads/')"
      }
    }
  ]
}

Question 91 (easy, multi select)

A company wants to encrypt data at rest in Cloud SQL. Which TWO methods are supported? (Choose TWO.)

Question 92 (medium, multiple choice)

A company operates a hybrid cloud environment with on-premises data centers and Google Cloud Platform. They store sensitive customer data in Cloud Storage buckets and use Data Loss Prevention (DLP) to scan for and inspect sensitive content. They have automated DLP inspection jobs that run periodically, but they want to automatically redact sensitive data (e.g., Social Security numbers) in any new object as soon as it is written to a specific bucket. The redacted version should replace the original object in the same bucket. Which of the following is the most effective and recommended approach?
