PCA · topic practice

Design for security and compliance practice questions

Practise Google Professional Cloud Architect Design for security and compliance practice questions — original exam-style scenarios with answer choices, explanations, and analysis of common mistakes.

Courseiva uses original exam-style practice questions designed for learning and revision. The goal is to understand the concepts, recognise exam patterns, and improve through explanations — not memorise copied exam dumps.

Reviewed byJohnson Ajibi· MSc IT Security
20 questionsDomain: Design for security and compliance

What the exam tests

What to know about Design for security and compliance

Design for security and compliance questions test whether you can apply the concept in context, not just recognise a definition.

How the topic appears in realistic exam-style scenarios.

Which detail in the question changes the correct answer.

How to eliminate plausible but wrong options.

How to connect the question back to the wider exam objective.

Watch out for

Common Design for security and compliance exam traps

  • Answering from memory before reading the full scenario.
  • Missing a constraint such as cost, availability, security, scope or command context.
  • Choosing a broad answer when the question asks for the most specific fix.
  • Ignoring why the wrong options are tempting.

Practice set

Design for security and compliance questions

20 questions · select your answer, then reveal the explanation

A company is migrating sensitive customer data to Google Cloud. They need to ensure data is encrypted at rest and in transit. Which Google Cloud service provides a centralized way to manage encryption keys used by Google Cloud services?

A financial services company runs a multi-tier application on Compute Engine. They need to restrict network access so that only the web tier can communicate with the application tier, and only the application tier can access the database tier. All VMs are in the same VPC network. What is the most secure way to implement this?

Question 3hardmultiple choice
Read the full NAT/PAT explanation →

A healthcare organization uses Cloud Storage to store protected health information (PHI). They have a compliance requirement to ensure that all objects in the bucket are encrypted with a customer-managed key (CMK) that is rotated every 90 days. They also need to log all access to the bucket and detect anomalous access patterns. Which combination of Google Cloud services should they use?

An e-commerce platform uses Cloud SQL for MySQL to store user profiles and order history. The security team wants to ensure that database administrators (DBAs) cannot view plaintext credit card numbers stored in the database. They also want to minimize application changes. What should they do?

A company wants to ensure that only Compute Engine instances with a specific service account can access a Cloud Storage bucket. Which IAM condition should they use?

Question 6hardmultiple choice
Read the full NAT/PAT explanation →

A multinational corporation operates in multiple regions and must comply with GDPR. They use Cloud Load Balancing to distribute traffic across regional backends. Their security team wants to block traffic from specific countries (e.g., non-EU countries) at the edge. What should they use?

Which TWO are recommended practices for securing a Kubernetes Engine (GKE) cluster?

Which THREE are valid methods to protect sensitive data in BigQuery?

Your company runs a multi-region web application on Google Kubernetes Engine (GKE) with pods that process sensitive user data. The application uses Cloud SQL for PostgreSQL as the backend database. Your security team has implemented the following controls: 1) All traffic to the database is encrypted using SSL/TLS. 2) The GKE cluster uses Workload Identity to bind Kubernetes service accounts to IAM service accounts. 3) The Cloud SQL instance is configured with a public IP address and authorized networks to allow only the GKE cluster's node IP ranges. 4) The database credentials are stored in Secret Manager and mounted as volumes in the pods. Recently, a security audit revealed that a pod was compromised due to a container vulnerability. The attacker was able to exfiltrate sensitive data directly from the Cloud SQL database using the credentials from Secret Manager. The security team wants to prevent such exfiltration in the future while minimizing changes to the application code. Which course of action should you recommend?

A company is migrating its on-premises workloads to Google Cloud. They have strict compliance requirements that all data at rest must be encrypted with customer-managed encryption keys (CMEK). Which Google Cloud service should they use to manage the lifecycle of these keys?

Which TWO of the following are valid methods to control access to Google Cloud resources using Identity and Access Management (IAM)?

An organization has set the IAM policy constraint 'constraints/iam.allowedPolicyMemberDomains' with the values shown. Which of the following users can be granted an IAM role on a project in this organization?

Exhibit

Refer to the exhibit.

```yaml
# organization_policy.yaml
constraint: constraints/iam.allowedPolicyMemberDomains
listPolicy:
  allowedValues:
    - C0xxxxxxx  # Google Cloud organization ID
    - A1b2C3d4E5f6G7h8I9j0K1l2M3n4O5p6  # Cloud Identity domain: example.com
```

Your company has a production environment on Google Cloud that includes Compute Engine instances, Cloud Storage buckets, and BigQuery datasets. Security policies require that all data at rest is encrypted with CMEK, and audit logs must be retained for 7 years. The current configuration uses Google-managed encryption keys. You have been asked to transition to CMEK for all resources. After enabling CMEK for new resources, you discover that the existing resources are not re-encrypted. To comply with the policy, you need to re-encrypt the existing data. What should you do?

Question 14mediummultiple choice
Read the full NAT/PAT explanation →

A company is deploying a multi-tier web application on Google Cloud. The application must comply with PCI DSS. Which combination of Google Cloud services should be used to restrict access to the database tier to only the application tier, while also encrypting data at rest and in transit?

An organization is implementing a data loss prevention (DLP) strategy for sensitive data stored in Cloud Storage. They want to automatically detect and redact credit card numbers in CSV files uploaded to a specific bucket. Which TWO Google Cloud services should they combine to achieve this?

Question 16easymultiple choice
Review the full subnetting walkthrough →

An engineer runs the above command and sees two firewall rules that allow SSH access. A security review requires that SSH access be allowed only from the bastion subnet 10.0.1.0/24. What should the engineer do to meet the requirement?

Network Topology
filter="allowed.ports:22"format=jsonRefer to the exhibit.```"name": "allow-ssh-ingress","network": "default","direction": "INGRESS","priority": 1000,"sourceRanges": ["0.0.0.0/0"],"allowed": [{"IPProtocol": "tcp", "ports": ["22"]}],"targetTags": ["ssh-allowed"]},"name": "allow-ssh-from-bastion","sourceRanges": ["10.0.1.0/24"],

Drag and drop the steps to configure a Cloud Load Balancer with a backend service consisting of Compute Engine instances into the correct order.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order
1Step 1
2Step 2
3Step 3
4Step 4
5Step 5

Drag and drop the steps to set up a shared VPC in Google Cloud for a multi-project environment into the correct order.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order
1Step 1
2Step 2
3Step 3
4Step 4
5Step 5

Match each GCP compute service to its characteristic.

Drag a concept onto its matching description — or click a concept then click the description.

Concepts
Matches

Virtual machines with full control

Managed Kubernetes clusters

Serverless containers

Platform as a Service (PaaS)

Event-driven serverless functions

Match each GCP data processing service to its use case.

Drag a concept onto its matching description — or click a concept then click the description.

Concepts
Matches

Stream and batch data processing (Apache Beam)

Managed Hadoop and Spark clusters

Asynchronous messaging for event ingestion

Visual data integration pipelines

Workflow orchestration (Apache Airflow)

Free account

Track your progress over time

Create a free account to save your results and see which topics improve across sessions.

Focused Design for security and compliance sessions

Start a Design for security and compliance only practice session

Every question in these sessions is drawn from the Design for security and compliance domain — nothing else.

Related practice questions

Related PCA topic practice pages

Move into related areas when this topic feels solid.

Frequently asked questions

What does the PCA exam test about Design for security and compliance?
Design for security and compliance questions test whether you can apply the concept in context, not just recognise a definition.
How should I use these practice questions?
Select your answer before revealing the explanation. Then read why each option is right or wrong — this active recall approach builds retention far faster than re-reading notes.
Can I practise just Design for security and compliance questions in a focused session?
Yes — the session launcher on this page draws every question from the Design for security and compliance domain. Use a 10-question session first to gauge your baseline, then move to 20 or 30 once the weak spots are clear.
Where can I practise other PCA topics?
Use the topic links above to move to related areas, or go back to the PCA question bank to see all topics.
Are these real exam questions or dumps?
These are original practice questions written to test the same concepts the PCA exam covers. They are not copied from any real exam or dump site.