CCNA Ensuring data protection Questions

75 of 92 questions · Page 1/2 · Ensuring data protection · Answers revealed

1
MCQ · medium

A company stores sensitive customer data in Cloud Storage and uses CMEK with Cloud KMS. They want to ensure that data in transit to the storage bucket is always encrypted using TLS 1.2 or higher. Which configuration should they implement?

A. Use Cloud Armor to enforce HTTPS with a TLS 1.2 minimum.
B. Set the bucket's 'requireTls' transport security setting to 'true' in the bucket's IAM policy.
C. Configure the bucket to use CMEK with a key from Cloud HSM.
D. Add a bucket policy that denies requests with 'sslEnabled' set to 'false'.
Answer: B

This enforces TLS 1.2+ for all requests to the bucket.

Why this answer

Option B is correct because setting the bucket's 'requireTls' transport security setting to 'true' in the bucket's IAM policy enforces that all requests to the bucket must use TLS 1.2 or higher. This is a bucket-level policy condition that directly controls the encryption of data in transit, ensuring that any HTTP request without TLS 1.2+ is denied.

Exam trap

Google Cloud often tests the distinction between data-at-rest encryption (CMEK, CSEK) and data-in-transit encryption (TLS), leading candidates to incorrectly choose CMEK or HSM options when the question explicitly asks about transit security.

How to eliminate wrong answers

Option A is wrong because Cloud Armor is a web application firewall and DDoS protection service that operates at the HTTP(S) load balancer level, not at the Cloud Storage bucket level, and it cannot enforce transport encryption directly on storage bucket requests. Option C is wrong because CMEK with Cloud HSM encrypts data at rest using customer-managed keys, not data in transit; it does not enforce TLS version requirements. Option D is wrong because there is no 'sslEnabled' condition in Cloud Storage IAM policies; the correct condition is 'requireTls' in the bucket's transport security settings, not a deny policy with a non-existent attribute.

2
Multi-Select · medium

A company is implementing data loss prevention (DLP) for BigQuery. Which THREE capabilities are provided by Cloud DLP? (Choose THREE.)

Select 3 answers
A. Redacting sensitive data in query results.
B. Auditing all queries that access sensitive columns.
C. Classifying data using built-in infoTypes.
D. Encrypting entire tables with customer-managed keys.
E. De-identifying data using masking, tokenization, or pseudonymization.
Answers: A, C, E

DLP can redact sensitive data in real-time during queries.

Why this answer

Option A is correct because Cloud DLP can inspect and redact sensitive data directly in BigQuery query results. When you configure a DLP job or use the DLP API with BigQuery, you can specify infoTypes to detect and then redact matching values before returning the results to the user, preventing exposure of sensitive information like credit card numbers or PII.

Exam trap

Google Cloud often tests the distinction between DLP's de-identification capabilities and BigQuery's native encryption or auditing features. Candidates mistakenly select options like auditing or CMEK because they associate them with data protection, but DLP does not handle those functions.

3
MCQ · hard

A large enterprise is using Cloud Data Loss Prevention (DLP) to inspect a Cloud Storage bucket containing millions of files for sensitive data like credit card numbers and health information. The DLP inspection job is configured to scan the entire bucket with a schedule. Recently, the job has been failing with a 'Quota exceeded' error for the DLP inspect requests quota. The team needs to continue inspecting all files without increasing the quota limit, as the quota increase request would take weeks. They cannot skip any files due to compliance requirements. What should they do to work around the quota limit while inspecting all files?

A. Switch from file store inspection to content inspection (items) and send each file individually via the API to bypass the file-level quota.
B. Create de-identification templates to automatically redact the found sensitive data, which reduces the need for inspection.
C. Submit a quota increase request and pause the inspection job until the increase is approved.
D. Reconfigure the DLP job to use a smaller sampling size (e.g., 'bytesLimitPerFile' or 'filesLimitPercent') to stay within quota limits, and schedule more frequent runs to cover all files over time.
Answer: D

Sampling reduces per-job usage, and more frequent runs ensure eventual full coverage within quota.

Why this answer

Option D is correct because by reducing the per-job scan volume (e.g., via 'bytesLimitPerFile' or 'filesLimitPercent'), the job stays within the DLP inspect requests quota while still covering all files over multiple scheduled runs. This approach respects the quota ceiling without skipping any files, as the sampling is applied per job execution, not per file permanently. The team can increase the job frequency to ensure the entire bucket is eventually inspected, meeting compliance requirements.

Exam trap

Google Cloud often tests the misconception that reducing per-job sampling means permanently skipping files, but the key is that sampling is per execution, and multiple runs over time can cover all files without exceeding quota.

How to eliminate wrong answers

Option A is wrong because switching to content inspection (items) and sending each file individually via the API would still consume the same or more inspect requests quota per file, and the quota limit applies to API calls as well, not just file store inspection jobs. Option B is wrong because creating de-identification templates does not reduce the need for inspection; de-identification occurs after inspection, and the quota issue is about the inspection step itself, not redaction. Option C is wrong because submitting a quota increase request and pausing the job would leave files uninspected during the weeks-long wait, violating the requirement to continue inspecting all files without skipping any.

4
Multi-Select · medium

Which TWO actions should a security engineer take to protect sensitive data in Cloud Storage buckets from accidental public exposure? (Choose two.)

Select 2 answers
A. Use Cloud Data Loss Prevention (DLP) to scan buckets for public access.
B. Set the organization policy constraint 'iam.disableBucketPolicyOnlyGrantedByDefault' to enforce uniform bucket-level access across the organization.
C. Configure VPC Service Controls to restrict access to the buckets from within the VPC.
D. Enable uniform bucket-level access on all buckets to disable ACLs.
E. Enable bucket lock on all buckets to prevent deletion of objects.
Answers: B, D

Prevents public ACLs at the org level.

Why this answer

Option B is correct because setting the organization policy constraint 'iam.disableBucketPolicyOnlyGrantedByDefault' enforces uniform bucket-level access across the organization, preventing the use of fine-grained ACLs that can accidentally expose data. This policy ensures that all new buckets default to IAM-based access control, reducing the risk of misconfigured public ACLs.

Exam trap

Google Cloud often tests the distinction between detection tools (like DLP) and preventive controls (like organization policy constraints), leading candidates to mistakenly choose DLP as a protective measure against public exposure.

5
MCQ · hard

Refer to the exhibit. An auditor notices this log entry. Which of the following is true about this event?

A. The decryption operation was performed on a key version that is disabled.
B. The service account has the Cloud KMS CryptoKey Decrypter role.
C. The decryption operation failed due to insufficient permissions.
D. The service account used is impersonating a user to decrypt data.
Answer: B

A successful decrypt operation implies the service account has the decrypter role.

Why this answer

The log entry indicates a successful decryption operation ("decrypt" action with a success status). For a service account to successfully decrypt data using Cloud KMS, it must have the Cloud KMS CryptoKey Decrypter role (roles/cloudkms.cryptoKeyDecrypter) on the key. The log shows the caller is a service account, and the operation succeeded, confirming it has the necessary permissions.

Option B correctly identifies this.

Exam trap

Google Cloud often tests the distinction between a successful operation and a failure — candidates see 'decrypt' and assume it failed due to permissions, but the log's success status directly proves the service account had the correct role.

How to eliminate wrong answers

Option A is wrong because the log shows the decryption succeeded, and a disabled key version would cause the operation to fail with an error like 'key version disabled' or 'permission denied' — not a success. Option C is wrong because the log entry shows a successful decryption (status is not an error), so insufficient permissions cannot be the case; a failure would be logged with an error code. Option D is wrong because the log does not show any impersonation (e.g., no 'impersonated' field or 'iam.serviceAccounts.signBlob' action); the caller is directly the service account, and impersonation would require additional delegation steps.

6
Drag & Drop · medium

Drag and drop the steps to configure a security scanner to scan a web application in the correct order.

Why this order

Security scanning involves configuration, scheduling, execution, review, and remediation verification.

7
Multi-Select · easy

A security engineer is designing data protection for Cloud Storage. Which TWO methods can be used to enforce encryption at rest for objects? (Choose TWO.)

Select 2 answers
A. Setting a bucket-level default encryption with a CMEK key.
B. Enabling VPC Service Controls.
C. Applying a retention policy.
D. Using a bucket policy that requires the x-goog-encryption header for uploads.
E. Using an Organization Policy to enforce CMEK at the project level.
Answers: A, E

This ensures all objects uploaded to the bucket are encrypted with the specified CMEK key.

Why this answer

Option A is correct because setting a bucket-level default encryption with a CMEK (Customer-Managed Encryption Key) ensures that all new objects written to the bucket are encrypted at rest using a key managed by the customer in Cloud KMS. This enforces encryption at rest at the bucket level, meeting the requirement.

Exam trap

Google Cloud often tests the distinction between encryption at rest (server-side) and encryption in transit or client-side encryption, leading candidates to mistakenly choose options like D that enforce client-side headers rather than server-side encryption at rest.

8
MCQ · hard

Alice has the role roles/storage.objectAdmin on the bucket my-bucket via the IAM policy shown. She is unable to access the object gs://my-bucket/reports/data.csv. What is the most likely reason?

A. The condition restricts access to objects with a prefix 'uploads/', and the requested object is under 'reports/'.
B. The bucket has a retention policy that prevents access to objects older than a certain period.
C. The condition uses the wrong resource attribute; it should be resource.name.startsWith('my-bucket/uploads/').
D. Alice does not have the storage.objects.get permission on the bucket.
Answer: A

The condition resource.name.startsWith('projects/_/buckets/my-bucket/objects/uploads/') only allows access to objects whose path starts with 'uploads/'. The object 'reports/data.csv' does not match.

Why this answer

The IAM policy condition uses the `resource.name.startsWith('my-bucket/uploads/')` condition key, which restricts the `storage.objects.get` permission to objects whose name starts with `uploads/`. The requested object `gs://my-bucket/reports/data.csv` is under the `reports/` prefix, so the condition evaluates to false, denying access. This is the most likely reason Alice cannot access the object.

Exam trap

Google Cloud often tests the nuance that IAM conditions can silently override explicit allow permissions, leading candidates to overlook the condition and incorrectly blame missing permissions or unrelated bucket policies.

How to eliminate wrong answers

Option B is wrong because a retention policy prevents deletion or modification of objects, not read access; it does not block `storage.objects.get`. Option C is wrong because the condition already uses `resource.name.startsWith` correctly; the issue is the prefix value, not the attribute. Option D is wrong because the IAM policy explicitly grants `storage.objects.get` on the bucket, but the condition overrides that grant for objects not matching the prefix.

9
MCQ · easy

Your company runs a data analytics platform on Google Cloud that processes sensitive financial data. Data is ingested from various sources into a Cloud Storage bucket, then processed by Dataflow jobs, and final results are stored in BigQuery. You have implemented the following security controls:

- VPC Service Controls perimeter around the project
- Cloud KMS CMEK for all storage services
- IAM conditions restricting access based on tags
- Cloud Audit Logs enabled for all services

Recently, an auditor discovered that a compromised service account was able to read data from the Cloud Storage bucket even though it was outside the VPC Service Controls perimeter. The auditor reviewed the logs and found that the access came from a Compute Engine instance that was running within the same project. What is the most likely reason the VPC Service Controls perimeter did not block this access?

A. The VPC Service Controls perimeter allows access from resources within the same project, even if they are outside the perimeter.
B. The Cloud KMS key used for encryption was not bound to the perimeter.
C. The Cloud Audit Logs were not enabled for the Cloud Storage bucket, so the access was not logged.
D. The VPC Service Controls perimeter was not configured to include the Cloud Storage bucket.
Answer: A

VPC Service Controls only block access from outside the perimeter; resources within the same project are considered inside and allowed by default.

Why this answer

VPC Service Controls perimeters are designed to prevent data exfiltration by blocking access from networks outside the perimeter, but they explicitly allow access from resources within the same project, even if those resources are not inside the perimeter. In this scenario, the compromised service account was used by a Compute Engine instance running in the same project, so the access was permitted by design. This is a known behavior: VPC Service Controls do not restrict access between resources that share the same Google Cloud project, regardless of whether the requesting resource is inside or outside the perimeter.

Exam trap

The trap here is that candidates assume VPC Service Controls block all cross-resource access within a project, but Cisco tests the specific exception that resources in the same project are always allowed, regardless of perimeter boundaries.

How to eliminate wrong answers

Option B is wrong because Cloud KMS CMEK keys are not bound to VPC Service Controls perimeters; the perimeter controls access at the network layer, not the encryption layer. Option C is wrong because the auditor already reviewed the logs and found the access, so Cloud Audit Logs were clearly enabled and working. Option D is wrong because the Cloud Storage bucket was included in the perimeter (the perimeter was configured around the project, which includes all services in that project), but the access was allowed due to the same-project exception.

10
MCQ · hard

A company must comply with PCI DSS requirements that mandate the use of a hardware security module (HSM) for key storage. They plan to use Cloud KMS for key management. Which implementation meets compliance?

A. Use Cloud External Key Manager (EKM) with an external HSM.
B. Create a Cloud HSM key ring and use Cloud KMS with protection level 'HSM'.
C. Use Customer-Supplied Encryption Keys (CSEK) stored in an on-premises HSM.
D. Create keys in Cloud KMS using the default software protection level.
Answer: B

Cloud HSM provides HSM-backed key storage in Cloud KMS.

Why this answer

Option B is correct because PCI DSS requires that cryptographic keys be stored in a hardware security module (HSM) to ensure tamper resistance. Cloud HSM provides a FIPS 140-2 Level 3 validated HSM directly integrated with Cloud KMS, allowing you to create keys with the 'HSM' protection level that are generated and stored within the HSM hardware, meeting compliance without managing external infrastructure.

Exam trap

Google Cloud often tests the distinction between using an external HSM (EKM) versus a native Cloud HSM, where candidates mistakenly think that any HSM integration satisfies PCI DSS, but the key is that the keys must be stored and managed within a validated HSM that is directly integrated with the key management service.

How to eliminate wrong answers

Option A is wrong because Cloud External Key Manager (EKM) allows you to use an external HSM for key storage, but it does not store keys within Google Cloud's HSM; instead, it references keys held in your external HSM, which adds operational complexity and may not satisfy PCI DSS requirements if the external HSM is not properly validated or managed. Option C is wrong because Customer-Supplied Encryption Keys (CSEK) are used for encrypting data at rest in Google Cloud Storage, not for key management within Cloud KMS, and storing them in an on-premises HSM does not integrate with Cloud KMS's key management lifecycle or meet PCI DSS requirements for key storage in a validated HSM. Option D is wrong because the default software protection level stores keys in software-based key storage, which does not meet PCI DSS's mandate for hardware-based key storage in an HSM.

11
MCQ · easy

A retail company hosts an e-commerce website on Compute Engine behind an HTTPS load balancer. They want to encrypt traffic between the load balancer and backend instances. What should they do?

A. Enable HTTPS only between clients and load balancer; backend traffic uses HTTP.
B. Use an internal HTTPS load balancer and configure SSL certificates on backend services.
C. Apply Cloud Armor policy to enforce TLS between load balancer and backends.
D. Use Cloud VPN to connect load balancer to backend instances.
Answer: B

Internal HTTPS LB can terminate SSL and re-encrypt to backends.

Why this answer

Option B is correct because an internal HTTPS load balancer in Google Cloud can terminate HTTPS from clients and re-encrypt traffic to backend instances using SSL certificates configured on the backend services. This ensures end-to-end encryption between the load balancer and backends, meeting the requirement to encrypt traffic in that segment.

Exam trap

The trap here is that candidates often assume Cloud Armor can enforce TLS encryption, but Cloud Armor only applies security policies (e.g., IP allow/deny, rate limiting) and does not handle SSL/TLS termination or re-encryption between the load balancer and backends.

How to eliminate wrong answers

Option A is wrong because it explicitly leaves backend traffic unencrypted (HTTP), which fails the requirement to encrypt traffic between the load balancer and backend instances. Option C is wrong because Cloud Armor is a web application firewall and DDoS protection service that enforces security policies at the edge, not a mechanism to enforce TLS between the load balancer and backends; it cannot configure SSL/TLS on the backend connection. Option D is wrong because Cloud VPN is used to securely connect on-premises networks or VPCs over the internet, not to encrypt traffic between a load balancer and its backend instances within the same VPC.

12
Multi-Select · medium

A company is using Cloud Data Loss Prevention (DLP) to inspect and de-identify sensitive data in Cloud Storage. They want to classify data using infoTypes and apply de-identification techniques. Which TWO actions should they take?

Select 2 answers
A. Create custom infoTypes for all sensitive data.
B. Use the DLP API to inspect the storage for sensitive data.
C. Apply de-identification transformations such as masking or tokenization.
D. Store de-identification templates in Cloud KMS.
E. Use VPC Service Controls to restrict access to the data.
Answers: B, C

DLP API can scan and classify data using infoTypes.

Why this answer

Option B is correct because the DLP API's `inspect` method is the primary mechanism to scan Cloud Storage objects for sensitive data patterns defined by infoTypes. Option C is correct because after inspection, de-identification transformations like masking or tokenization are applied via the DLP API's `deidentify` method to redact or replace sensitive content. Together, these two actions form the standard workflow for classifying and protecting data in Cloud Storage using Cloud DLP.

Exam trap

Google Cloud often tests the misconception that VPC Service Controls or Cloud KMS are directly involved in the DLP inspection and de-identification process, when in fact they are separate security services for perimeter control and key management, respectively.

13
Multi-Select · hard

A company is implementing confidential VMs with Shielded VM and data encryption. Which two actions must be taken to ensure data protection for confidential compute workloads?

Select 2 answers
A. Use vTPM for key management.
B. Enable Secure Boot and Measured Boot.
C. Use customer-managed encryption keys (CMEK) for persistent disk encryption.
D. Use a Confidential VM instance with an N2D machine series.
E. Use Cloud HSM to protect the encryption keys for the encrypted memory.
Answers: A, B

vTPM is used for secure key storage and attestation.

Why this answer

Option A is correct because vTPM (virtual Trusted Platform Module) provides hardware-based key management for confidential VMs, enabling secure generation, storage, and attestation of encryption keys used for memory encryption and disk encryption. This ensures that only authorized code can access the keys, protecting data at rest and in use.

Exam trap

Google Cloud often tests the distinction between data-at-rest encryption (CMEK, Cloud HSM) and data-in-use protection (confidential VMs with vTPM and Secure Boot), leading candidates to mistakenly select C or E for memory encryption.

14
MCQ · hard

A healthcare organization stores PHI in BigQuery tables with row-level access policies. They need to ensure that data is automatically de-identified when exported to Cloud Storage for analytics. What is the most scalable solution with minimal manual intervention?

A. Set up VPC Service Controls to prevent data exfiltration and rely on access controls.
B. Create a scheduled query in BigQuery that exports data using a view with de-identification functions.
C. Use Cloud DLP API to scan and de-identify the export file after it is written to Cloud Storage.
D. Use BigQuery data masking to define de-identification policies, then export the masked data directly.
Answer: D

Dynamic data masking applies policies at query time, automatically de-identifying exports.

Why this answer

Option D is correct because BigQuery data masking allows you to define column-level de-identification policies that are applied automatically at query time. When you export the masked data directly using an export job, the de-identification is enforced without additional scripting or post-processing, making it the most scalable and low-maintenance solution for PHI protection.

Exam trap

Google Cloud often tests the distinction between access control (VPC Service Controls) and data de-identification, leading candidates to choose network-level solutions (Option A) when the requirement is specifically about transforming the data content.

How to eliminate wrong answers

Option A is wrong because VPC Service Controls prevent data exfiltration at the network perimeter but do not de-identify the data itself; the exported PHI would remain fully readable. Option B is wrong because scheduled queries that export via a view with de-identification functions require manual creation and maintenance of the view and the schedule, and the de-identification logic must be re-applied if the schema changes, increasing operational overhead. Option C is wrong because scanning and de-identifying the file after it is written to Cloud Storage introduces a window where raw PHI exists in the bucket, and it requires an additional DLP job that must be triggered and managed, reducing scalability and increasing latency.

15
MCQ · hard

A company uses Cloud KMS to protect encryption keys for various applications. They need to ensure that keys are automatically rotated every 90 days and that the rotation does not require re-encrypting all data. Which key type and rotation strategy should they use?

A. Use a symmetric key with automatic rotation period set to 90 days.
B. Use an asymmetric key and set the rotation period to 90 days.
C. Use an asymmetric key and manually create a new version every 90 days.
D. Use a symmetric key and manually create a new version every 90 days.
Answer: A

Symmetric keys support automatic rotation, and old versions remain for decryption.

Why this answer

Symmetric keys are used for encryption/decryption of data at rest, and Cloud KMS supports automatic key rotation by creating a new key version at a specified interval (e.g., 90 days). Because Cloud KMS uses key versions and the key material is never exposed, existing ciphertext remains decryptable using the old key version, so no re-encryption is required. This meets the requirement for automatic rotation without data re-encryption.

Exam trap

Google Cloud often tests the misconception that automatic rotation requires re-encrypting data, or that asymmetric keys are suitable for bulk encryption, leading candidates to choose manual rotation or asymmetric key options.

How to eliminate wrong answers

Option B is wrong because asymmetric keys are typically used for digital signatures or key exchange, not for bulk data encryption, and automatic rotation of asymmetric keys would require re-encrypting data or re-signing. Option C is wrong because manual creation of a new version every 90 days does not satisfy the requirement for automatic rotation, and asymmetric keys still do not avoid re-encryption for data encryption use cases. Option D is wrong because manual creation of a new version every 90 days is not automatic rotation; the requirement explicitly states 'automatically rotated'.

16
MCQ · easy

A financial institution wants to encrypt data in Cloud Storage using keys that they rotate monthly through Cloud KMS. Which key management option should they use?

A. Customer-Managed Encryption Keys (CMEK)
B. Google-managed encryption keys
C. Default encryption at rest
D. Customer-Supplied Encryption Keys (CSEK)
Answer: A

CMEK allows full control via Cloud KMS, including rotation.

Why this answer

Option A is correct: CMEK allows customers to manage and rotate keys in Cloud KMS. Option B (CSEK) requires customer-supplied keys per request and does not support rotation. Option C (Google-managed) does not allow customer rotation.

Option D (default) is Google-managed.

17
MCQ · easy

An organization uses Cloud DLP to inspect BigQuery tables for sensitive data. They want to automatically remove credit card numbers before the data is accessed by analysts but still allow the raw data for auditing purposes. Which DLP technique should they use?

A. De-identification transform with masking
B. Re-identification transform with tokenization
C. De-identification transform with redact
D. De-identification transform with replacement
Answer: C

Redact completely removes the sensitive data from the output.

Why this answer

Option C is correct because the 'De-identification transform with redact' completely removes sensitive data (like credit card numbers) from the output, ensuring analysts never see the raw values while the original data remains intact in the source BigQuery table for auditing. This aligns with the requirement to automatically strip sensitive content before access, without altering the stored data.

Exam trap

Google Cloud often tests the distinction between 'redact' (complete removal) and 'masking' or 'replacement' (partial or substituted data), trapping candidates who confuse removal with obfuscation or who incorrectly think tokenization is a re-identification technique.

How to eliminate wrong answers

Option A is wrong because masking (e.g., showing only the last four digits) still exposes partial sensitive data, which violates the requirement to remove credit card numbers entirely from analyst access. Option B is wrong because re-identification transforms are not a DLP technique; tokenization is a de-identification method that replaces sensitive data with a token, but the question demands removal, not reversible replacement, and 're-identification' implies restoring the original, which is the opposite of the goal. Option D is wrong because replacement (e.g., substituting with a static value like 'REDACTED') still leaves a placeholder that could be confused with real data or inadvertently expose patterns, whereas redact completely omits the field or value, providing stricter removal.

18
MCQ · medium

A company uses Cloud Functions to process employee data and wants to ensure that personally identifiable information (PII) is redacted from log output. Which approach should they take?

A. Use Cloud Audit Logs to capture all access and redact at analysis.
B. Use Cloud DLP API to inspect and redact the log message before writing to Cloud Logging.
C. Create a Logging sink with an exclusion filter to drop logs containing PII.
D. Enable VPC Service Controls to prevent PII from leaving the VPC.
Answer: B

DLP can de-identify text in application logic.

Why this answer

Option B is correct because the Cloud DLP API can be integrated directly into a Cloud Function to inspect and redact PII from log messages before they are written to Cloud Logging. This ensures that sensitive data never appears in the logs, which is the most secure approach. Using Cloud DLP at the point of log generation prevents any exposure, rather than relying on post-hoc analysis or filtering.

Exam trap

Google Cloud often tests the distinction between reactive filtering (exclusion sinks) and proactive redaction (DLP API), and the trap here is that candidates mistakenly believe a Logging sink can redact data when it can only drop entire log entries, not modify their content.

How to eliminate wrong answers

Option A is wrong because Cloud Audit Logs capture access events but do not provide a mechanism to redact PII from the log output; redaction would require a separate analysis step, which does not prevent PII from being stored in logs. Option C is wrong because a Logging sink with an exclusion filter drops entire log entries containing PII, but this is a reactive approach that still allows PII to be written to Cloud Logging before the filter is applied, and it may also drop legitimate logs that happen to contain PII. Option D is wrong because VPC Service Controls control data exfiltration at the network perimeter but do not inspect or redact log content; they cannot prevent PII from appearing in logs generated within the VPC.

19
MCQ · hard

A large enterprise runs analytics workloads on BigQuery containing sensitive financial data. They have implemented VPC Service Controls (VPC SC) to create a perimeter around the BigQuery dataset, allowing access only from a specific VPC network. Despite this, security auditors discovered that data was accessed from an IP address outside the perimeter. After investigation, they found the access originated from a user's personal laptop using the Google Cloud Console. The company's security policy requires that sensitive data can only be accessed from corporate-managed devices. What should they do to prevent this type of access?

A. Enable Cloud Data Loss Prevention (DLP) to automatically redact sensitive data before it is displayed in the console.
B. Reconfigure the VPC Service perimeter to use a more restrictive set of allowed IP ranges.
C. Activate Access Transparency logs and create a log-based alert to notify security of anomalous access.
D. Add a context-aware access level to the VPC Service perimeter that requires a corporate device policy (e.g., OS version, disk encryption).
Answer: D

This enforces device trust, blocking access from non-corporate devices while still respecting the VPC SC perimeter.

Why this answer

Option D is correct because VPC Service Controls can integrate with Access Context Manager to enforce context-aware access levels. By adding a level that requires a corporate device policy (e.g., verified OS version, disk encryption status), access from unmanaged personal laptops is blocked at the perimeter boundary, even if the user is authenticated. This directly addresses the security policy requirement that sensitive data must only be accessible from corporate-managed devices.

Exam trap

The trap here is that candidates confuse logging/monitoring (Option C) or data masking (Option A) with preventive access control, or they assume IP-based restrictions (Option B) are sufficient when the real requirement is device identity enforcement.

How to eliminate wrong answers

Option A is wrong because Cloud DLP redacts or masks sensitive data in the dataset itself, but it does not prevent access from unauthorized devices or IPs; the data is still accessible from the personal laptop, just with redacted content, which violates the security policy. Option B is wrong because reconfiguring the VPC Service perimeter to use a more restrictive set of allowed IP ranges would not block access from a personal laptop if the laptop is using a corporate VPN or if the user is accessing via the Google Cloud Console from an IP that falls within the allowed range; the issue is device identity, not IP address. Option C is wrong because Access Transparency logs and log-based alerts only provide visibility into access events after they occur; they do not prevent the access from happening in the first place, which is the requirement.

20
MCQ · medium

A company uses BigQuery to store analytics data. They need to restrict access to specific rows based on the user's department. What should they implement?

A. Column-level security
B. Row-level security using authorized views
C. Data Catalog tags
D. IAM conditions on BigQuery datasets
Answer: B

Authorized views can include row-level filters, such as filtering by the user's department.

Why this answer

Authorized views in BigQuery can filter rows based on the user's identity or other context. Column-level security is for columns, not rows. IAM conditions cannot restrict rows.

Data Catalog is for metadata.

21
MCQ · hard

A company has a Cloud Storage bucket containing sensitive data. They want to ensure that only users with specific IAM roles can access the bucket, and that access is logged for audit purposes. They also want to prevent public access. Which configuration steps should they take?

A. Use IAM roles only and enable Cloud Audit Logs, but keep ACLs enabled.
B. Use VPC Service Controls and enable Cloud Audit Logs.
C. Enable uniform bucket-level access, set IAM policies, and enable Cloud Audit Logs.
D. Enable fine-grained access using ACLs and enable Cloud Audit Logs.
Answer: C

Uniform bucket-level access disables ACLs and relies solely on IAM, and audit logs track access.

Why this answer

Option C is correct because enabling uniform bucket-level access disables ACLs, forcing all access decisions to be made by IAM policies alone, which simplifies permission management and prevents public access. Setting IAM policies ensures only users with specific roles can access the bucket, and enabling Cloud Audit Logs captures all access requests for audit purposes. This combination meets all requirements: no public access, role-based access control, and logging.

Exam trap

Google Cloud often tests the misconception that ACLs are still needed for granular control, but uniform bucket-level access combined with IAM is the modern, secure approach that prevents public access and simplifies auditing.

How to eliminate wrong answers

Option A is wrong because keeping ACLs enabled alongside IAM roles can allow public access if ACLs grant allUsers or allAuthenticatedUsers permissions, and ACLs can override IAM policies, creating a security gap. Option B is wrong because VPC Service Controls restrict data exfiltration and access based on VPC context but do not directly control bucket-level IAM permissions or prevent public access via ACLs; they are a perimeter security control, not a substitute for IAM and uniform access. Option D is wrong because fine-grained ACLs can inadvertently allow public access (e.g., via allUsers) and are harder to audit consistently; uniform bucket-level access is the recommended approach for sensitive data.

22
MCQ · easy

Refer to the exhibit. A security engineer runs the following command to check encryption settings on a Cloud Storage bucket. What does the output indicate about encryption?

A. The bucket uses customer-supplied encryption keys (CSEK).
B. The bucket has no default encryption.
C. The bucket uses Google-managed encryption keys.
D. The bucket uses a customer-managed encryption key (CMEK).
Answer: D

The key path shows a CMEK key.

Why this answer

The output shows `default_kms_key_name` is set to a Cloud KMS key resource name (e.g., `projects/<project>/locations/<location>/keyRings/<keyring>/cryptoKeys/<key>`), which indicates the bucket uses a customer-managed encryption key (CMEK). CMEK allows you to control and manage the key via Cloud KMS, while Google manages the underlying encryption operations.

Exam trap

Google Cloud often tests the distinction between default encryption (CMEK or GMEK) and per-object encryption (CSEK), trapping candidates who confuse a configured default KMS key with the absence of encryption or with customer-supplied keys.

How to eliminate wrong answers

Option A is wrong because customer-supplied encryption keys (CSEK) are provided per-object in the request header, not configured as a default on the bucket; the output shows a default KMS key, not per-object key supply. Option B is wrong because the presence of `default_kms_key_name` explicitly indicates a default encryption configuration is set, not absent. Option C is wrong because Google-managed encryption keys (GMEK) are the default when no `default_kms_key_name` is specified; the output shows a KMS key name, meaning the bucket is not using GMEK.

23
Multi-Select · hard

Which three actions help protect Cloud KMS key material? (Choose three.)

Select 3 answers
A. Store the key in an HSM cluster.
B. Use VPC Service Controls to restrict access to the key.
C. Assign the Cloud KMS Admin role to all developers.
D. Enable automatic key rotation.
E. Enable Cloud Audit Logs for key operations.
Answers: B, D, E

VPC SC prevents data exfiltration and restricts access to the key.

Why this answer

B is correct because VPC Service Controls create a security perimeter around Cloud KMS resources, preventing data exfiltration by restricting access to the key material from unauthorized networks or projects. This helps protect the key material even if an attacker gains credentials to the key, as the request must originate from within the allowed VPC scope.

Exam trap

Google Cloud often tests the misconception that hardware security modules (HSMs) alone provide complete protection for key material, but the trap here is that HSMs secure key storage, not access control or perimeter security, which are addressed by VPC Service Controls and audit logging.

24
MCQ · medium

A company runs a containerized application on Google Kubernetes Engine (GKE) that reads from a Cloud Storage bucket encrypted with a customer-managed key (CMEK) in Cloud KMS. The application uses a dedicated Google service account with the roles/storage.objectViewer role and a Cloud KMS CryptoKey Decrypter binding on the key. After a scheduled key rotation, the application started receiving '403 Access Denied' errors when accessing objects. The Cloud KMS key has multiple versions. The service account's IAM permissions have not changed. What is the most likely cause and the appropriate fix?

A. In Cloud KMS, enable the new key version and ensure it is set as primary.
B. Create a new key ring and migrate the service account to use a new key.
C. Disable the old key version and re-encrypt all objects with the new key version.
D. Ensure the service account has the 'Cloud KMS CryptoKey Decrypter' role on the key, which applies to all key versions, including the old version used for encryption.
Answer: D

The role on the key grants access to all versions; if it was previously granted only on a specific version, the old version may have lost access during rotation.

Why this answer

The correct answer is D. In Cloud KMS, IAM permissions are evaluated at the key level, not per key version. When a key is rotated, the new primary version is automatically enabled, but the old version remains active for decrypting data encrypted with it.

The service account already has the 'Cloud KMS CryptoKey Decrypter' role on the key, which grants permission to decrypt with any version of that key. The 403 error likely occurred because the application's client library or configuration was explicitly referencing the old key version ID, which may have been disabled or is no longer primary, but the IAM binding on the key itself is sufficient. The fix is to ensure the service account has the role on the key (which it does) and that the application uses the key resource name (not a specific version) to allow automatic use of the correct version.

Exam trap

Google Cloud often tests the misconception that key rotation requires updating IAM permissions or that old key versions become unusable, when in fact IAM bindings on the key cover all versions and old versions remain active for decryption unless explicitly disabled.

How to eliminate wrong answers

Option A is wrong because enabling a new key version and setting it as primary does not fix a permission issue; the new version is already enabled by default upon rotation, and the problem is not about version availability but about how the application references the key. Option B is wrong because creating a new key ring and migrating the service account is unnecessary and disruptive; the existing key ring and key are still valid, and the service account's permissions on the key are unchanged. Option C is wrong because disabling the old key version would break decryption of objects still encrypted with that version, and re-encrypting all objects is an extreme, unnecessary step that does not address the root cause of the 403 error, which is a permission or configuration issue, not a key version mismatch.

25
Multi-Select · hard

An organization wants to ensure that only compute instances in a specific VPC can access a Cloud Storage bucket. They also want to prevent the bucket data from being downloaded to an external IP. Which TWO services should they combine? (Choose TWO.)

Select 2 answers
A. IAM conditions restricting access by VPC network
B. Cloud NAT
C. Cloud VPN
D. Private Google Access
E. VPC Service Controls
Answers: A, E

IAM conditions can use the `request.network` attribute to allow access only from a specific VPC network.

Why this answer

IAM conditions allow you to restrict access to a Cloud Storage bucket based on the requester's VPC network, ensuring only compute instances in that specific VPC can access the bucket. VPC Service Controls create a security perimeter around the bucket, preventing data exfiltration to external IPs by blocking unauthorized network paths. Together, they enforce both network-level access restriction and data download prevention.

Exam trap

Google Cloud often tests the misconception that Private Google Access alone can restrict access to a specific VPC, but it only enables connectivity without any access control or exfiltration prevention.

26
MCQ · medium

A company uses VPC Service Controls to protect data in BigQuery and Cloud Storage. They need to allow a third-party application running outside the service perimeter to query BigQuery datasets within the perimeter. What should they configure?

A. Use Private Google Access with a VPC network to allow the third party.
B. Grant the third-party project access to the perimeter via an access level.
C. Create a service perimeter bridge between the third-party project and the protected project.
D. Set up a VPC peering connection between the third-party VPC and the VPC hosting the resources.
Answer: B

Access levels can be used to allow ingress from external identities or IPs.

Why this answer

Option B is correct because VPC Service Controls use access levels to define which client identities, IP addresses, or device characteristics are allowed to access protected resources from outside the service perimeter. By configuring an access level that includes the third-party application's project or IP range, the company can grant explicit, policy-based access to BigQuery datasets without removing the perimeter's data exfiltration protections.

Exam trap

The trap here is that candidates confuse VPC peering or Private Google Access with VPC Service Controls, assuming network-level connectivity is sufficient to bypass API-level perimeter enforcement, when in fact only access levels or perimeter membership can grant external access.

How to eliminate wrong answers

Option A is wrong because Private Google Access enables on-premises or VM instances to reach Google APIs via internal IPs, but it does not bypass VPC Service Controls; the third-party application still needs an access level to be allowed through the perimeter. Option C is wrong because a service perimeter bridge connects two perimeters to allow controlled resource sharing between them, but the third-party application is outside any perimeter, so a bridge does not apply. Option D is wrong because VPC peering connects two VPC networks for private IP communication, but it does not grant access to BigQuery datasets protected by VPC Service Controls, which operate at the API layer and require access levels or perimeter membership.

27
MCQ · easy

A security engineer needs to audit all attempts to access a Cloud Storage bucket, including successful and failed attempts. Which logging option should they enable?

A. Cloud Audit Logs with Data Access
B. Cloud Audit Logs with Admin Read
C. Cloud Monitoring with uptime checks
D. VPC Flow Logs
Answer: A

Data Access logs record all read and write operations on objects, including successful and failed attempts.

Why this answer

Cloud Audit Logs with Data Access logs capture read/write operations on data. Admin Read logs only record configuration changes, not data access. Cloud Monitoring is for metrics, not logs.

VPC Flow Logs are for network traffic, not object-level access.

28
MCQ · hard

A company uses Cloud Storage with CMEK. The Cloud KMS key is disabled accidentally by an administrator. What will happen to existing objects encrypted with that key?

A. Objects are automatically re-encrypted with Google-managed keys.
B. Objects become inaccessible immediately.
C. Objects remain accessible until the key is destroyed.
D. Objects become inaccessible after a 24-hour grace period.
Answer: B

Disabling the key immediately prevents decryption of any object encrypted with that key.

Why this answer

When a Cloud KMS key used for CMEK is disabled, Cloud Storage immediately loses the ability to decrypt the encrypted object data and its associated metadata. Without the key, the service cannot serve the object, making it inaccessible for read, write, or delete operations until the key is re-enabled. This is because CMEK objects are encrypted at rest using the customer-managed key, and Cloud Storage does not maintain a cached copy of the key material.

Exam trap

Google Cloud often tests the misconception that disabling a CMEK key has a grace period or that Google will automatically fall back to Google-managed keys, but the correct behavior is immediate inaccessibility with no automatic recovery or re-encryption.

How to eliminate wrong answers

Option A is wrong because Cloud Storage does not automatically re-encrypt CMEK objects with Google-managed keys when the CMEK key is disabled; re-encryption would require explicit action and a new key version. Option C is wrong because objects remain accessible only as long as the key is enabled; disabling the key immediately blocks access, not just when the key is destroyed. Option D is wrong because there is no 24-hour grace period; access is revoked immediately upon key disablement, as the key is required for decryption on every request.

29
Multi-Select · easy

Which two Cloud Storage encryption options allow the customer to supply or manage the encryption keys? (Choose two.)

Select 2 answers
A. Default encryption at rest
B. Google-managed encryption keys
C. Cloud HSM keys
D. Customer-Supplied Encryption Keys (CSEK)
E. Customer-Managed Encryption Keys (CMEK)
Answers: D, E

The customer supplies the key material directly.

Why this answer

Customer-Supplied Encryption Keys (CSEK) allow you to supply your own encryption keys for protecting data at rest in Cloud Storage. With CSEK, you provide the key material for each API call, and Google does not store the key on its servers. This option is correct because the customer directly supplies the encryption key.

Exam trap

Google Cloud often tests the distinction between 'supplying' the key (CSEK) versus 'managing' a key that Google generates (CMEK), causing candidates to mistakenly think Cloud HSM keys (which are a CMEK implementation) count as customer-supplied.

30
MCQ · easy

Refer to the exhibit. A security engineer sees this configuration for a Cloud Storage bucket. What does this indicate about the encryption of objects in this bucket?

A. Objects are encrypted with Google-managed keys, and the key name is the default.
B. Objects are encrypted with a customer-supplied key (CSEK).
C. Objects are encrypted with an external key from an on-premises HSM.
D. Objects are encrypted with a customer-managed key (CMEK) from Cloud KMS.
Answer: D

The `defaultKmsKeyName` field indicates CMEK.

Why this answer

Option D is correct because the exhibit shows `kmsKeyName` set to a Cloud KMS key resource name (e.g., `projects/PROJECT_ID/locations/LOCATION/keyRings/KEY_RING/cryptoKeys/KEY_NAME`). This indicates the bucket is configured with a customer-managed encryption key (CMEK) from Cloud Key Management Service (Cloud KMS), meaning Google uses the specified key to encrypt/decrypt objects, and the customer controls key rotation and access via IAM.

Exam trap

Google Cloud often tests the distinction between CMEK (persistent key reference in bucket config) and CSEK (per-request key, no stored reference), so candidates mistakenly pick CSEK when they see any mention of a custom key, ignoring that the `kmsKeyName` field is a persistent Cloud KMS resource identifier.

How to eliminate wrong answers

Option A is wrong because Google-managed keys are the default encryption (no `kmsKeyName` field is set), but the exhibit explicitly shows a `kmsKeyName` value, so it is not the default. Option B is wrong because customer-supplied encryption keys (CSEK) are provided per API call and are never stored or referenced by a persistent `kmsKeyName` in the bucket configuration; CSEK uses a different header (`x-goog-encryption-key`). Option C is wrong because external keys from an on-premises HSM are not directly supported by Cloud Storage; Cloud Storage only supports CMEK via Cloud KMS (which can use Cloud HSM as a key source, but the key is still managed in Cloud KMS, not an external on-premises HSM).

31
MCQ · medium

A financial services company uses Cloud Storage to store sensitive customer data. They want to encrypt this data at rest using customer-managed encryption keys (CMEK) and automate key rotation every 90 days. Which approach should they take?

A. Rely on Google-managed encryption keys (default Cloud Storage encryption) and enable key rotation logs for auditing.
B. Create a Cloud KMS key ring and a key with a rotation period of 90 days. Use the key as CMEK for the Cloud Storage bucket.
C. Configure Cloud External Key Manager (EKM) to manage the encryption key externally and have Cloud Storage use it via CMEK integration.
D. Use customer-supplied encryption keys (CSEK) and implement a custom Cloud Function to rotate keys every 90 days.
Answer: B

This uses Cloud KMS with automatic rotation, meeting the customer-managed and rotation requirements.

Why this answer

Option B is correct because Cloud KMS allows you to create a key ring and a key with a defined rotation period of 90 days, which can then be used as a customer-managed encryption key (CMEK) for a Cloud Storage bucket. This satisfies the requirement for customer-controlled key management and automated rotation without custom code.

Exam trap

Google Cloud often tests the distinction between CMEK (customer-managed keys in Cloud KMS with automated rotation) and CSEK (customer-supplied keys per request, no rotation support), leading candidates to mistakenly choose D for its perceived control without recognizing the operational overhead and lack of native rotation.

How to eliminate wrong answers

Option A is wrong because Google-managed encryption keys do not provide customer control over key rotation or auditing of key usage; they are fully managed by Google and cannot be rotated on a custom schedule. Option C is wrong because Cloud External Key Manager (EKM) is designed for keys managed outside Google Cloud, but the question specifies customer-managed keys within Google Cloud, and EKM does not support automated rotation via Cloud KMS policies. Option D is wrong because customer-supplied encryption keys (CSEK) require the customer to provide the key on every API call and do not support automated rotation; implementing a custom Cloud Function for rotation would be complex and error-prone, and CSEK is not integrated with Cloud KMS rotation schedules.

32
MCQ · easy

A company is using Cloud SQL for MySQL to store financial data. They need to ensure that all data is encrypted at rest and in transit. What should they do?

A. Use client-side encryption before storing data in Cloud SQL.
B. Enable encryption at rest by checking a box in the Cloud Console.
C. Enable CMEK on the Cloud SQL instance and configure SSL/TLS.
D. Use the default encryption provided by Cloud SQL and enforce SSL/TLS connections.
Answer: D

Cloud SQL encrypts data at rest by default and supports SSL/TLS for in-transit encryption.

Why this answer

Option D is correct because Cloud SQL for MySQL automatically encrypts data at rest using AES-256, with no additional configuration required. To protect data in transit, you must enforce SSL/TLS connections by configuring the instance to require SSL and downloading the server certificate for client connections. This combination satisfies both encryption requirements without unnecessary complexity.

Exam trap

Google Cloud often tests the misconception that encryption at rest requires manual enablement or CMEK, when in fact Cloud SQL encrypts all data at rest by default, and the key decision is whether to enforce SSL/TLS for data in transit.

How to eliminate wrong answers

Option A is wrong because client-side encryption is not necessary; Cloud SQL already provides encryption at rest, and client-side encryption would add unnecessary overhead and complexity without improving security. Option B is wrong because encryption at rest is enabled by default in Cloud SQL; there is no checkbox to enable it, and this option ignores the requirement for encryption in transit. Option C is wrong because CMEK (Customer-Managed Encryption Keys) is an optional feature for encryption at rest, not a requirement; the default encryption already meets the need, and while configuring SSL/TLS is correct, CMEK is not needed and adds key management overhead.

33
MCQ · easy

A company stores sensitive customer data in Cloud Storage. They want to ensure that only users with explicit IAM permissions can decrypt the data, and that Google does not have access to the encryption keys. Which encryption option should they use?

A. Customer-managed encryption keys (CMEK)
B. Google-managed encryption keys (GMEK)
C. Default encryption
D. Customer-supplied encryption keys (CSEK)
Answer: D

CSEK keys are not stored by Google; the customer supplies their own keys, and Google does not have access to them.

Why this answer

Customer-supplied encryption keys (CSEK) allow you to provide your own encryption keys, which are used to protect data at rest in Cloud Storage. Google does not store these keys on its servers; they are used only transiently during encryption/decryption operations and then discarded, ensuring that Google cannot access the keys or the decrypted data. This meets the requirement that only users with explicit IAM permissions can decrypt the data, as access to the CSEK must be granted through IAM roles like Storage Object Viewer with the CSEK key.

Exam trap

Google Cloud often tests the distinction between CMEK and CSEK, where candidates confuse 'customer-managed' (CMEK, stored in KMS) with 'customer-supplied' (CSEK, not stored by Google), leading them to incorrectly choose CMEK when the requirement is that Google has no access to the keys.

How to eliminate wrong answers

Option A is wrong because Customer-managed encryption keys (CMEK) are stored and managed in Cloud Key Management Service (KMS), and while you control the key, Google still has access to the key material in KMS, so Google could theoretically decrypt the data. Option B is wrong because Google-managed encryption keys (GMEK) are fully managed by Google, meaning Google has access to the keys and can decrypt the data at any time. Option C is wrong because Default encryption uses Google-managed keys (GMEK) by default, so Google has access to the encryption keys and can decrypt the data.

34
Multi-Select · medium

Which TWO options are required to use Cloud DLP to successfully inspect data in a Cloud Storage bucket?

Select 2 answers
A. A service account with roles/storage.objectViewer to read the bucket.
B. A Cloud Function to send each file to the DLP API.
C. The bucket must be in the same project as the DLP job.
D. A Pub/Sub topic to receive inspection results.
E. The bucket must contain only text-based files (e.g., CSV, JSON).
Answers: A, E

DLP needs permission to access the objects.

Why this answer

Option A is correct because Cloud DLP requires read access to the Cloud Storage bucket to inspect objects. The service account used by the DLP job must have the roles/storage.objectViewer IAM role, which grants permission to list and read objects without needing to download them. This ensures the DLP API can access the data for content inspection.

Exam trap

Google Cloud often tests the misconception that Cloud DLP requires additional infrastructure like Cloud Functions or Pub/Sub to inspect Cloud Storage, when in fact DLP can directly access buckets with the correct IAM permissions.

35
MCQ · easy

A developer accidentally committed a file containing a service account key to a public GitHub repository. Which action should be taken immediately to invalidate the compromised key?

A. Disable the service account key using IAM.
B. Delete the service account and create a new one.
C. Use Cloud DLP to find and redact the key.
D. Rotate the key using Cloud KMS.
Answer: A

Disabling the key immediately renders it unusable.

Why this answer

Option A is correct because immediately disabling the service account key using IAM (Identity and Access Management) is the fastest way to revoke the compromised credential's access to Google Cloud resources. Disabling the key prevents any further use of that key for authentication, even if it is still present in the public repository. This action does not affect other keys or the service account itself, allowing the developer to later rotate or delete the key without disrupting existing workloads.

Exam trap

Google Cloud often tests the distinction between 'disabling' a key (immediate revocation without side effects) and 'deleting' the service account (overly destructive), and candidates may confuse Cloud KMS (for encryption keys) with IAM (for service account keys).

How to eliminate wrong answers

Option B is wrong because deleting the entire service account would disrupt all workloads and resources that depend on that service account, including other valid keys and IAM bindings, which is an unnecessarily destructive action. Option C is wrong because Cloud DLP is a data loss prevention service used for inspecting and redacting sensitive data in content, but it cannot invalidate or revoke a key that has already been exposed; it only helps find and mask the key in the repository, not stop its use. Option D is wrong because Cloud KMS (Key Management Service) is used for managing encryption keys, not service account keys; rotating a key in Cloud KMS has no effect on a service account's JSON key file, which is a different type of credential.

36
MCQ · hard

A security team has a Cloud KMS key used for encrypting Cloud Storage objects. They need to ensure that when the key is rotated, old data remains decryptable without manual re-encryption. They also want to minimize the number of key versions. Which approach should they take?

A. Use automatic rotation and disable previous key versions after 30 days.
B. Use automatic rotation and keep one previous key version indefinitely.
C. Use manual rotation and delete old key versions after confirmation that all data has been re-encrypted.
D. Use a symmetric key with purpose SYMMETRIC_ENCRYPT_DECRYPT and set the rotation period to 0 (never).
Answer: B

This ensures old data remains decryptable and minimizes versions.

Why this answer

Option B is correct because Cloud KMS supports automatic key rotation while retaining previous key versions indefinitely. When a key is rotated, new data is encrypted with the latest version, but old data remains decryptable using the previous key version that is kept. This satisfies the requirement of minimizing manual intervention and key version count, as only one previous version is retained.

Exam trap

Google Cloud often tests the misconception that disabling or deleting old key versions is necessary for security, but the correct approach is to retain previous versions to ensure old data remains decryptable without manual re-encryption.

How to eliminate wrong answers

Option A is wrong because disabling previous key versions after 30 days would render old data undecryptable unless it has been re-encrypted, which contradicts the requirement to avoid manual re-encryption. Option C is wrong because manual rotation and deleting old key versions after re-encryption requires manual effort and does not minimize key versions; it also risks data loss if re-encryption is incomplete. Option D is wrong because setting a rotation period to 0 (never) means the key is never rotated, which fails the requirement to rotate keys and does not provide a mechanism to keep old data decryptable after rotation.

37
MCQ · hard

A security engineer needs to configure Cloud KMS key rotation so that existing ciphertext can still be decrypted with old key versions, but new encryption uses the latest version. Which key management practice meets this requirement?

A. Set a rotation period on the key; Cloud KMS automatically creates new versions while old versions remain available for decryption.
B. Use a single key and manually update its material every 90 days.
C. Create a new key version manually and disable the previous version after a grace period.
D. Create a new key every rotation and delete the old key after confirming re-encryption.
Answer: A

Cloud KMS key rotation creates new versions; old versions stay enabled for decryption.

Why this answer

Option A is correct because Cloud KMS supports key rotation by creating new key versions while retaining all previous versions. When you set a rotation period, Cloud KMS automatically generates a new version at the specified interval, and the key's primary version (used for new encryption) is updated. Old key versions remain enabled and available for decryption of existing ciphertext, ensuring that data encrypted with older versions can still be decrypted without manual intervention.

Exam trap

Google Cloud often tests the misconception that key rotation requires manual management or that old key versions must be disabled or deleted to enforce security, but the correct practice is to retain old versions for decryption while using the latest version for new encryption.

How to eliminate wrong answers

Option B is wrong because manually updating the key material every 90 days does not create separate key versions; it replaces the existing key material, which would break the ability to decrypt ciphertext encrypted with the previous material. Option C is wrong because disabling the previous key version after a grace period would prevent decryption of any ciphertext encrypted with that version, violating the requirement that old ciphertext remains decryptable. Option D is wrong because deleting the old key after re-encryption is not a rotation practice; it requires manual re-encryption of all data and introduces risk of data loss if re-encryption is incomplete, and it does not leverage Cloud KMS's built-in versioning for seamless decryption of old ciphertext.

38
MCQ · medium

Refer to the exhibit. A security engineer runs this command to check bucket permissions. What is the most significant security issue?

A. The domain example.com has viewer access, which may be too broad.
B. The legacy role 'roles/storage.legacyBucketReader' is used.
C. The bucket allows public read access via 'allUsers' in both ACL and legacy role.
D. Uniform bucket-level access is disabled, allowing ACLs.
Answer: C

AllUsers gives access to anyone on the internet.

Why this answer

Option C is correct because the command output shows that the bucket has both an ACL granting 'allUsers' READER access and a legacy bucket role 'roles/storage.legacyBucketReader' assigned to 'allUsers'. This means the bucket is publicly readable via two independent mechanisms, which is the most significant security issue as it exposes all objects to the internet without authentication.

Exam trap

Google Cloud often tests the distinction between a legacy role being used (which is not inherently insecure) versus that role being granted to 'allUsers' (which creates public access), causing candidates to incorrectly select Option B because they focus on the role name rather than the principal it is assigned to.

How to eliminate wrong answers

Option A is wrong because the domain example.com having viewer access is not inherently a security issue; it is a specific domain restriction that limits access to authenticated users from that domain, which is more restrictive than public access. Option B is wrong because the legacy role 'roles/storage.legacyBucketReader' is not a security issue by itself; it is a valid role that provides read access to bucket metadata, and the problem is that it is granted to 'allUsers', not the role's existence. Option D is wrong because uniform bucket-level access being disabled is a configuration choice that allows ACLs, but it is not the most significant security issue; the actual exposure comes from the combination of public ACL and public legacy role assignment.

39
Multi-Select · hard

Which THREE are best practices for managing encryption keys in Google Cloud?

Select 3 answers
A. Enable automatic rotation for keys that are used for encryption.
B. Use key versions and disable old versions instead of deleting them.
C. Use IAM conditions to restrict key usage based on caller IP or time.
D. Import key material from on-premises HSMs to avoid vendor lock-in.
E. Automatically delete old key versions once they expire.
Answers: A, B, C

Rotation limits the amount of data encrypted with a single key.

Why this answer

Option A is correct because Cloud KMS supports automatic key rotation, which reduces the risk of key compromise by ensuring that encryption keys are periodically replaced without manual intervention. Automatic rotation creates new key versions at a specified interval (e.g., every 90 days) and automatically uses the latest version for encryption, while decryption can still use older versions. This aligns with the security best practice of limiting the amount of data encrypted under a single key version.

Exam trap

Google Cloud often tests the misconception that deleting old key versions is a security best practice, when in fact it destroys the ability to decrypt legacy data, and they also test the false assumption that importing keys from on-premises HSMs reduces vendor lock-in, when it actually ties you more tightly to the cloud provider's key management APIs.

40
Multi-Select · medium

Which THREE of the following are best practices for using Cloud DLP to protect sensitive data in BigQuery?

Select 3 answers
A. Use inspection jobs to scan tables and identify sensitive data.
B. Store transformed data in a separate dataset with stricter access controls.
C. Use DLP to classify data and then apply access controls based on data classification.
D. Automatically apply deidentification transformations to sensitive columns.
E. Encrypt the entire BigQuery table using CMEK.
Answers: A, C, D

Inspecting data is a foundational step for data protection.

Why this answer

Option A is correct because Cloud DLP inspection jobs can scan BigQuery tables to identify sensitive data types (e.g., PII, credit card numbers) using built-in infoTypes. This is a foundational step before applying any deidentification or access control measures, as it allows you to discover where sensitive data resides.

Exam trap

Google Cloud often tests the distinction between data discovery/inspection (DLP) and data protection mechanisms like encryption (CMEK) or access control (IAM), leading candidates to confuse complementary security controls with DLP-specific best practices.

41
MCQ · medium

A security engineer needs to encrypt data at rest in Cloud Storage using a key that is not managed by Google Cloud. The key must be stored on-premises and provided with each API call for data access. Which encryption approach should be used?

A. Use customer-managed encryption keys (CMEK) with key material imported from an on-premises HSM.
B. Use Cloud KMS with a key stored in an on-premises HSM via Cloud External Key Manager.
C. Use Google-managed encryption keys with an organizational policy to disable automatic encryption.
D. Use customer-supplied encryption keys (CSEK) by providing the key in the request headers.
Answer: D

CSEK allows you to provide your own key with each API call, keeping the key on-premises.

Why this answer

Customer-supplied encryption keys (CSEK) allow you to provide your own AES-256 key with each API call to Cloud Storage. The key is not stored by Google Cloud; it is used only in memory to encrypt/decrypt data and then discarded, meeting the requirement of on-premises key storage and per-API-call key provision.

Exam trap

Google Cloud often tests the distinction between CMEK (key material managed in Cloud KMS) and CSEK (key provided per request), and the trap here is that candidates confuse 'customer-managed' with 'customer-supplied,' assuming CMEK satisfies the 'provided with each API call' requirement when it does not.

How to eliminate wrong answers

Option A is wrong because CMEK with imported key material still stores the key metadata and encrypts the key within Google Cloud KMS, meaning Google manages the key lifecycle and the key is not provided with each API call. Option B is wrong because Cloud External Key Manager (Cloud EKM) uses an external key management service accessible via a network endpoint, but the key is not provided with each API call; instead, Cloud KMS interacts with the external service on your behalf, and the key is not stored solely on-premises. Option C is wrong because Google-managed encryption keys are fully managed by Google Cloud and cannot be disabled via organizational policy; automatic encryption is always enabled, and you cannot supply your own key per API call.

42
MCQ · hard

A company needs to meet a regulatory requirement that cryptographic keys for data at rest in Google Cloud must be managed in an on-premises HSM and never leave the HSM. Google Cloud services should be able to use those keys for encryption/decryption. Which solution should they implement?

A. Use Cloud HSM to protect keys imported from on-premises HSM.
B. Use Cloud External Key Manager (EKM) to connect to the on-premises HSM.
C. Use Cloud KMS with automatic key rotation and store key versions on-premises.
D. Use customer-supplied encryption keys (CSEK) for each service.
Answer: B

Cloud EKM enables Google Cloud services to use keys from an external HSM without the key leaving the HSM.

Why this answer

Cloud External Key Manager (EKM) allows you to use keys managed in a supported external key management system, such as an on-premises HSM, for Google Cloud services. The keys are used by Google Cloud for encryption and decryption but never leave the external HSM, satisfying the regulatory requirement that keys must remain on-premises.

Exam trap

Google Cloud often tests the distinction between key location (where the key material resides) and key usage (which service performs the crypto operation), leading candidates to choose Cloud HSM (Option A) because it sounds like a managed HSM, but it fails the 'keys never leave the HSM' requirement since the HSM is in Google Cloud, not on-premises.

How to eliminate wrong answers

Option A is wrong because Cloud HSM is a Google-managed HSM service; keys imported into Cloud HSM would be stored and managed within Google Cloud, not kept exclusively on-premises. Option C is wrong because Cloud KMS with automatic key rotation stores key versions within Google Cloud, not on-premises, and does not provide a mechanism to keep keys exclusively in an on-premises HSM. Option D is wrong because customer-supplied encryption keys (CSEK) are provided per service and are stored in Google Cloud for the duration of the operation, violating the requirement that keys never leave the on-premises HSM.

43
Multi-Select · hard

Which THREE steps are required to implement field-level encryption for sensitive columns in a Cloud SQL for PostgreSQL database using Cloud KMS? (Choose three.)

Select 3 answers
A. Create a symmetric encryption key in Cloud KMS.
B. Install the pgcrypto extension in the PostgreSQL database.
C. Configure a Cloud HSM key to generate the data encryption key.
D. Enable CMEK on the Cloud SQL instance.
E. Grant the Cloud SQL service account the 'Cloud KMS CryptoKey Encrypter/Decrypter' role.
Answers: A, B, E

The key is needed to encrypt/decrypt data at the field level.

Why this answer

Option A is correct because Cloud KMS symmetric encryption keys are used to encrypt data encryption keys (DEKs) that protect the column data. In field-level encryption, the application or database encrypts each column value using a DEK, which is then wrapped (encrypted) by a Cloud KMS key. This ensures the sensitive data is encrypted at the application layer, independent of the underlying storage encryption.

Exam trap

Google Cloud often tests the distinction between instance-level encryption (CMEK) and field-level encryption; the trap here is that candidates confuse CMEK (which encrypts the entire database at rest) with the need for a per-column encryption mechanism using pgcrypto and Cloud KMS.

44
MCQ · easy

A company runs a Cloud SQL for PostgreSQL instance that stores customer data. They must encrypt the database at rest using customer-managed encryption keys (CMEK) to meet regulatory requirements. The instance is currently using Google-managed encryption. What must they do to implement CMEK? The company wants to minimize downtime and avoid data loss.

A. Use the gcloud command to update the existing instance to use CMEK by specifying the key.
B. Create a new Cloud SQL instance with CMEK enabled, then export data from the old instance and import into the new one.
C. Configure Cloud External Key Manager (EKM) and attach it to the existing instance via a patch operation.
D. Implement client-side encryption in the application using a library like Tink and store the encrypted data in the existing database.
Answer: B

This meets the CMEK requirement by creating a new instance, and data migration via export/import ensures minimal data loss and manageable downtime.

Why this answer

Option B is correct because Cloud SQL does not support enabling CMEK on an existing instance; you must create a new instance with CMEK enabled at provisioning time. Exporting data from the old instance and importing it into the new one ensures the database is re-encrypted under the customer-managed key with minimal downtime and no data loss, as the export/import process preserves the data.

Exam trap

Google Cloud often tests the misconception that you can update an existing Cloud SQL instance to use CMEK via a gcloud command or API patch, when in reality CMEK must be configured at instance creation time.

How to eliminate wrong answers

Option A is wrong because the gcloud command cannot update an existing Cloud SQL instance to use CMEK; CMEK must be specified at instance creation time and cannot be added later via an update or patch operation. Option C is wrong because Cloud External Key Manager (EKM) is used for managing keys externally but does not enable CMEK on an existing instance; attaching EKM via a patch operation is not supported for changing encryption keys on a running Cloud SQL instance. Option D is wrong because client-side encryption with Tink would encrypt data before it reaches the database, which does not satisfy the requirement for database-at-rest encryption using CMEK; it also adds application complexity and does not leverage Cloud SQL's native encryption capabilities.

45
MCQ · medium

A healthcare startup is building a data pipeline on Google Cloud. They receive patient data via a REST API running on Cloud Run. The data includes sensitive health information that must be de-identified before being stored in BigQuery. They plan to use Cloud DLP to inspect and transform the data. However, due to latency requirements, they need to de-identify the data within 5 seconds of receiving the request. They have set up a Cloud DLP job to inspect the data synchronously using the DLP API. During testing, they notice that the de-identification sometimes takes over 10 seconds, causing API timeouts. They want to reduce the latency without compromising security. What should they do?

A. Use a Cloud Function to process the data and call the DLP API.
B. Use Cloud DLP with a content item size limit and stored infoTypes to reduce inspection time.
C. Instead of using Cloud DLP, use BigQuery column-level security with data masking.
D. Configure a Cloud DLP job to run asynchronously and store results in BigQuery, then modify the pipeline to read the de-identified data later.
Answer: B

Limiting content size and using pre-defined infoTypes speeds up synchronous inspection.

Why this answer

Option B is correct because Cloud DLP synchronous inspection latency is directly proportional to the content size and the number of infoTypes scanned. By limiting the content item size (e.g., to 1 MB) and using stored infoTypes (which are pre-compiled for faster matching), you reduce the inspection time significantly, enabling de-identification within the 5-second window without compromising security.

Exam trap

Google Cloud often tests the misconception that adding more compute resources (like Cloud Functions) or switching to asynchronous processing will solve latency issues, when the real bottleneck is the DLP inspection configuration itself.

How to eliminate wrong answers

Option A is wrong because introducing a Cloud Function adds an extra hop and cold-start latency, which does not address the root cause of DLP API slowness and may even increase overall latency. Option C is wrong because BigQuery column-level security with data masking only controls access at query time; it does not de-identify data before storage, leaving sensitive data exposed in the pipeline and violating the requirement to de-identify before storing. Option D is wrong because asynchronous DLP jobs are designed for batch processing and cannot meet the 5-second synchronous latency requirement; they introduce a delay that breaks the real-time pipeline.

46
MCQ · medium

Refer to the exhibit. A security engineer runs the following IAM policy command for a Cloud Storage bucket. What access do the bindings grant?

A. alice can view objects; example.com users can view objects; service account can admin objects.
B. alice and example.com domain can view; service account can admin; and the public can view because of domain.
C. alice and all users from example.com can view objects; the service account can admin all objects.
D. alice can view; example.com can view; service account can admin; but only if the bucket is public.
Answer: C

This correctly describes the bindings.

Why this answer

Option C is correct because the IAM policy bindings grant `roles/storage.objectViewer` to user `alice@example.com` and to all authenticated users from the `example.com` domain (via `domain:example.com`), and `roles/storage.objectAdmin` to a service account. The viewer role allows listing and reading objects, while the admin role allows full control over objects, including creation, deletion, and modification. There is no public access granted because the bindings do not include `allUsers` or `allAuthenticatedUsers`.

Exam trap

Google Cloud often tests the distinction between `domain:` and `allUsers` — candidates mistakenly think a domain grant makes the bucket public, but it only grants access to authenticated users from that specific domain.

How to eliminate wrong answers

Option A is wrong because it omits that `example.com` users are granted viewer access, not just `alice` and the service account; it also incorrectly implies the service account can only admin objects, which is correct but incomplete. Option B is wrong because it claims 'the public can view because of domain' — a domain grant (`domain:example.com`) only applies to authenticated users from that domain, not the general public. Option D is wrong because it adds a condition 'only if the bucket is public' — IAM policies on Cloud Storage buckets are independent of bucket-level public access settings; the bindings grant access regardless of whether the bucket is public.

47
Matching · medium

Match each access control mechanism to its description.


Concepts
Matches

Identity and Access Management for resource-level permissions

Constraints applied at the organization node

Service perimeters to prevent data exfiltration

Network-level allow/deny rules for VMs

Identity-Aware Proxy for application-level access

Why these pairings

These are different access control mechanisms in Google Cloud.

48
MCQ · medium

A financial institution uses Cloud KMS to manage encryption keys. They want to ensure that key material is never exported from the KMS service. Which key protection method should they use?

A. Cloud HSM
B. External key manager
C. HSM keys in Cloud KMS
D. Software keys in Cloud KMS
Answer: C

HSM keys are generated inside FIPS 140-2 Level 3 HSMs and key material never leaves the HSM.

Why this answer

Option C is correct because HSM keys in Cloud KMS are generated and stored within a FIPS 140-2 Level 3 certified hardware security module (HSM) that is physically and logically controlled by Google. The key material never leaves the HSM boundary; all cryptographic operations are performed inside the HSM, and export of the key material is prevented by design. This satisfies the requirement that key material is never exported from the KMS service.

Exam trap

Google Cloud often tests the misconception that Cloud HSM (the dedicated service) is the same as HSM keys in Cloud KMS, but Cloud HSM allows key export while HSM keys in Cloud KMS do not, making the distinction critical for this question.

How to eliminate wrong answers

Option A is wrong because Cloud HSM is a separate service that provides dedicated HSM appliances, but it does not inherently prevent key export; customers can generate and export keys from Cloud HSM if they choose. Option B is wrong because an external key manager (EKM) allows customers to bring their own key material from an external key management system, which necessarily involves exporting key material from the KMS service to the external system. Option D is wrong because software keys in Cloud KMS are stored as encrypted blobs in Google's key storage infrastructure, and while they are protected, the key material can be exported via the API (e.g., using the `cryptoKeyVersions.export` method) if the key is created with exportable material, which contradicts the requirement.

49
MCQ · easy

You want to encrypt data in Google Cloud Storage using a key that is managed and stored in a third-party key management system outside of Google Cloud. Which feature should you use?

A. Cloud External Key Manager (Cloud EKM)
B. Cloud HSM
C. Default encryption at rest
D. Customer-Supplied Encryption Keys (CSEK)
Answer: A

Cloud EKM integrates with external key management partners, keys never stored in Google.

Why this answer

Option A is correct: Cloud EKM allows you to use keys from an external key manager, keeping keys outside Google. Option D (CSEK) also uses external keys but is deprecated and less integrated. Option B (Cloud HSM) stores keys in Google. Option C (default encryption at rest) uses Google-managed keys.

50
MCQ · hard

A healthcare organization is designing a data pipeline that ingests patient health records into Cloud Storage, then processes them with Dataflow for analytics. They must ensure that data is encrypted at rest and in transit, and that only authorized users can access the raw data. They also need to guarantee that the encryption keys are stored outside of Google Cloud. Which solution meets all requirements?

A. Use default encryption and rely on Google's data residency commitments.
B. Use Cloud External Key Manager (Cloud EKM) with a partner key manager.
C. Use Customer-Supplied Encryption Keys (CSEK) for Cloud Storage and Dataflow.
D. Use Cloud HSM to generate and store keys.
Answer: B

Cloud EKM supports external keys and is integrated with Cloud Storage and Dataflow.

Why this answer

Cloud EKM allows you to manage encryption keys using a supported external key management partner, ensuring keys are stored outside Google Cloud. This meets the requirement for encryption at rest and in transit (Dataflow and Cloud Storage use these keys transparently) while keeping key material external to Google's infrastructure. Only authorized users can access raw data via IAM and the external key manager's access controls.

Exam trap

Google Cloud often tests the distinction between where keys are stored versus where they are managed: candidates confuse CSEK (keys stored in Google Cloud) with external key storage, or assume Cloud HSM keeps keys outside Google Cloud when it actually runs on Google's infrastructure.

How to eliminate wrong answers

Option A is wrong because default encryption uses Google-managed keys stored within Google Cloud, not outside it, and data residency commitments do not address key storage location. Option C is wrong because Customer-Supplied Encryption Keys (CSEK) are stored in Cloud Storage and managed by the customer but the key material is still stored within Google Cloud (the customer provides the key, but Google stores it in its own infrastructure). Option D is wrong because Cloud HSM generates and stores keys within Google Cloud's hardware security modules, not outside Google Cloud.

51
MCQ · medium

Refer to the exhibit. A security engineer is reviewing a Cloud KMS key. What can be concluded about this key?

A. This key is a customer-managed encryption key (CMEK) but is stored in software.
B. This key is stored in a Hardware Security Module (HSM) and cannot be exported.
C. This key is an external key managed via Cloud EKM.
D. This is a software key managed by Cloud KMS.
Answer: B

The HSM protection level means the key material resides in Cloud HSM and is non-exportable.

Why this answer

The exhibit shows a Cloud KMS key with the purpose 'symmetric encryption' and the protection level 'HSM'. Keys with HSM protection level are stored in a Hardware Security Module, which provides tamper-resistant hardware-based key storage. Additionally, the key is marked as 'Cannot be exported', meaning the key material never leaves the HSM boundary, ensuring it cannot be extracted or copied.

This matches the description of a key stored in an HSM that cannot be exported.

Exam trap

Google Cloud often tests the distinction between protection levels (software vs. HSM) and the concept of exportability, where candidates mistakenly assume that any key in Cloud KMS can be exported or that CMEK always implies software storage.

How to eliminate wrong answers

Option A is wrong because a customer-managed encryption key (CMEK) is a concept in Google Cloud that refers to keys created and managed by the customer within Cloud KMS, but the protection level can be either software or HSM; the exhibit shows 'HSM' protection level, not software. Option C is wrong because Cloud External Key Manager (EKM) is used for keys managed outside Google Cloud, and the exhibit shows a key managed within Cloud KMS, not an external key. Option D is wrong because the protection level is explicitly 'HSM', not 'software', so this is not a software key managed by Cloud KMS.

52
MCQ · hard

A company uses Cloud SQL for MySQL with automated backups. They want to ensure that backup data is encrypted with a key that they manage and rotate on a schedule, separate from the primary database encryption. What should they do?

A. Use Cloud SQL's backup encryption with customer-managed key by specifying a CMEK for backups.
B. Enable CMEK on the Cloud SQL instance, which automatically encrypts backups with the same key.
C. Use CSEK for the Cloud SQL instance and then re-encrypt backups.
D. Export backups to Cloud Storage and apply CMEK on the export bucket.
Answer: A

Cloud SQL allows setting a separate CMEK for backups during instance creation or update.

Why this answer

Cloud SQL allows enabling CMEK for backups separately by specifying a different CMEK key for backup encryption. Enabling CMEK on the instance encrypts both data and backups with the same key. Exporting to Cloud Storage is not automated.

53
MCQ · medium

A company is migrating on-premises data to Cloud Storage. They have regulatory requirements to encrypt data using keys managed by their on-premises hardware security module (HSM). Which solution should they use?

A. Use Cloud HSM to create and manage keys.
B. Use Cloud External Key Manager (Cloud EKM) to reference keys in their on-premises HSM.
C. Use customer-supplied encryption keys (CSEK) for each object.
D. Use Cloud Key Management Service (Cloud KMS) with a key generated in the cloud.
Answer: B

Cloud EKM allows using externally managed keys for Cloud Storage.

Why this answer

Cloud External Key Manager (Cloud EKM) allows you to use encryption keys stored in a supported on-premises HSM via a partner integration, meeting the regulatory requirement for key management outside of Google Cloud. This solution keeps the key material under your control while enabling Cloud Storage to encrypt data using those keys.

Exam trap

Google Cloud often tests the distinction between where the key is created versus where it is stored and managed; the trap here is assuming Cloud HSM (which is hardware-backed) meets the 'on-premises HSM' requirement, when in fact it is a Google-managed service in Google's infrastructure.

How to eliminate wrong answers

Option A is wrong because Cloud HSM creates and manages keys within Google Cloud, not on your on-premises HSM, so it does not satisfy the requirement for keys managed by your own hardware. Option C is wrong because customer-supplied encryption keys (CSEK) are provided by you but stored and managed by Google Cloud, not in your on-premises HSM; they also require you to supply the key with each API call, which is impractical for ongoing encryption. Option D is wrong because Cloud KMS with a cloud-generated key keeps the key material entirely within Google Cloud, failing the requirement for on-premises HSM management.

54
MCQ · easy

A small business stores backup archives in Cloud Storage and wants to encrypt them at rest using a key that is automatically rotated annually. They do not want to manage key material themselves. Which encryption option should they use?

A. Use Google-managed encryption keys (GMEK).
B. Use Cloud KMS customer-managed keys (CMEK) with rotation period.
C. Use Customer-Supplied Encryption Keys (CSEK).
D. Use client-side encryption with a third-party key management service.
Answer: A

GMEK is automatically rotated by Google.

Why this answer

Option A is correct because Google-managed encryption keys (GMEK) are automatically rotated and require no customer management. Option B is wrong because CMEK requires customer management. Option C is wrong because CSEK requires the customer to supply and manage keys.

Option D is wrong because client-side encryption is not handled by Google.

55
Multi-Select · easy

Which THREE Google Cloud services can encrypt data at rest?

Select 3 answers
A. Cloud CDN
B. Cloud Storage
C. Cloud SQL
D. Cloud Functions
E. Cloud KMS
Answers: B, C, E

Cloud Storage encrypts objects at rest by default.

Why this answer

Cloud Storage encrypts data at rest by default using server-side encryption (SSE) with either Google-managed keys or customer-managed keys via Cloud KMS. This ensures that all objects stored in buckets are encrypted before being written to disk, protecting data from unauthorized access at the storage layer.

Exam trap

Google Cloud often tests the misconception that all Google Cloud services automatically encrypt data at rest, but services like Cloud CDN and Cloud Functions do not provide native at-rest encryption themselves; they rely on underlying storage services for that capability.

56
MCQ · easy

A company uses Cloud KMS to protect encryption keys for their Cloud SQL databases. They want to rotate keys every 30 days and ensure that old keys are retained for at least 90 days. What is the recommended approach?

A. Use a Cloud KMS key with manual rotation every 30 days and keep all key versions indefinitely.
B. Use Cloud HSM to generate a key and set key version lifecycle to disable after 90 days.
C. Use a Cloud KMS key with automatic rotation period of 30 days and disable old key versions after 90 days.
D. Use customer-supplied encryption keys (CSEK) and rotate them manually.
Answer: C

Automatic rotation and disabling old versions satisfies both requirements.

Why this answer

Option C is correct because Cloud KMS supports automatic key rotation with a configurable period (e.g., 30 days), which creates new key versions automatically. To meet the 90-day retention requirement, you can disable old key versions after 90 days using the key version lifecycle policy, ensuring they are not used for encryption but remain available for decryption of older data.

Exam trap

Google Cloud often tests the distinction between automatic rotation (which creates new versions) and key version lifecycle (which manages old versions), and the trap here is assuming that automatic rotation alone handles retention, when in fact you must explicitly configure lifecycle policies to disable or destroy old versions after a specified period.

How to eliminate wrong answers

Option A is wrong because manual rotation every 30 days is operationally burdensome and error-prone, and keeping all key versions indefinitely does not satisfy the requirement to retain old keys for at least 90 days (it retains them forever, which is not the recommended approach). Option B is wrong because Cloud HSM is a hardware security module that can generate keys, but it does not provide a built-in mechanism to set key version lifecycle to disable after 90 days; that lifecycle management is a Cloud KMS feature, not Cloud HSM. Option D is wrong because customer-supplied encryption keys (CSEK) require you to manage and rotate keys manually, which does not leverage Cloud KMS's automatic rotation or lifecycle policies, and CSEK is typically used for Compute Engine, not Cloud SQL.

57
MCQ · medium

A healthcare organization ingests patient data into Cloud Storage and then processes it with Dataflow. They need to de-identify sensitive fields like Social Security numbers before storing in BigQuery. Which approach should they use?

A. Use BigQuery column-level security with data masking.
B. Write custom Dataflow transformations using a Java SDK to redact SSNs.
C. Use Cloud DLP to inspect and transform the data, then store the de-identified results in BigQuery.
D. Use Cloud Data Catalog to tag sensitive columns and rely on access control.
Answer: C

Cloud DLP can automatically identify and de-identify sensitive data.

Why this answer

Option C is correct because Cloud DLP inspection and transformation jobs can be integrated with BigQuery and Dataflow. Option A is wrong because BigQuery data masking only masks at query time, not at rest. Option B is wrong because Dataflow with custom code is more error-prone and harder to maintain.

Option D is wrong because Cloud Data Catalog only catalogs but does not transform.

58
MCQ · hard

A security engineer needs to protect sensitive data in BigQuery. The data includes columns with personally identifiable information (PII). They want to automatically mask PII data for users with the role 'analyst' but allow full access for 'admin' users. Which approach should they use?

A. Use VPC Service Controls to restrict access to the dataset.
B. Create authorized views that exclude PII columns for the analyst role.
C. Use column-level access control via IAM roles to deny access to PII columns for analysts.
D. Apply policy tags with data masking policies to PII columns and assign the tag to the analyst role.
Answer: D

Policy tags with masking policies can dynamically mask data based on user's role.

Why this answer

Option D is correct because BigQuery's policy tags with data masking policies allow you to automatically mask sensitive columns (e.g., PII) at query time based on the user's role. You assign a masking policy to the policy tag, then attach that tag to the PII columns. By granting the 'analyst' role access to the tag with the masking rule applied, analysts see masked data, while 'admin' users (who have higher-level IAM permissions) see the full data without additional configuration.

Exam trap

Google Cloud often tests the distinction between column-level access control (which can only hide or deny columns) and data masking (which can partially obscure data while still allowing access), leading candidates to mistakenly choose option C.

How to eliminate wrong answers

Option A is wrong because VPC Service Controls restrict network-level access to the BigQuery API but do not provide column-level data masking or role-based masking of PII. Option B is wrong because authorized views require creating separate views for each dataset and manually maintaining them; they do not automatically mask data at query time for different roles within the same table, and they add administrative overhead. Option C is wrong because column-level access control via IAM roles can only deny access to entire columns (making them invisible or causing errors), not mask the data; it cannot show partially masked values to analysts while allowing full access to admins.

59
MCQ · hard

A financial services company wants to ensure that Google Cloud staff cannot access their encryption keys or the plaintext data. They must meet regulatory requirements for data sovereignty. Which combination of services should they use?

A. Use CMEK with Cloud HSM and disable Access Transparency.
B. Use Customer-Supplied Encryption Keys (CSEK) without Access Transparency.
C. Use Cloud External Key Manager and enable Access Transparency logs.
D. Use VPC Service Controls and Cloud DLP.
Answer: C

EKM keeps keys outside Google; Access Transparency monitors access.

Why this answer

Option C is correct because Cloud External Key Manager (EKM) allows you to manage encryption keys using a supported external key management partner, ensuring that Google Cloud staff cannot access your keys or plaintext data. Enabling Access Transparency logs provides you with logs of Google Cloud staff access to your data, which helps meet regulatory requirements for data sovereignty by giving you visibility into administrative actions.

Exam trap

Google Cloud often tests the distinction between key management options (CMEK, CSEK, EKM) and the role of Access Transparency, leading candidates to confuse CMEK (which still gives Google control over key material) with EKM (which keeps keys external).

How to eliminate wrong answers

Option A is wrong because CMEK with Cloud HSM still allows Google Cloud to manage the key material (though in a hardware security module), and disabling Access Transparency removes visibility into Google staff access, failing the requirement that Google Cloud staff cannot access keys or plaintext. Option B is wrong because Customer-Supplied Encryption Keys (CSEK) are only supported for a limited set of Google Cloud services (Compute Engine and Cloud Storage) and do not prevent Google Cloud staff from accessing the keys during processing; also, disabling Access Transparency eliminates audit logs needed for sovereignty compliance. Option D is wrong because VPC Service Controls and Cloud DLP control network access and data loss prevention, respectively, but do not address encryption key management or prevent Google Cloud staff from accessing keys or plaintext data.

60
Multi-Select · medium

Which two are best practices for managing secrets in Secret Manager? (Choose two.)

Select 2 answers
A. Enable automatic replication to multiple regions for high availability.
B. Use the Secret Manager API to list all secrets for any user.
C. Set a short TTL for secret versions and delete them immediately.
D. Store secrets in multiple ConfigMaps for redundancy.
E. Use IAM conditions to restrict access based on resource tags.
Answers: A, E

Replication ensures availability if a region fails.

Why this answer

Option A is correct because Secret Manager supports automatic replication across regions, ensuring that secret data remains available even during a regional outage. This is a key best practice for high availability and disaster recovery, as it allows applications to read secrets from the nearest or alternate region without manual intervention.

Exam trap

Google Cloud often tests the misconception that ConfigMaps are suitable for secrets or that short TTLs and immediate deletion are safe practices, when in fact they violate operational stability and security best practices.

61
MCQ · medium

A healthcare organization stores Protected Health Information (PHI) in Cloud Storage. They need to de-identify data before sharing it with researchers. Which service should they use?

A. Cloud Key Management Service (KMS)
B. VPC Service Controls
C. Cloud IAM
D. Cloud Data Loss Prevention (DLP)
Answer: D

DLP can de-identify structured and unstructured data, including PHI.

Why this answer

Cloud Data Loss Prevention (DLP) is the correct service because it is specifically designed to inspect, classify, and de-identify sensitive data such as Protected Health Information (PHI). It uses built-in infoTypes (e.g., US_INDIVIDUAL_HEALTHCARE_NPI) and de-identification techniques like masking, tokenization, and redaction to transform PHI into a de-identified dataset before sharing with researchers, ensuring compliance with HIPAA.

Exam trap

Google Cloud often tests the distinction between data protection services (encryption, access control, perimeter security) and data de-identification, so the trap here is that candidates confuse Cloud KMS or IAM with DLP because they all relate to 'protecting' data, but only DLP actively transforms sensitive content to remove identifiers.

How to eliminate wrong answers

Option A is wrong because Cloud Key Management Service (KMS) is used for managing encryption keys, not for de-identifying data; it protects data at rest but does not remove or transform PHI. Option B is wrong because VPC Service Controls provide a security perimeter to prevent data exfiltration from VPC services, but they do not inspect or de-identify the content of data. Option C is wrong because Cloud IAM manages access control policies (who can access resources), but it does not perform data de-identification or content inspection.

62
MCQ · hard

A company uses Cloud SQL for PostgreSQL with CMEK. They need to ensure that the Cloud SQL instance can only be accessed by authorized compute resources that have the correct IAM permissions to decrypt the data. What additional configuration is required to enforce access control?

A. Enable mutual TLS for all connections to the Cloud SQL instance.
B. Set up a service account with Cloud KMS CryptoKey Encrypter/Decrypter and attach it to authorized VMs.
C. Use VPC Service Controls to restrict access to the Cloud SQL instance and the key.
D. Configure Cloud SQL to use Cloud Armor to whitelist IP addresses.
Answer: B

This ensures only specific VMs can decrypt, coupling compute access with key access.

Why this answer

Option B is correct because Cloud SQL with CMEK requires that any compute resource accessing the instance must have the Cloud KMS CryptoKey Encrypter/Decrypter IAM role on the key. By attaching a service account with this role to authorized VMs, you ensure that only those VMs can decrypt the data at rest, enforcing access control at the IAM level. This directly ties the decryption permission to the compute resource's identity, not just network-level access.

Exam trap

Google Cloud often tests the distinction between network-level access controls (like VPC Service Controls or Cloud Armor) and IAM-based key authorization, leading candidates to choose perimeter security options instead of the correct identity-based decryption permission.

How to eliminate wrong answers

Option A is wrong because mutual TLS (mTLS) authenticates the client and server at the transport layer but does not control decryption permissions for CMEK; it addresses connection security, not key access. Option C is wrong because VPC Service Controls restrict data exfiltration and network access to Google Cloud services, but they do not grant or enforce IAM permissions to decrypt the CMEK key; they are a perimeter security control, not a key authorization mechanism. Option D is wrong because Cloud Armor is a web application firewall that filters traffic based on IP addresses or HTTP headers, but it cannot enforce IAM-based decryption permissions; it operates at the network edge, not at the key management layer.

63
MCQ · medium

A company stores sensitive customer data in Cloud Storage. They want to ensure that data is encrypted at rest using customer-managed encryption keys (CMEK) and that access to the key is audited. Which approach should they use?

A. Use Google-managed encryption keys and enable Cloud Audit Logs for the bucket.
B. Use CMEK with key material stored in a Cloud Storage bucket.
C. Use customer-supplied encryption keys (CSEK) and store the keys in Secret Manager.
D. Use CMEK with a Cloud KMS key and enable Cloud Audit Logs for the key.
Answer: D

CMEK uses Cloud KMS, and audit logs track access to the key.

Why this answer

Option D is correct because it combines customer-managed encryption keys (CMEK) via Cloud KMS with Cloud Audit Logs enabled on the key itself. This ensures the data is encrypted at rest using a key that the customer controls and rotates, and all operations against that key (e.g., encrypt, decrypt, enable, disable) are logged for auditing. Cloud Audit Logs on the bucket alone would not capture key access events, which is required for full auditability.

Exam trap

Google Cloud often tests the distinction between CMEK and CSEK, and the trap here is that candidates confuse 'customer-managed' with 'customer-supplied' and overlook that CMEK requires Cloud KMS for key management and auditing, not just storing key material in Cloud Storage or Secret Manager.

How to eliminate wrong answers

Option A is wrong because Google-managed encryption keys do not allow customer control or rotation of the key material, and enabling Cloud Audit Logs only on the bucket does not audit access to the encryption key itself. Option B is wrong because storing CMEK key material in a Cloud Storage bucket violates the principle of keeping keys separate from the data they protect, and Cloud Storage does not provide the key management lifecycle or audit logging that Cloud KMS offers. Option C is wrong because customer-supplied encryption keys (CSEK) require the customer to supply the key on every API call, and storing the keys in Secret Manager does not provide the same level of key rotation, versioning, or centralized audit logging as Cloud KMS with CMEK.

64
MCQ · hard

A security engineer reviews the IAM policy for a Cloud Storage bucket as shown in the exhibit. Alice reports that she cannot upload objects to the bucket, while Bob can view objects. What is the most likely issue?

A. The bucket has ACLs that deny Alice upload access.
B. Alice has the objectViewer role but not the objectAdmin role.
C. Alice does not have the storage.buckets.getIamPolicy permission.
D. The objectAdmin role does not include the storage.objects.create permission.
Answer: A

If uniform bucket-level access is not enabled, ACLs can override IAM.

Why this answer

Option A is correct because Cloud Storage buckets can have both IAM policies and Access Control Lists (ACLs) applied. If the bucket's ACL explicitly denies Alice the `WRITER` or `OWNER` permission, she will be unable to upload objects even if her IAM policy grants broader roles. Bob can view objects because his IAM role (e.g., `roles/storage.objectViewer`) is not overridden by a conflicting ACL, or his ACL entry grants `READER` access.

Exam trap

Google Cloud often tests the misconception that IAM policies alone control all access to Cloud Storage, ignoring that ACLs can override or deny permissions, leading candidates to incorrectly blame missing roles or permissions rather than a conflicting ACL.

How to eliminate wrong answers

Option B is wrong because the `objectViewer` role only allows reading objects, not uploading; however, the question states Alice cannot upload, so the issue is not about missing `objectAdmin` but a specific denial. Option C is wrong because `storage.buckets.getIamPolicy` is used to view the bucket's IAM policy, not to upload objects; lacking this permission would not prevent uploading. Option D is wrong because the `objectAdmin` role (`roles/storage.objectAdmin`) does include `storage.objects.create`, which is required for uploading; this option misrepresents the role's permissions.

65
MCQ · medium

A financial institution uses Cloud HSM to protect cryptographic keys used for signing sensitive transactions. They want to ensure that keys are never exportable and that key usage is logged. Which key type should they create in Cloud HSM?

A. Purpose: ASYMMETRIC_SIGN with algorithm: RSA_SIGN_PKCS1_2048_SHA256
B. Purpose: SYMMETRIC_ENCRYPT_DECRYPT with algorithm: GOOGLE_SYMMETRIC_ENCRYPTION
C. Purpose: ASYMMETRIC_DECRYPT with algorithm: RSA_DECRYPT_OAEP_2048_SHA256
D. Purpose: MAC with algorithm: HMAC_SHA256
Answer: A

This key type is designed for signing and uses Cloud HSM which provides non-exportable keys.

Why this answer

Option A is correct because Cloud HSM supports ASYMMETRIC_SIGN key purpose with RSA_SIGN_PKCS1_2048_SHA256, which creates a non-exportable key pair used for signing. Cloud HSM ensures the private key never leaves the HSM boundary, and all key usage is automatically logged via Cloud Audit Logs, meeting the requirements for non-exportability and logging.

Exam trap

Google Cloud often tests the distinction between key purposes: candidates confuse ASYMMETRIC_DECRYPT (used for decrypting ciphertext) with signing, but signing requires the private key to produce a signature, not to decrypt data.

How to eliminate wrong answers

Option B is wrong because SYMMETRIC_ENCRYPT_DECRYPT keys are used for encryption/decryption, not signing, and symmetric keys do not provide the non-repudiation needed for signing sensitive transactions. Option C is wrong because ASYMMETRIC_DECRYPT keys are designed for decryption operations (e.g., RSA-OAEP), not for creating digital signatures; signing requires the private key to generate a signature, not to decrypt. Option D is wrong because MAC (Message Authentication Code) keys, such as HMAC_SHA256, are symmetric and used for integrity and authentication, not for asymmetric signing; they do not provide non-repudiation and are exportable by design in Cloud HSM.

66
MCQ · medium

A company is deploying a microservices architecture on Google Kubernetes Engine (GKE). They need to securely store and access database credentials, API keys, and other secrets. They want to avoid storing secrets in plaintext in the container image or Kubernetes manifests. Which solution should they use?

A. Encrypt secrets with Cloud KMS and store them in a ConfigMap.
B. Store secrets in a ConfigMap and mount as environment variables.
C. Use Secret Manager and mount secrets as volumes using the Secret Manager CSI driver.
D. Use Kubernetes native Secrets, committing them to a private repository.
Answer: C

This provides secure, audited access without storing secrets in the cluster.

Why this answer

Option C is correct because Secret Manager provides a centralized, secure, and auditable way to store secrets, and the Secret Manager CSI driver allows pods to mount these secrets as volumes without exposing them in the container image or Kubernetes manifests. This approach ensures secrets are never stored in plaintext on disk or in etcd, and it integrates with GKE's workload identity for fine-grained access control.

Exam trap

The trap here is that candidates often confuse Kubernetes native Secrets (which are only base64-encoded, not encrypted) with a secure solution, or they assume ConfigMaps can be used for secrets if encrypted, missing the fact that ConfigMaps are not designed for sensitive data and are stored in plaintext in etcd.

How to eliminate wrong answers

Option A is wrong because Cloud KMS is a key management service for encryption keys, not a secret store; storing encrypted secrets in a ConfigMap still leaves the secrets in etcd and Kubernetes API, and ConfigMaps are not designed for sensitive data. Option B is wrong because ConfigMaps store data in plaintext in etcd and can be easily read by anyone with access to the Kubernetes API, violating the requirement to avoid plaintext storage. Option D is wrong because committing Kubernetes native Secrets to a private repository still stores them in plaintext in the repository and in etcd, and native Secrets are only base64-encoded, not encrypted by default, which is not a secure practice.

67
MCQ · medium

A security engineer runs the command in the exhibit. The command fails with an error: 'Permission denied: cryptoKeyVersions.encrypt'. What is the most likely cause?

A. The key ring 'my-keyring' does not exist.
B. The user does not have the cloudkms.cryptoKeyVersions.encrypt permission on the key.
C. The key ring location is incorrect.
D. The user does not have the cloudkms.cryptoKeyVersions.decrypt permission.
Answer: B

The error indicates missing encrypt permission.

Why this answer

The error message 'Permission denied: cryptoKeyVersions.encrypt' explicitly indicates that the user lacks the cloudkms.cryptoKeyVersions.encrypt permission on the specific key version. In Google Cloud KMS, encrypt operations require the cloudkms.cryptoKeyVersions.encrypt permission (or a broader role like roles/cloudkms.cryptoKeyEncrypter) on the key resource. The command itself is syntactically correct, so the failure is due to insufficient IAM permissions, not resource existence or location.

Exam trap

Google Cloud often tests the distinction between resource existence errors (e.g., 'Not found') and permission errors (e.g., 'Permission denied'), so candidates must read the exact error message to avoid confusing missing resources with insufficient IAM permissions.

How to eliminate wrong answers

Option A is wrong because if the key ring 'my-keyring' did not exist, the error would be 'Not found' or 'Key ring not found', not a permission denied error. Option C is wrong because an incorrect location would produce a 'Not found' or 'Invalid location' error, not a permission denied error. Option D is wrong because the error specifically mentions 'encrypt', not 'decrypt'; lacking the decrypt permission would not cause an encrypt operation to fail with this error message.

68
MCQ · hard

An organization uses Cloud DLP to scan a Cloud SQL database for PII. They want to automatically pseudonymize email addresses found in a specific column using a deterministic encryption that can be reversed for authorized users. The key must be stored in Cloud KMS. Which DLP transformation should they configure?

A. CryptoHashConfig with a cryptographic key from Cloud KMS.
B. CryptoDeterministicConfig with a key from Cloud KMS.
C. CryptoReplaceFfxFpeConfig using a key from Cloud KMS.
D. ReplaceWithInfoTypeConfig with a cryptographic key.
Answer: B

This provides deterministic, reversible encryption suitable for pseudonymization.

Why this answer

Option B is correct because CryptoDeterministicConfig performs deterministic encryption (same plaintext always produces the same ciphertext) using a key from Cloud KMS, which allows pseudonymization that can be reversed by authorized users. This matches the requirement for a reversible, deterministic transformation on email addresses in a Cloud SQL column.

Exam trap

Google Cloud often tests the distinction between deterministic encryption (reversible, same output for same input) and hashing (one-way), leading candidates to mistakenly choose CryptoHashConfig when they need reversibility.

How to eliminate wrong answers

Option A is wrong because CryptoHashConfig uses a cryptographic hash function (e.g., SHA-256) which is one-way and cannot be reversed, so it does not meet the requirement for reversible pseudonymization. Option C is wrong because CryptoReplaceFfxFpeConfig uses Format-Preserving Encryption (FFX) which preserves the format of the data (e.g., email structure) but is not specifically designed for deterministic encryption with Cloud KMS key management in this context; it is more suited for preserving format while encrypting, not for simple deterministic reversal. Option D is wrong because ReplaceWithInfoTypeConfig replaces the entire value with the info type name (e.g., 'EMAIL_ADDRESS') and does not use a cryptographic key or provide any encryption or reversibility.

69
Multi-Select · easy

Which TWO of the following are valid methods to protect data in transit between on-premises and Google Cloud using Cloud VPN?

Select 2 answers
A. Use Cloud VPN with SSL VPN.
B. Use Cloud VPN with IPsec IKEv2.
C. Use Cloud NAT for outbound traffic.
D. Use Cloud VPN with IPsec IKEv1.
E. Use Cloud Interconnect with MACsec.
Answers: B, D

Cloud VPN supports IPsec with IKEv2.

Why this answer

Cloud VPN supports both IPsec IKEv1 and IKEv2 as valid protocols for establishing secure tunnels between on-premises networks and Google Cloud. IKEv2 offers improved stability and mobility support, but both are explicitly supported by Google Cloud VPN for protecting data in transit.

Exam trap

Google Cloud often tests the distinction between Cloud VPN (which uses IPsec with IKEv1 or IKEv2) and other connectivity options like Cloud Interconnect or SSL VPN, leading candidates to mistakenly select SSL VPN or MACsec as valid Cloud VPN methods.

70
MCQ · hard

Refer to the exhibit. Based on the exhibit, the corporate security policy requires that all Cloud KMS symmetric keys have automatic rotation enabled. Which statement is true?

A. Both keys are compliant.
B. Neither key is compliant.
C. Only the encryption-key is compliant.
D. Only the decryption-key is compliant.
Answer: C

Encryption-key has a rotation period; decryption-key does not.

Why this answer

The corporate security policy requires automatic rotation for all Cloud KMS symmetric keys. In the exhibit, the 'encryption-key' has automatic rotation enabled (as indicated by the rotation period being set), while the 'decryption-key' does not have automatic rotation enabled (rotation period is not set or is disabled). Therefore, only the encryption-key is compliant with the policy.

Exam trap

Google Cloud often tests the distinction between keys that have rotation enabled versus those that are simply created with a rotation period set to a non-zero value, tricking candidates into assuming all keys in a key ring are automatically rotated.

How to eliminate wrong answers

Option A is wrong because both keys are not compliant; the decryption-key lacks automatic rotation. Option B is wrong because the encryption-key does have automatic rotation enabled, so it is compliant. Option D is wrong because the decryption-key does not have automatic rotation enabled, making it non-compliant, not the only compliant key.

71
Matching · medium

Match each CVE or security concept to its description.

Concepts

Log4j remote code execution vulnerability

Heartbleed OpenSSL vulnerability

Apache Struts2 remote code execution

Windows CryptoAPI spoofing vulnerability

BlueKeep RDP remote code execution

Why these pairings

These are well-known CVEs and their brief descriptions.

72
MCQ · medium

A multinational organization must ensure that data for European users is stored only within the European Union to comply with GDPR. They use Cloud Storage and BigQuery. Which design should they implement?

A. Use Cloud DLP to inspect and tag data for European origin.
B. Use VPC Service Controls to create a perimeter around European resources.
C. Set an organization policy with constraints/gcp.resourceLocations to restrict resource creation to EU regions.
D. Use Cloud Armor with geo-based access control to restrict access from non-EU locations.
Answer: C

Organization policies can enforce that resources like buckets and datasets are created only in allowed locations.

Why this answer

Option C is correct because the organization policy constraint `gcp/resourceLocations` is the only design that proactively prevents data from being stored outside the EU. By setting this constraint to allow only EU regions (e.g., `europe-west1`, `europe-west4`), any attempt to create a Cloud Storage bucket or BigQuery dataset in a non-EU region will be denied at the API level, ensuring GDPR compliance by design.

Exam trap

Google Cloud often tests the distinction between data access control and data residency enforcement; the trap here is confusing geo-based access controls (Cloud Armor) or data exfiltration prevention (VPC Service Controls) with the ability to restrict where data is physically stored, which requires a resource location policy.

How to eliminate wrong answers

Option A is wrong because Cloud DLP inspects and classifies data but does not enforce storage location; it only tags data for discovery, not for residency control. Option B is wrong because VPC Service Controls create a security perimeter around resources to prevent data exfiltration, but they do not restrict where resources can be created or stored; a bucket could still be created in a non-EU region within the perimeter. Option D is wrong because Cloud Armor with geo-based access control restricts user access based on geographic location, but it does not control where data is physically stored; data could still reside outside the EU.

73
MCQ · medium

A multinational corporation is required to protect sensitive data in BigQuery using column-level encryption. They want to use a customer-managed key stored in Cloud KMS. What is the correct approach?

A. Use Cloud DLP to de-identify columns in transit.
B. Use Cloud HSM to store the key and apply bucket-level encryption.
C. Use Cloud KMS to create an AEAD key and use BigQuery SQL functions to encrypt/decrypt.
D. Use Customer-Supplied Encryption Keys (CSEK) with BigQuery.
Answer: C

BigQuery has AEAD.ENCRYPT/DECRYPT functions that integrate with Cloud KMS.

Why this answer

Option C is correct because BigQuery supports column-level encryption and decryption using AEAD (Authenticated Encryption with Associated Data) keys created in Cloud KMS. The `AEAD.ENCRYPT` and `AEAD.DECRYPT` SQL functions allow you to encrypt specific columns at rest, using a customer-managed key that you control in Cloud KMS, ensuring that only authorized users with access to the key can decrypt the data.

Exam trap

Google Cloud often tests the distinction between encryption services (Cloud KMS, Cloud HSM, CSEK) and their applicable scopes (bucket-level vs. column-level), so the trap here is assuming that any key management service can be used for BigQuery column-level encryption without understanding that only Cloud KMS with AEAD SQL functions is supported.

How to eliminate wrong answers

Option A is wrong because Cloud DLP de-identifies data in transit or at rest using techniques like masking or tokenization, but it does not provide column-level encryption with a customer-managed key stored in Cloud KMS; DLP is a data loss prevention service, not a column-level encryption solution. Option B is wrong because Cloud HSM is a hardware security module that can store keys, but bucket-level encryption applies to Cloud Storage buckets, not to BigQuery columns; BigQuery does not use bucket-level encryption for column-level protection. Option D is wrong because Customer-Supplied Encryption Keys (CSEK) are used for encrypting Compute Engine resources and Cloud Storage objects, not for BigQuery column-level encryption; BigQuery does not support CSEK for column-level encryption.

74
MCQ · easy

An organization wants to prevent data exfiltration from a Google Cloud project by restricting the copying of data from Cloud Storage to external IPs. Which Google Cloud service should they use?

A. Cloud Armor
B. IAM
C. VPC Service Controls
D. Cloud Data Loss Prevention (DLP)
Answer: C

VPC Service Controls create a security perimeter that prevents data from being copied to external IPs.

Why this answer

VPC Service Controls (C) is correct because it allows you to define security perimeters around Google Cloud services like Cloud Storage, preventing data exfiltration by blocking access from external IPs. By creating a service perimeter, you can enforce that data can only be accessed from within a specified VPC network or on-premises network via Private Google Access, effectively restricting copying to external IP addresses.

Exam trap

Google Cloud often tests the distinction between IAM (identity-based access) and VPC Service Controls (network-based perimeter security), so candidates mistakenly choose IAM thinking it can block external IPs, but IAM lacks the network context to enforce such restrictions.

How to eliminate wrong answers

Option A is wrong because Cloud Armor is a web application firewall (WAF) that protects against DDoS and application-layer attacks, not a tool for restricting data exfiltration based on IP origin. Option B is wrong because IAM controls who (identities) can access resources but does not control how data is transferred or restrict access based on network context (e.g., external IPs). Option D is wrong because Cloud Data Loss Prevention (DLP) is used for inspecting, classifying, and redacting sensitive data, not for enforcing network-level access controls to prevent exfiltration.

75
MCQhard

A global e-commerce company uses Google Cloud to host its platform. They store customer payment data in Cloud SQL and use Cloud Storage for backups. Currently, they rely on Google-managed encryption keys. A new compliance requirement mandates that all encryption keys must be stored in a hardware security module (HSM) and rotated every 30 days. Additionally, they need to retain backup data for 7 years, during which the keys used to encrypt the backups must be available for decryption. They have created a Cloud HSM key ring and a key with a rotation period of 2592000 seconds (30 days). After configuring Cloud SQL and Cloud Storage to use the Cloud HSM key, they notice that backups older than 30 days cannot be decrypted. The company's security engineer verified that the key versions are still present. What is the most likely cause and how should it be resolved?

A.The key material was imported incorrectly. Delete the key ring and recreate it using an external HSM.
B.The automatic backups in Cloud SQL are encrypted with the primary key version at backup time, but the backup restore functionality does not automatically use the latest key version. Update the backup configuration to use the current primary key version for decryption.
C.The rotation period of 30 days is too short for key retention. Disable automatic rotation and use manual key rotation every 30 days while retaining all versions.
D.Cloud Storage does not support Cloud HSM keys for object encryption. Switch to customer-supplied encryption keys (CSEK).
AnswerB

Cloud SQL restore requires referencing the correct key version; re-associating the backup with the latest key version allows decryption.

Why this answer

Option B is correct because Cloud SQL backups are encrypted with the primary key version at the time of backup creation. When restoring a backup, Cloud SQL does not automatically use the latest key version; it attempts to decrypt using the key version that was primary at backup time. Since the key is rotated every 30 days, backups older than 30 days were encrypted with a previous primary key version.

Even though the key versions are still present in Cloud HSM, the backup restore operation fails because it does not automatically reference the correct historical key version. The fix is to explicitly update the backup configuration to point to the current primary key version, which allows Cloud SQL to locate and use the appropriate key version for decryption.

Exam trap

Google Cloud often tests the misconception that key rotation automatically updates all existing encrypted data, when in reality each encryption operation uses the key version that was primary at that time, and decryption requires explicit reference to the correct historical version.

How to eliminate wrong answers

Option A is wrong because the key material was not imported incorrectly; the security engineer verified that key versions are present, and Cloud HSM supports both imported and generated keys. The issue is not about import method but about key version referencing during restore. Option C is wrong because the rotation period of 30 days (2592000 seconds) is exactly what the compliance requires; disabling automatic rotation would violate the 30-day rotation mandate, and manual rotation does not solve the decryption problem since the root cause is that Cloud SQL does not automatically use the correct key version for older backups.

Option D is wrong because Cloud Storage does support Cloud HSM keys for object encryption via CMEK; switching to CSEK would not address the backup decryption issue and would introduce additional key management complexity.
