PCSE · topic practice

Supporting compliance requirements practice questions

Practise Google Professional Cloud Security Engineer (PCSE) questions on supporting compliance requirements: original exam-style scenarios with answer choices, explanations, and analysis of common mistakes.

Courseiva uses original exam-style practice questions designed for learning and revision. The goal is to understand the concepts, recognise exam patterns, and improve through explanations — not memorise copied exam dumps.

Reviewed by Johnson Ajibi · MSc IT Security
20 questions · Domain: Supporting compliance requirements

What the exam tests

What to know about Supporting compliance requirements

Supporting compliance requirements questions test whether you can apply the concept in context, not just recognise a definition.

  • How the topic appears in realistic exam-style scenarios.
  • Which detail in the question changes the correct answer.
  • How to eliminate plausible but wrong options.
  • How to connect the question back to the wider exam objective.

Watch out for

Common Supporting compliance requirements exam traps

  • Answering from memory before reading the full scenario.
  • Missing a constraint such as cost, availability, security, scope or command context.
  • Choosing a broad answer when the question asks for the most specific fix.
  • Ignoring why the wrong options are tempting.

Practice set

Supporting compliance requirements questions

20 questions · select your answer, then reveal the explanation

A company needs to retain audit logs for 7 years to meet regulatory compliance. They are using Cloud Logging. Which log storage strategy should they use to minimize costs while meeting the requirement?

Question 2 · medium · multiple choice

A healthcare organization must ensure that only authorized personnel can access Protected Health Information (PHI) stored in Cloud Storage. They need to enforce encryption at rest and control access based on data classification. Which combination of Google Cloud services should they use?

A financial services company is deploying a multi-region application on Google Kubernetes Engine (GKE) and needs to comply with PCI DSS. They must ensure that cardholder data is encrypted in transit between pods in different clusters. What is the MOST secure way to achieve this?

A company must implement data residency requirements that prohibit storing data outside the European Union. They are using Cloud Bigtable and need to ensure that backups are also stored within the EU. Which configuration should they choose?

A company is migrating to Google Cloud and needs to comply with the Health Insurance Portability and Accountability Act (HIPAA). They plan to use Cloud SQL for MySQL and Cloud Storage. Which TWO actions must they take to ensure HIPAA compliance?

A company needs to comply with the General Data Protection Regulation (GDPR). They are using BigQuery to store personal data. Which THREE measures should they implement to meet GDPR requirements?

Your company, a global e-commerce platform, must comply with the PCI DSS requirement to secure cardholder data. You have a multi-cloud environment with workloads on Google Cloud and AWS. The Google Cloud environment consists of Compute Engine instances that process credit card transactions, and a Cloud SQL for MySQL database that stores encrypted cardholder data. The security team requires that only specific service accounts can connect to the database, and all connections must be encrypted. Additionally, you need to ensure that the database is not publicly accessible and that all access is logged. You have configured the Cloud SQL instance with a private IP and enabled SSL/TLS. However, a recent audit revealed that a Compute Engine instance with a public IP and no service account was able to connect to the database and execute queries. The instance was not authorized in the Cloud SQL authorized networks. What is the most likely cause of this security gap, and what should you do to prevent it?

A financial services company must ensure that all data stored in Cloud Storage is encrypted with customer-managed encryption keys (CMEK) that are rotated every 90 days. They have enabled Organization Policy constraints to enforce CMEK. However, some new buckets are still being created without CMEK. What is the most likely cause?

Question 9 · hard · multiple choice

A healthcare organization uses BigQuery to store patient data with column-level encryption using CMEK. They need to ensure that data is encrypted at rest and in transit, and that only authorized users can query specific columns. Which combination of controls should they use?

A company wants to use Cloud Armor to block traffic from specific countries to comply with data sovereignty requirements. They have a global HTTP Load Balancer configured. Where should they configure the Cloud Armor policy?

A Cloud Run service is failing to access a secret from Secret Manager. The service account used by Cloud Run has the roles/secretmanager.secretAccessor role. What is the most likely cause of the error?

Exhibit

Refer to the exhibit.

Error log from a Cloud Run service:
```
{
  "severity": "ERROR",
  "message": "Failed to access Secret Manager secret 'projects/my-project/secrets/my-api-key/versions/latest'.",
  "service": "my-service",
  "reason": "Permission denied on resource 'projects/my-project/secrets/my-api-key/versions/latest'"
}
```

A company must ensure that all Compute Engine instances use only approved images from a specific project. They want to enforce this using Organization Policy. Which constraint should they use?

A company wants to audit all changes to IAM policies in their organization. They need to set up logging to capture these changes. Which TWO steps should they take? (Choose TWO.)

A company is implementing a data retention policy for Cloud Storage buckets. They need to ensure that objects cannot be deleted before a specified retention period. Which THREE features can they use? (Choose THREE.)

A security engineer is using Cloud Asset Inventory to find all Compute Engine instances that are not labeled with a 'compliance' label. Based on the exhibit, which instance(s) are missing the compliance label?

Exhibit

Refer to the exhibit.

```
$ gcloud asset search-all-resources --scope=organizations/123456789012 --asset-types='compute.googleapis.com/Instance'
```

Output from gcloud command:
```
name: //compute.googleapis.com/projects/my-project/zones/us-central1-a/instances/instance-1
assetType: compute.googleapis.com/Instance
project: projects/123456789012
ancestors: ["organizations/123456789012", "folders/456", "projects/123456789012"]
labels:
  env: production
  compliance: hipaa

name: //compute.googleapis.com/projects/other-project/zones/us-central1-a/instances/instance-2
project: projects/987654321098
ancestors: ["organizations/123456789012", "folders/789", "projects/987654321098"]
env: dev
```

A company uses Cloud SQL for MySQL and needs to automate the rotation of database user passwords every 30 days. They want to store the passwords in Secret Manager and have the application retrieve them at runtime. The application runs on Compute Engine. What is the most secure way to allow the Compute Engine instances to access the secrets?

A financial services company must store customer transaction records for 7 years to comply with SEC regulations. They currently use Cloud Storage with a lifecycle rule that deletes objects after 365 days. The compliance team needs to ensure that records are immutable and cannot be deleted or modified before the retention period expires. What should the security engineer do?

Question 18 · hard · multiple choice

A healthcare organization is migrating sensitive patient data to Google Cloud and must comply with HIPAA. They plan to use Cloud SQL for MySQL with CMEK for encryption at rest. The security team is concerned about key management and access logging. Which additional measure should be implemented to meet HIPAA audit requirements?

A global e-commerce company must comply with GDPR and CCPA. They use BigQuery to store customer data and need to ensure that when a user requests data deletion, all copies are deleted within 30 days. Additionally, they want to minimize storage costs. Which TWO actions should they take?

Question 20 · easy · multiple choice

A company has a single Google Cloud project with multiple VPC networks. They need to comply with PCI DSS requirement 1.3.2, which restricts inbound and outbound traffic to only what is necessary. They have a web application running on Compute Engine instances in a VPC with a public subnet and a private subnet. The web servers in the public subnet need to communicate with database servers in the private subnet. Currently, the security engineer has configured firewall rules to allow HTTP/HTTPS traffic from the internet to the web servers, and allow all traffic from the public subnet to the private subnet. The auditor flags that the rule allowing all traffic from the public subnet to the private subnet is too permissive. What should the security engineer do to meet the requirement while maintaining functionality?


Frequently asked questions

What does the PCSE exam test about Supporting compliance requirements?
Supporting compliance requirements questions test whether you can apply the concept in context, not just recognise a definition.
How should I use these practice questions?
Select your answer before revealing the explanation. Then read why each option is right or wrong — this active recall approach builds retention far faster than re-reading notes.
Can I practise just Supporting compliance requirements questions in a focused session?
Yes — the session launcher on this page draws every question from the Supporting compliance requirements domain. Use a 10-question session first to gauge your baseline, then move to 20 or 30 once the weak spots are clear.
Where can I practise other PCSE topics?
Use the topic links above to move to related areas, or go back to the PCSE question bank to see all topics.
Are these real exam questions or dumps?
These are original practice questions written to test the same concepts the PCSE exam covers. They are not copied from any real exam or dump site.