CCNA Gcp Compliance Questions

33 of 108 questions · Page 2/2 · Gcp Compliance topic

76
MCQ · medium

Refer to the exhibit. A compliance auditor reviews the key configuration and finds a potential issue. What is the most likely compliance impact?

A. The key is disabled and cannot encrypt data
B. The key was created too recently
C. The key lacks automatic rotation, which may violate compliance requirements
D. The key is not used for the correct purpose

Answer: C

Many compliance standards (e.g., PCI DSS) require periodic key rotation; a null rotation period means no rotation is scheduled.

Why this answer

Option C is correct because many compliance frameworks (e.g., PCI DSS, SOC 2, NIST SP 800-57) require cryptographic keys to be rotated periodically to limit the amount of data encrypted under a single key and reduce the impact of key compromise. In Cisco's key configuration, if automatic rotation is not enabled or configured, the key remains static, which can violate these compliance mandates. The auditor identifies the lack of automatic rotation as a potential non-compliance issue, even if the key is otherwise valid and functional.

Exam trap

Google Cloud often tests the distinction between a key being 'functional' versus 'compliant' — candidates may assume that because a key works and is not expired, it is compliant, but the trap is that compliance frameworks require proactive rotation policies, not just key validity.

How to eliminate wrong answers

Option A is wrong because a key being disabled would be a separate administrative action or state; the exhibit does not show the key as disabled, and a disabled key would not be available for encryption at all, which is not the issue flagged by the auditor. Option B is wrong because the age of the key alone does not create a compliance impact unless a specific maximum key lifetime is defined by policy; the auditor's concern is about rotation, not recency. Option D is wrong because the key purpose (e.g., encryption, signing) is typically defined in the key's attributes or usage policy, and the exhibit does not indicate that the key is being used for an incorrect purpose; the issue is the lack of rotation, not misuse.

77
Multi-Select · hard

A financial services company must ensure that its Google Cloud environment complies with PCI DSS. The security team needs to implement controls to protect cardholder data. Which TWO measures should they implement? (Choose TWO.)

Select 2 answers
A. Enable Data Access audit logs for all Cloud Storage buckets.
B. Use Security Command Center to detect misconfigurations.
C. Configure VPC Service Controls to restrict data movement from managed services.
D. Enable Shielded VMs on all Compute Engine instances.
E. Use Customer-Managed Encryption Keys (CMEK) to encrypt data at rest.

Answers: C, E

VPC Service Controls help prevent unauthorized data exfiltration, a PCI DSS requirement.

Why this answer

C is correct because VPC Service Controls create a security perimeter around Google Cloud managed services, preventing data exfiltration by restricting data movement from within the perimeter to unauthorized external networks. This is critical for PCI DSS compliance as it helps protect cardholder data from unauthorized access or transfer. E is correct because Customer-Managed Encryption Keys (CMEK) allow the organization to control and manage the encryption keys used to protect data at rest, meeting PCI DSS requirement 3.4 for rendering cardholder data unreadable.

Exam trap

Google Cloud often tests the distinction between detective controls (like audit logs and Security Command Center) and preventive controls (like VPC Service Controls and CMEK), leading candidates to mistakenly select logging or detection options as direct compliance measures.

78
MCQ · medium

To comply with regulatory requirements, a company needs to prevent service account keys from being created for all projects. What should they use?

A. VPC Service Controls
B. Organization policy with a constraint
C. Security Command Center
D. IAM conditions

Answer: B

The Organization policy `iam.disableServiceAccountKeyCreation` can be applied at the organization level to prevent key creation.

Why this answer

Organization policies with constraints allow you to enforce restrictions across all projects in an organization. The `constraints/iam.disableServiceAccountKeyCreation` constraint specifically prevents the creation of service account keys, ensuring compliance with regulatory requirements that prohibit long-lived keys. This is a native Google Cloud IAM feature that applies at the organization, folder, or project level.

Exam trap

Google Cloud often tests the distinction between preventive controls (organization policy constraints) and detective/monitoring tools (Security Command Center), leading candidates to mistakenly choose Security Command Center because they think it can block actions, when in fact it only detects and alerts.

How to eliminate wrong answers

Option A is wrong because VPC Service Controls are used to define security perimeters around Google Cloud resources to mitigate data exfiltration risks, not to manage IAM policies or service account key creation. Option C is wrong because Security Command Center is a security and risk management platform that provides threat detection and vulnerability findings, but it does not enforce preventive policies like disabling key creation. Option D is wrong because IAM conditions allow you to define conditional, attribute-based access to resources (e.g., based on time, IP address, or resource tags), but they cannot prevent the creation of service account keys themselves.

79
MCQ · hard

A company needs to respond to a GDPR data subject deletion request for a user's data stored across BigQuery and Cloud Storage. The data must be completely erased upon request. What is the most effective approach to ensure compliance?

A. Use Cloud DLP to identify the user's data across services, delete the data using API calls, and verify deletion with Cloud Audit Logs
B. Set up BigQuery time-based table expiration and Cloud Storage lifecycle policies with a 1-day deletion rule
C. Use Cloud Identity-Aware Proxy to block the user's access and mark the data as deleted
D. Enable Access Transparency logs and request Google to delete the data on their behalf

Answer: A

Cloud DLP discovers data locations, deletion APIs remove data, and audit logs confirm deletion, meeting GDPR requirements.

Why this answer

Option A is correct because Cloud DLP can be used to inspect and classify the user's data across BigQuery and Cloud Storage, then you can programmatically delete the identified data via API calls. Cloud Audit Logs provide a verifiable record that the deletion was performed, which is essential for demonstrating compliance with GDPR's right to erasure.

Exam trap

Google Cloud often tests the misconception that access control mechanisms (like IAP) or automated lifecycle policies can substitute for actual data deletion, but GDPR requires complete erasure of the specific data subject's information, not just blocking access or delayed removal.

How to eliminate wrong answers

Option B is wrong because time-based table expiration and lifecycle policies are automated deletion mechanisms that cannot target a specific user's data on demand; they delete entire tables or objects based on age, not in response to an individual deletion request. Option C is wrong because Cloud Identity-Aware Proxy controls access but does not delete data; marking data as deleted without actual erasure fails GDPR's requirement for complete removal. Option D is wrong because Access Transparency logs only provide visibility into Google's access to your data, and requesting Google to delete data on your behalf is not a supported mechanism for customer-managed data in BigQuery or Cloud Storage.

80
MCQ · medium

A security engineer runs the above query in BigQuery and finds a column containing Social Security Numbers (SSNs). They must ensure that all SSNs in the dataset are automatically encrypted at rest using customer-managed keys (CMEK) and also that future queries do not expose SSNs to users without decryption access. Which approach should they take?

A. Use BigQuery with CMEK on the dataset and create a separate table with encrypted columns.
B. Use Cloud DLP to de-identify the data in the table and then restrict access to the de-identified column.
C. Use Cloud KMS to encrypt the column values and store the encrypted data in BigQuery.
D. Enable CMEK on the dataset, create an authorized view that excludes the sensitive column, and grant view access to users.

Answer: D

CMEK secures data at rest, and authorized views limit exposure.

Why this answer

Option D is correct because enabling CMEK on the dataset ensures all data, including SSNs, is encrypted at rest with customer-managed keys. Creating an authorized view that excludes the sensitive column and granting view access to users prevents exposure of SSNs in query results while still allowing access to non-sensitive data. This approach meets both the encryption and access control requirements without requiring manual encryption or de-identification.

Exam trap

Google Cloud often tests the misconception that manual encryption (e.g., Cloud KMS or DLP) is required for column-level protection, when in fact BigQuery's native CMEK combined with authorized views provides automatic encryption at rest and access control without custom encryption logic.

How to eliminate wrong answers

Option A is wrong because creating a separate table with encrypted columns does not automatically encrypt existing SSNs at rest; CMEK on the dataset encrypts all data at rest, but the separate table approach adds complexity and does not prevent future queries from exposing SSNs unless access is restricted. Option B is wrong because Cloud DLP de-identifies data (e.g., masking or tokenization) but does not encrypt at rest with CMEK; it also does not prevent users with direct table access from querying the original SSNs if the de-identified column is separate. Option C is wrong because using Cloud KMS to encrypt column values and storing encrypted data in BigQuery requires manual encryption/decryption logic in queries, which is error-prone and does not leverage BigQuery's native CMEK for automatic encryption at rest; it also fails to prevent exposure if users have access to the raw encrypted data.

81
MCQ · hard

A healthcare organization is migrating sensitive patient data to Google Cloud and must comply with HIPAA. They plan to use Cloud SQL for MySQL with CMEK for encryption at rest. The security team is concerned about key management and access logging. Which additional measure should be implemented to meet HIPAA audit requirements?

A. Configure VPC Service Controls to restrict access to the Cloud SQL instance.
B. Use Cloud DLP to de-identify the data before storing it in Cloud SQL.
C. Enable Data Access audit logs for the Cloud SQL instance and Cloud KMS key.
D. Store the CMEK keys in Cloud HSM to meet FIPS 140-2 Level 3 requirements.

Answer: C

Data Access audit logs record all accesses to data and keys, satisfying HIPAA audit trail requirements.

Why this answer

Option C is correct because HIPAA audit requirements mandate that access to protected health information (PHI) and the keys protecting it must be logged. Enabling Data Access audit logs on both the Cloud SQL instance and the Cloud KMS key captures read, write, and administrative operations, providing the necessary audit trail for compliance. Without these logs, the organization cannot demonstrate who accessed the data or the encryption keys, which is a core HIPAA requirement.

Exam trap

Google Cloud often tests the distinction between security controls that prevent access (like VPC Service Controls or HSM) and controls that provide auditability (like Data Access audit logs), leading candidates to pick a security measure that does not fulfill the specific audit requirement.

How to eliminate wrong answers

Option A is wrong because VPC Service Controls restrict data exfiltration and access boundaries but do not generate the detailed audit logs required by HIPAA for tracking access to PHI and encryption keys. Option B is wrong because Cloud DLP de-identifies data before storage, which can reduce compliance scope but does not address the audit logging requirement for key management and data access. Option D is wrong because storing CMEK keys in Cloud HSM meets FIPS 140-2 Level 3 for key security but does not provide the access logging needed to satisfy HIPAA audit requirements.

82
Multi-Select · easy

A company must ensure that all data stored in Google Cloud remains within specific geographic regions to meet data residency regulations. Which TWO methods enforce data location restrictions? (Choose TWO.)

Select 2 answers
A. VPC Service Controls
B. Cloud Data Loss Prevention scan
C. Organization Policy constraints (constraints/gcp.resourceLocations)
D. Cloud Storage bucket custom locations (e.g., US, EU)
E. Cloud Interconnect

Answers: C, D

This policy limits resource creation to specified locations, enforcing data residency.

Why this answer

Option C is correct because Organization Policy constraints, specifically `constraints/gcp.resourceLocations`, allow administrators to define a list of allowed geographic locations (e.g., `in:us-central1` or `in:europe-west1`) where Google Cloud resources can be created. This policy is enforced at the project, folder, or organization level, preventing resource creation outside the permitted regions, which directly addresses data residency requirements.

Exam trap

Google Cloud often tests the distinction between data location enforcement (Organization Policy constraints) and data access control (VPC Service Controls), causing candidates to mistakenly choose VPC Service Controls for geographic restrictions.

83
MCQ · medium

A company is deploying a multi-region application in Cloud Run and must comply with data residency requirements in the European Union (EU). They want to ensure that only EU-based Cloud Run instances are created. Which approach should they use?

A. Add a label to the Cloud Run service specifying the region and rely on developers to follow it.
B. Set an Organization Policy with constraints/gcp.resourceLocations to restrict allowed regions to EU regions.
C. Use VPC Service Controls to limit access to the Cloud Run service from outside the EU.
D. Configure VPC Firewall rules to only allow egress to EU IP addresses.

Answer: B

This policy will prevent creation of Cloud Run services outside the allowed regions.

Why this answer

Option B is correct because Organization Policies with the `constraints/gcp.resourceLocations` constraint allow administrators to enforce a list of allowed Google Cloud regions for resource creation. By setting this policy to include only EU-based regions (e.g., `europe-west1`, `europe-west4`), the company ensures that Cloud Run instances cannot be created outside the EU, directly meeting data residency compliance requirements. This is a preventive control that applies at the project or folder level, overriding any developer choices.

Exam trap

The trap here is that candidates confuse network-level controls (VPC Service Controls, Firewall rules) with resource location enforcement, thinking that restricting access or egress to EU IPs is equivalent to ensuring resources are physically created in EU regions.

How to eliminate wrong answers

Option A is wrong because relying on labels and developer discipline is not an enforceable compliance control; labels are metadata and do not prevent resource creation in non-EU regions. Option C is wrong because VPC Service Controls restrict data exfiltration and access to services from outside a VPC perimeter, but they do not restrict the geographic location where Cloud Run instances are created; they control network access, not resource placement. Option D is wrong because VPC Firewall rules control network traffic based on IP addresses, not the location of resource creation; they cannot prevent a Cloud Run service from being deployed in a non-EU region, and EU IP ranges do not map cleanly to region-based compliance requirements.

84
Matching · medium

Match each Cloud KMS key purpose to its description.


Concepts
Matches

Same key for encrypt and decrypt

Public key encrypt, private key decrypt

Private key signs, public key verifies

Periodically generate new key material

Bring your own key (BYOK) into Cloud KMS

Why these pairings

These are different key purposes and features in Cloud KMS.

85
MCQ · hard

A financial institution is subject to GDPR and requires encryption at rest for all data in Cloud Storage. They want to use CMEK but also need to log all key access events. Which combination of services meets both requirements with least effort?

A. Use Cloud HSM to protect keys, and enable Cloud Audit Logs for Cloud HSM.
B. Use CMEK with Cloud KMS and set key rotation every 30 days.
C. Use CSEK (customer-supplied encryption keys) and enable Cloud Audit Logs for all services.
D. Use CMEK with Cloud KMS and enable Cloud Audit Logs with Data Access audit logs for Cloud KMS.

Answer: D

CMEK uses Cloud KMS keys; Data Access logs record all key operations for compliance.

Why this answer

Option D is correct because Cloud KMS keys can be used with Cloud Storage via CMEK, and Cloud Audit Logs automatically log key access via Data Access audit logs. Option C is wrong because CSEK is deprecated. Option A is wrong because Cloud HSM is a hardware-backed key management service, but the key access logs are still in Cloud Audit Logs.

Option B is wrong because rotating keys is not required for compliance; logging access is.

86
MCQ · medium

A company uses Cloud Audit Logs for compliance. They want to capture all data access events to a Cloud Storage bucket containing sensitive data. What must they enable?

A. System Event audit logs
B. Admin Activity audit logs
C. Access Transparency logs
D. Data Access audit logs with a configuration to log all methods

Answer: D

Data Access audit logs must be enabled for Cloud Storage to record both read and write operations.

Why this answer

Data Access audit logs record API calls that read or modify customer data, such as reading objects from a Cloud Storage bucket. To capture all data access events, including reads and writes, you must enable Data Access audit logs and configure them to log all methods (not just admin methods). This ensures compliance by recording every access to the sensitive data.

Exam trap

Google Cloud often tests the distinction between Admin Activity logs (which log configuration changes) and Data Access logs (which log data reads/writes), and candidates mistakenly assume Admin Activity logs cover data access.

How to eliminate wrong answers

Option A is wrong because System Event audit logs capture non-data-access events like GCP system actions (e.g., automatic resource scaling), not user or service access to data. Option B is wrong because Admin Activity audit logs only record configuration changes (e.g., creating or deleting a bucket), not data reads or writes. Option C is wrong because Access Transparency logs provide visibility into Google personnel access to your data, not customer or application data access events.

87
MCQ · medium

A healthcare startup is using Google Cloud to process Protected Health Information (PHI) for a clinical study. They are HIPAA-compliant and use Cloud Storage with CMEK. They also use BigQuery to run analytics on de-identified data. The security team notices that some PHI data appears in BigQuery query results. Upon investigation, they find that a data engineer created a BigQuery table that directly references the Cloud Storage bucket containing PHI without using the de-identification pipeline. The startup needs to prevent any direct access to Cloud Storage from BigQuery unless it goes through the pipeline. They also need to ensure that any new datasets are automatically subject to the same restrictions. What should they do?

A. Enable Access Transparency logs and set up alerts for any direct access to Cloud Storage.
B. Use DLP API to automatically de-identify data in Cloud Storage before BigQuery reads it.
C. Use IAM conditions to restrict access to the Cloud Storage bucket only from the service account used by the pipeline.
D. Create a VPC Service Control perimeter around the pipeline project, and use an organization policy to require that Cloud Storage buckets be in a perimeter.

Answer: D

VPC Service Controls block direct access from BigQuery to Cloud Storage unless both are in the same perimeter.

Why this answer

Option D is correct because VPC Service Controls create a security perimeter around the pipeline project, preventing data exfiltration and unauthorized access to Cloud Storage from BigQuery unless the request originates from within the perimeter. The organization policy requiring Cloud Storage buckets to be in a perimeter ensures that any new datasets are automatically subject to the same restrictions, enforcing the de-identification pipeline as the only allowed path.

Exam trap

Google Cloud often tests the distinction between detective controls (logging) and preventive controls (perimeters), leading candidates to choose logging or IAM-based solutions that cannot enforce the 'no direct access' requirement across all new datasets.

How to eliminate wrong answers

Option A is wrong because Access Transparency logs only provide audit logs of access, not preventive controls; they cannot block direct access from BigQuery to Cloud Storage. Option B is wrong because the DLP API de-identifies data but does not enforce access control policies; it would require manual integration and does not automatically restrict new datasets. Option C is wrong because IAM conditions can restrict access to a specific service account, but they do not prevent BigQuery from directly referencing the Cloud Storage bucket if the service account used by BigQuery has permissions; they also do not automatically apply to new datasets.

88
Multi-Select · hard

Which THREE are capabilities of Assured Workloads? (Choose three.)

Select 3 answers
A. Location-based access controls through VPC Service Controls
B. Cloud Shell for browser-based terminal access
C. Cloud Interconnect for dedicated connectivity
D. Access Transparency logs for Google personnel actions
E. Customer-managed encryption keys (CMEK) support

Answers: A, D, E

Assured Workloads can enforce perimeters using VPC Service Controls.

Why this answer

Assured Workloads is a Google Cloud service that helps customers meet compliance requirements (e.g., FedRAMP, PCI DSS) by enforcing a set of security and data residency controls. Option A is correct because VPC Service Controls can be used to create a perimeter around the workload, restricting data access based on location (e.g., only allowing access from within a specific VPC or IP range), which is a key capability for compliance. Option D is correct because Access Transparency logs provide detailed logs of actions taken by Google personnel on customer data, which is critical for audit and compliance.

Option E is correct because Customer-Managed Encryption Keys (CMEK) allow customers to control the encryption keys used to protect their data, a fundamental requirement for many compliance frameworks.

Exam trap

Google Cloud often tests the distinction between general Google Cloud services (like Cloud Shell or Cloud Interconnect) and the specific compliance-enforcing capabilities of Assured Workloads, leading candidates to select broadly useful features that are not part of the Assured Workloads service itself.

89
Multi-Select · medium

A financial institution must meet SOX compliance requirements for audit trail integrity. Which THREE measures should they implement to ensure Cloud Audit Logs are immutable and securely stored?

Select 3 answers
A. Use VPC Service Controls to prevent exfiltration of logs.
B. Use customer-managed encryption keys (CMEK) with Cloud KMS for audit logs.
C. Export logs to Cloud Storage and apply a retention policy with a lock.
D. Set up Cloud IAM roles to restrict who can read audit logs.
E. Store logs in a Cloud Logging bucket with a retention policy locked via the Logs Retention API.

Answers: B, C, E

CMEK ensures only authorized keys can decrypt logs.

Why this answer

Option B is correct because using customer-managed encryption keys (CMEK) with Cloud KMS ensures that audit logs are encrypted with keys under the customer's control, preventing unauthorized decryption even by Google. This satisfies SOX requirements for data integrity and confidentiality, as the logs cannot be tampered with or accessed without the key.

Exam trap

Google Cloud often tests the distinction between access control (IAM, VPC Service Controls) and immutability (retention locks, CMEK), leading candidates to confuse preventing unauthorized access with preventing tampering or deletion.

90
MCQ · medium

A pharmaceutical company uses Google Cloud to process clinical trial data subject to HIPAA. They must ensure that only authorized applications can access the data, even if credentials are compromised. Which security control should they implement?

A. Use Workload Identity Federation to allow workloads to access data without service account keys.
B. Use service account impersonation with IAM conditions to restrict access to specific trusted applications.
C. Create a VPC Service Control perimeter that allows only specific service accounts to access the data.
D. Require MFA for users and use IAM roles to grant access.

Answer: B

Impersonation with conditions limits the use of service accounts to specific callers, reducing blast radius.

Why this answer

Option B is correct because service account impersonation with IAM conditions allows the company to bind access to specific trusted applications by requiring that the caller present a specific service account identity. Even if credentials are compromised, the attacker cannot impersonate that service account unless they also satisfy the IAM conditions (e.g., resource tags, IP ranges, or application identity). This directly addresses the requirement to restrict access to authorized applications only, as per HIPAA's minimum necessary standard.

Exam trap

The trap here is that candidates confuse authentication (who you are) with authorization (what you can do) and pick MFA or VPC perimeters, missing that the question explicitly requires application-level restriction even after credential compromise, which only impersonation with conditions provides.

How to eliminate wrong answers

Option A is wrong because Workload Identity Federation eliminates the need for service account keys but does not restrict access to specific applications; it only authenticates external workloads without keys, so a compromised credential could still be used from any federated identity. Option C is wrong because VPC Service Controls create a security perimeter around resources but do not enforce application-level authorization; they block data exfiltration based on network context, not application identity. Option D is wrong because MFA and IAM roles authenticate users, not applications; if a user's credentials are compromised, the attacker can still access data from any application the user has permission to use, failing the 'only authorized applications' requirement.

91
Multi-Select · hard

A company needs to comply with the General Data Protection Regulation (GDPR). They are using BigQuery to store personal data. Which THREE measures should they implement to meet GDPR requirements?

Select 3 answers
A. Enable audit logs via Cloud Audit Logs to track access to personal data.
B. Use Cloud KMS to encrypt individual columns containing personal data.
C. Store data in a multi-region location like 'EU' to ensure availability across regions.
D. Use Cloud DLP to classify and de-identify sensitive columns before loading into BigQuery.
E. Enable data deletion by using DML statements to remove personal data when requested.

Answers: A, D, E

Audit logs are necessary for demonstrating compliance.

Why this answer

Option A is correct because Cloud Audit Logs provide a comprehensive, immutable record of all administrative and data access activities in BigQuery, which is essential for demonstrating GDPR compliance through accountability and traceability. By enabling audit logs, the company can track who accessed personal data, when, and from where, fulfilling the GDPR requirement to maintain records of processing activities.

Exam trap

Google Cloud often tests the misconception that encryption (like Cloud KMS) is a primary GDPR measure for BigQuery, when in reality BigQuery's default encryption already meets encryption requirements, and the focus should be on access control, auditability, and data lifecycle management.

92
MCQ · easy

A company needs to store PII in Google Cloud and comply with GDPR data residency requirements. What is the primary Google Cloud feature to enforce data residency?

A. Organization policies
B. Cloud Data Loss Prevention
C. Cloud KMS
D. VPC Service Controls

Answer: D

VPC Service Controls allow you to create perimeters that restrict data movement and access based on location, supporting data residency compliance.

Why this answer

VPC Service Controls (option D) is the primary Google Cloud feature to enforce data residency because it allows you to define perimeters that restrict data movement and access to specific Google Cloud services within a chosen region. By creating a VPC Service Controls perimeter, you can prevent data from being copied or accessed outside of the allowed geographic boundaries, directly addressing GDPR data residency requirements. This is achieved through context-aware access policies that block egress of data to unauthorized regions, even if an attacker gains access to a project.

Exam trap

Google Cloud often tests the misconception that Organization policies (option A) are sufficient for data residency, but in reality, they only restrict resource creation locations, not data movement or access, which is why VPC Service Controls is the correct answer for enforcing residency at the data plane level.

How to eliminate wrong answers

Option A is wrong because Organization policies are used to set constraints on resource usage (e.g., restricting resource locations or disabling service creation), but they do not enforce data residency by controlling data movement or access at the network level; they are a higher-level governance tool, not a data residency enforcement mechanism. Option B is wrong because Cloud Data Loss Prevention (DLP) is designed to inspect, classify, and de-identify sensitive data (like PII) but does not enforce geographic restrictions on where data can be stored or processed; it focuses on data protection, not residency. Option C is wrong because Cloud KMS manages encryption keys for data at rest and in transit but has no capability to restrict data to a specific region or prevent data from leaving a geographic boundary; it is a key management service, not a data residency control.

93
MCQ · hard

A financial services company is migrating to Google Cloud and needs to meet SOX compliance. They have a production project containing a Cloud SQL instance with financial transactions. They must ensure that all database changes are logged, and logs are immutable for 7 years. They enabled Cloud Audit Logs for Cloud SQL and created a log sink to export Admin Activity logs to Cloud Storage. However, during a quarterly audit, the auditor cannot find logs for some SELECT queries that accessed sensitive columns. The company expected these SELECT queries to appear in audit logs because they enabled Data Access audit logs for Cloud SQL. You discover that the Data Access audit logs were enabled at the project level, but the log sink only exports Admin Activity logs. Additionally, auditors require that logs cannot be deleted before the retention period. What should you do?

A.Enable VPC Flow Logs and export them to Cloud Storage with a 7-year retention policy.
B.Export logs to BigQuery with table expiration of 7 years and use IAM to restrict deletion.
C.Enable Data Access audit logs at the Cloud SQL instance level and export them to a separate Cloud Storage bucket with a 7-year retention policy.
D.Modify the log sink to include Data Access audit logs and update the Cloud Storage bucket to have a 7-year retention policy and object holds.
AnswerD

This ensures all audit logs are exported and immutable for the required period.

Why this answer

Option D is correct because the root cause is the sink filter: it exports only Admin Activity logs (`cloudaudit.googleapis.com%2Factivity`), while the accesses the auditor wants are Data Access logs (`cloudaudit.googleapis.com%2Fdata_access`), which the project generates but never exports. Widening the sink filter to include Data Access logs closes the gap going forward; a sink does not backfill, so entries that have already aged out of Cloud Logging are gone. A seven-year bucket retention policy then prevents objects from being deleted or overwritten before they are that old; lock the policy so it cannot be shortened or removed, and use object holds for anything that must outlast it, for example during litigation. One caveat a practitioner should know: Cloud SQL only records individual SQL statements when the engine's audit facility is enabled (pgAudit for PostgreSQL, the audit plugin for MySQL); those statement-level entries are then written to Cloud Logging as Data Access audit logs, so they need both that engine-side setup and the widened sink filter before a SELECT against a sensitive column will show up in the bucket.

Exam trap

Google Cloud often tests the misconception that turning on Data Access audit logs is enough. Generating the logs and exporting them are separate configurations: the sink's filter decides what leaves Cloud Logging, and the destination's own settings decide whether it can later be deleted. Immutability in Cloud Storage comes from a retention policy that has been locked; object holds are an additional per-object control for exceptional cases, not a substitute for the retention policy.

How to eliminate wrong answers

Option A is wrong because VPC Flow Logs capture network traffic metadata, not database query logs, and they do not address the missing SELECT queries or the log sink configuration. Option B is wrong because exporting to BigQuery with table expiration does not provide immutable storage; authorized users can still delete or modify the tables, and the requirement is for immutable logs in Cloud Storage. Option C is wrong because re-enabling Data Access audit logs at the instance level is redundant (they are already enabled at the project level) and exporting to a separate bucket does not fix the core problem, which is that the sink filter never selects Data Access logs; it also says nothing about making the bucket immutable with a locked retention policy, which the scenario requires.

94
Multi-Selecthard

A global e-commerce company must comply with GDPR and CCPA. They use BigQuery to store customer data and need to ensure that when a user requests data deletion, all copies are deleted within 30 days. Additionally, they want to minimize storage costs. Which TWO actions should they take?

Select 2 answers
A.Use the DDL statement to drop the table after 30 days using a scheduled query.
B.Create a Cloud Function to export the data before deletion.
C.Set a table retention policy of 30 days using ALTER TABLE SET OPTIONS.
D.Set the Time Travel window to 7 days and the Fail-safe storage window to 23 days.
E.Use BigQuery continuous backups with a 30-day retention.
AnswersA, D

A scheduled DROP TABLE deletes the data on the company's own timetable and stops storage charges; the time travel and fail-safe windows then bound how long a recoverable copy still exists.

Why this answer

Option A is correct because a scheduled query that runs a DDL statement (DROP TABLE, or a DELETE for the rows of one data subject) removes the live copy of the data on the schedule the company controls, and dropping the table ends storage charges for it. Two caveats matter for the 30-day deadline. First, BigQuery keeps dropped or deleted data in time travel (configurable per dataset between 2 and 7 days via `max_time_travel_hours`) and then in a fixed 7-day fail-safe period, so a drop on day 30 leaves a recoverable copy for up to 14 more days; to have every copy gone by day 30, schedule the deletion no later than day 16. Second, Option D, the page's second answer, is only half configurable: the time travel window can be shortened to 2 days, but the fail-safe period is fixed at 7 days and cannot be set by the customer, so the realistic lever for minimizing retained copies (and their cost) is the time travel window plus an earlier scheduled deletion.

Exam trap

Google Cloud often tests the misconception that BigQuery has a bucket-style retention policy for tables. `ALTER TABLE ... SET OPTIONS` can set `expiration_timestamp`, which is when the table is deleted, but that is an expiry, not a retention guarantee; what happens to deleted data afterwards is governed by the dataset's time travel window and the fixed fail-safe period, not by a table-level option.

95
Drag & Dropmedium

Drag and drop the steps to configure a Cloud NAT for private VM instances in the correct order.

Why this order

The steps depend on each other in this order: create a Cloud Router in the VPC network and region of the private subnet; create a Cloud NAT gateway on that router; choose which subnets and IP ranges the gateway translates (all primary and secondary ranges, or an explicit list); confirm the VMs have no external IP address, since an instance with one bypasses NAT; and test outbound connectivity from a VM, for example by fetching an external URL, with NAT logging enabled if the translations need to be recorded.

96
MCQmedium

A healthcare organization is migrating to Google Cloud and needs to ensure that all data stored in Cloud Storage is encrypted at rest with customer-managed encryption keys (CMEK) to meet HIPAA requirements. The security team wants to centrally manage key rotation and access. Which solution should they implement?

A.Use Cloud Data Loss Prevention (DLP) to de-identify data before storing.
B.Use Cloud Hardware Security Module (Cloud HSM) with CMEK.
C.Use Cloud Key Management Service (Cloud KMS) with CMEK and enable key rotation.
D.Use customer-supplied encryption keys (CSEK) stored in Cloud Storage.
AnswerC

Cloud KMS provides centralized key management, rotation, and integrates with Cloud Storage for CMEK.

Why this answer

Option C is correct because Cloud KMS with CMEK allows the organization to centrally manage encryption keys, including automated key rotation, while keeping customer control over the keys that encrypt Cloud Storage data. This meets HIPAA requirements for encryption at rest with customer-managed keys, as Cloud KMS integrates directly with Cloud Storage to enforce encryption using the specified key. One caveat: rotating the key creates a new primary key version for new writes, but objects already in the bucket stay encrypted under the version that wrote them; if policy requires existing data to move to the new version, the objects must be rewritten (for example with `gcloud storage objects update --encryption-key` or a rewrite job), and the old versions must not be destroyed while any object still depends on them.

Exam trap

The trap here is that candidates may confuse Cloud HSM with Cloud KMS, thinking that HSM is required for HIPAA compliance, but Cloud KMS with CMEK alone satisfies the requirement for customer-managed keys and key rotation without the added cost and complexity of HSM.

How to eliminate wrong answers

Option A is wrong because Cloud DLP is used for de-identification and masking of sensitive data, not for managing encryption keys or providing encryption at rest with customer-managed keys. Option B is wrong because Cloud HSM is a protection level for Cloud KMS keys (key material generated and held in FIPS 140-2 Level 3 validated hardware), not a separate service; it is a valid CMEK choice but not a HIPAA requirement, and it adds cost without changing how rotation and access are managed, which is what the question asks for. Option D is wrong because with customer-supplied encryption keys the caller sends the raw key with every request; Cloud Storage never stores the key itself, only a SHA-256 hash used to validate later requests, so there is nothing for Google Cloud to rotate or centrally control, and key distribution and rotation become the customer's operational problem.

97
Multi-Selectmedium

A company wants to audit all changes to IAM policies in their organization. They need to set up logging to capture these changes. Which TWO steps should they take? (Choose TWO.)

Select 2 answers
A.Enable Admin Activity audit logs for each individual project.
B.Enable System Event audit logs for the organization.
C.Enable Data Access audit logs for the organization.
D.Enable Admin Activity audit logs for the organization.
E.Configure a log sink to export these logs to BigQuery for analysis.
AnswersD, E

Admin Activity logs record IAM policy changes.

Why this answer

Admin Activity audit logs record operations that modify the configuration or metadata of resources, such as IAM policy changes (`SetIamPolicy` calls). They are always written and cannot be disabled, so "enabling" them at the organization level really means making sure they are collected there: an aggregated sink on the organization (`gcloud logging sinks create ... --organization=ORG_ID --include-children`) captures the entries from every folder and project beneath it and gives a single audit trail. IAM policy modifications are classified as admin activity, not system events or data access, which is why Option D rather than B or C is correct.

Exam trap

Google Cloud often tests the distinction between audit log types, and the trap here is that candidates confuse System Event logs (which handle infrastructure events) with Admin Activity logs, or assume that enabling logs per project is equivalent to enabling them at the organization level.
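The detection that sits behind question 97, as an added example that is not part of the original page: it selects Admin Activity entries for `SetIamPolicy` (the same condition expressed as a Logs Explorer filter) and flattens the policy delta into one record per binding change, flagging grants of high-privilege roles. `SAMPLE_ENTRIES` is constructed to mirror the JSON that `gcloud logging read --format=json` returns for a Resource Manager `SetIamPolicy` call; the project, principals and timestamps are invented, and `HIGH_RISK_ROLES` is an assumed policy list.

```python
"""Detect IAM policy changes in Cloud Audit Log Admin Activity entries (added example)."""
from __future__ import annotations

import json
from dataclasses import dataclass

# The same selection as a Logs Explorer or sink filter.
IAM_CHANGE_FILTER = (
    'logName:"cloudaudit.googleapis.com%2Factivity" '
    'AND protoPayload.methodName="SetIamPolicy"'
)

# Assumed policy: grants of these roles should alert, not merely be recorded.
HIGH_RISK_ROLES = {
    "roles/owner",
    "roles/editor",
    "roles/iam.securityAdmin",
    "roles/resourcemanager.organizationAdmin",
}


@dataclass(frozen=True)
class IamChange:
    timestamp: str
    principal: str   # who called SetIamPolicy
    resource: str    # project, folder or organization whose policy changed
    action: str      # ADD or REMOVE
    role: str
    member: str

    @property
    def high_risk(self) -> bool:
        return self.action == "ADD" and self.role in HIGH_RISK_ROLES


def is_iam_policy_change(entry: dict) -> bool:
    """Code equivalent of IAM_CHANGE_FILTER."""
    log_name = entry.get("logName", "")
    method = entry.get("protoPayload", {}).get("methodName", "")
    return log_name.endswith("cloudaudit.googleapis.com%2Factivity") and method == "SetIamPolicy"


def extract_changes(entries: list[dict]) -> list[IamChange]:
    """Flatten each SetIamPolicy entry into one record per binding delta."""
    changes: list[IamChange] = []
    for entry in entries:
        if not is_iam_policy_change(entry):
            continue
        payload = entry["protoPayload"]
        principal = payload.get("authenticationInfo", {}).get("principalEmail", "<unknown>")
        # Resource Manager writes the before/after diff as serviceData.policyDelta.bindingDeltas
        deltas = payload.get("serviceData", {}).get("policyDelta", {}).get("bindingDeltas", [])
        for delta in deltas:
            changes.append(IamChange(
                timestamp=entry.get("timestamp", ""),
                principal=principal,
                resource=payload.get("resourceName", ""),
                action=delta.get("action", ""),
                role=delta.get("role", ""),
                member=delta.get("member", ""),
            ))
    return changes


def high_risk_grants(entries: list[dict]) -> list[IamChange]:
    return [c for c in extract_changes(entries) if c.high_risk]


# Constructed sample: one SetIamPolicy with two deltas, one Data Access read
# and one unrelated Admin Activity entry (both of which must be ignored).
SAMPLE_ENTRIES = json.loads(r"""[
 {"logName": "projects/acme-prod/logs/cloudaudit.googleapis.com%2Factivity",
  "timestamp": "2024-05-03T10:15:42.101Z",
  "protoPayload": {"@type": "type.googleapis.com/google.cloud.audit.AuditLog",
    "methodName": "SetIamPolicy", "resourceName": "projects/acme-prod",
    "authenticationInfo": {"principalEmail": "alice@example.com"},
    "serviceData": {"policyDelta": {"bindingDeltas": [
      {"action": "ADD", "role": "roles/owner", "member": "user:mallory@example.com"},
      {"action": "REMOVE", "role": "roles/viewer", "member": "user:bob@example.com"}]}}}},
 {"logName": "projects/acme-prod/logs/cloudaudit.googleapis.com%2Fdata_access",
  "timestamp": "2024-05-03T10:16:00.000Z",
  "protoPayload": {"methodName": "storage.objects.get",
    "resourceName": "projects/_/buckets/acme-data/objects/report.csv",
    "authenticationInfo": {"principalEmail": "svc@acme-prod.iam.gserviceaccount.com"}}},
 {"logName": "projects/acme-prod/logs/cloudaudit.googleapis.com%2Factivity",
  "timestamp": "2024-05-03T10:20:00.000Z",
  "protoPayload": {"methodName": "v1.compute.instances.insert",
    "resourceName": "projects/acme-prod/zones/us-central1-a/instances/web-1",
    "authenticationInfo": {"principalEmail": "alice@example.com"}}}
]""")

if __name__ == "__main__":
    for change in extract_changes(SAMPLE_ENTRIES):
        flag = "  <-- HIGH RISK" if change.high_risk else ""
        print(f"{change.timestamp} {change.principal} {change.action} {change.role} "
              f"{change.member} on {change.resource}{flag}")
```

In production the same filter goes on an organization-level aggregated sink whose destination (BigQuery or Pub/Sub) feeds this logic; the `bindingDeltas` field is present on Resource Manager entries, while other services' `SetIamPolicy` entries carry the full new policy in `protoPayload.request`, which would need a before/after diff instead.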

98
Multi-Selectmedium

A company must enforce that no data can be accessed from outside a specific set of Google Cloud projects. They want to ensure that only authorized services can communicate between projects. Which TWO controls should they implement? (Choose TWO.)

Select 2 answers
A.Access Context Manager
B.VPC Service Controls
C.Cloud Armor
D.Identity-Aware Proxy (IAP)
E.Cloud NAT
AnswersA, B

Access Context Manager defines and manages context-aware access policies that can be used with VPC Service Controls to enforce access based on context.

Why this answer

VPC Service Controls enforce a service perimeter at the Google API layer: calls to the protected services (Cloud Storage, BigQuery, and so on) from outside the perimeter's projects are denied, which is what stops data being read from outside the approved set of projects. Access Context Manager supplies the access levels (source IP ranges, device posture, principals) that the perimeter's ingress and egress rules reference, so the only cross-perimeter traffic allowed is what those rules describe.

99
MCQmedium

A financial services company is required to retain audit logs for at least 7 years to comply with PCI-DSS. They have enabled Data Access audit logs for Cloud Audit Logs. However, after 6 months they notice that older logs are being automatically deleted. What is the most likely cause?

A.The default retention period for Cloud Audit Logs is 30 days, and logs are automatically deleted after that.
B.The log sink exporting to Cloud Storage has been deleted.
C.The log sink filter is incorrectly excluding certain log entries.
D.An IAM policy has revoked the Logs Viewer role for the security team.
AnswerA

Data Access audit logs land in the project's `_Default` Cloud Logging bucket, which keeps entries for 30 days unless that retention is raised or the logs are routed to longer-term storage.

Why this answer

Data Access audit logs are routed to the `_Default` Cloud Logging bucket, whose retention is 30 days by default. After that they are deleted unless the bucket's retention is raised (it can be set as high as 3650 days) or a sink routes them to a long-term destination such as Cloud Storage. Admin Activity and System Event logs behave differently: they go to the `_Required` bucket, which keeps them for 400 days and cannot be reconfigured. The company enabled Data Access logs but left `_Default` at 30 days, so everything older than that was purged, which is exactly what they observe after six months.

Exam trap

Google Cloud often tests the misconception that log deletion is caused by misconfigured exports or IAM permissions, when in fact the default retention period for Cloud Audit Logs is the primary reason for automatic deletion, especially for Data Access audit logs.

How to eliminate wrong answers

Option B is wrong because deleting a log sink that exports to Cloud Storage would stop new logs from being exported, but it would not cause existing logs in Cloud Audit Logs to be automatically deleted; the default retention deletion is independent of sink configuration. Option C is wrong because an incorrectly excluding sink filter would affect which logs are exported, not the retention or deletion of logs already stored in Cloud Audit Logs. Option D is wrong because revoking the Logs Viewer role for the security team would prevent them from viewing logs, but it would not cause logs to be automatically deleted; deletion is governed by retention policies, not IAM permissions.

100
MCQmedium

A retail company processes customer payment data and must comply with PCI DSS. They use Cloud SQL for database storage. They need to ensure that all database backups are encrypted at rest. What should they do?

A.Use Cloud HSM to generate a key and store in Cloud Storage for backup encryption.
B.Enable Cloud DLP to inspect and encrypt backup data.
C.No additional action required; Cloud SQL automatically encrypts backups.
D.Use Cloud KMS to create a CMEK key and attach it to the Cloud SQL instance.
AnswerC

Cloud SQL encrypts all data at rest by default.

Why this answer

C is correct because Cloud SQL automatically encrypts all data at rest, including automated and on-demand backups, using Google-managed encryption keys by default or, if the instance was created with one, its customer-managed key (backups use the same key as the instance). No additional action is required to get encrypted backups; it is a built-in property of the service, and PCI DSS requires that stored cardholder data be rendered unreadable, which default encryption at rest satisfies.

Exam trap

Google Cloud often tests the misconception that you must explicitly enable or configure encryption for Cloud SQL backups, when in fact Google Cloud automatically encrypts all data at rest by default, including backups, using server-side encryption.

How to eliminate wrong answers

Option A is wrong because Cloud HSM is a protection level for Cloud KMS keys (key material generated and held in FIPS 140-2 Level 3 hardware, and not exportable), not a separate encryption mechanism; such a key is used by attaching it to the instance as its CMEK, and "storing it in Cloud Storage" is neither possible for an HSM-backed key nor a sound place for any key. Option B is wrong because Cloud DLP is a data loss prevention service for inspecting and de-identifying sensitive data, not for encrypting backups at rest. Option D is wrong because, while a Cloud KMS key can be attached to a Cloud SQL instance as CMEK so that its data and backups use a customer-controlled key, that is an optional configuration rather than a required action; the question asks what they 'should do' to ensure backups are encrypted, and the default encryption already satisfies that.

101
MCQeasy

A company needs to meet compliance requirements that mandate they be notified about all actions performed by Google personnel on their data. Which Google Cloud feature should they enable?

A.Cloud Asset Inventory
B.Access Approval
C.Cloud Audit Logs for Admin Activities
D.Access Transparency
AnswerD

Access Transparency provides near real-time logs of actions by Google staff, satisfying compliance notification requirements.

Why this answer

Access Transparency logs provide records of actions taken by Google staff on customer data, fulfilling compliance notification requirements. It must be enabled at the organization level.

102
MCQeasy

A company has a single Google Cloud project with multiple VPC networks. They need to comply with PCI DSS requirement 1.3.2, which restricts inbound and outbound traffic to only what is necessary. They have a web application running on Compute Engine instances in a VPC with a public subnet and a private subnet. The web servers in the public subnet need to communicate with database servers in the private subnet. Currently, the security engineer has configured firewall rules to allow HTTP/HTTPS traffic from the internet to the web servers, and allow all traffic from the public subnet to the private subnet. The auditor flags that the rule allowing all traffic from the public subnet to the private subnet is too permissive. What should the security engineer do to meet the requirement while maintaining functionality?

A.Use VPC Service Controls to restrict access to the database instances.
B.Remove the firewall rule allowing all traffic from the public subnet to the private subnet, and rely on the default allow internal rule.
C.Change the existing rule to allow traffic only on ports 3306 and 443 from the public subnet to the private subnet.
D.Create a new firewall rule that allows TCP traffic on port 3306 (MySQL) from the web servers' service accounts to the database servers' IP ranges.
AnswerD

This restricts traffic to only the necessary port and source, meeting PCI DSS requirement.

Why this answer

Option D is correct because it implements a least-privilege firewall rule that restricts traffic to only the necessary MySQL port (3306) and uses service accounts as the source identity, which aligns with PCI DSS requirement 1.3.2. By specifying the web servers' service accounts as the source and the database servers' IP ranges as the destination, the rule ensures only authorized web server instances can initiate database connections, rather than allowing all traffic from the entire public subnet. This maintains the required functionality while eliminating the overly permissive 'allow all' rule. Identifying the target tier by service account (`--target-service-accounts`) rather than by IP range is stronger still, since addresses are reassigned when instances are recreated; note that a single VPC firewall rule cannot mix service accounts with network tags.

Exam trap

The trap here is assuming VPC Service Controls (Option A) govern instance-to-instance traffic, or that the `default-allow-internal` rule (Option B) is subnet-specific when it is a network-wide rule of the auto-mode default network (and absent from custom networks), or not noticing that HTTPS to the database servers (Option C) is unnecessary and therefore a least-privilege violation.

How to eliminate wrong answers

Option A is wrong because VPC Service Controls is designed to prevent data exfiltration by controlling access to Google Cloud APIs and managed services, not to restrict network-layer traffic between Compute Engine instances within a VPC; it does not replace firewall rules for instance-to-instance communication. Option B is wrong because the `default-allow-internal` rule exists only in the auto-mode `default` network, where it allows TCP, UDP and ICMP from 10.128.0.0/9, the whole network's address space; a custom VPC network has only the implied rules (deny all ingress, allow all egress), so there may be nothing to 'rely on' at all. In either case the rule does not distinguish the public subnet from the private one and fails least privilege. Option C is wrong because allowing traffic on port 443 (HTTPS) from the public subnet to the private subnet is unnecessary and introduces additional attack surface, as database servers typically do not serve HTTPS; only port 3306 (MySQL) is needed for the web-to-database communication.

103
Multi-Selectmedium

Which TWO actions should be taken to ensure that a Google Cloud environment meets PCI-DSS requirements for protecting cardholder data? (Choose two.)

Select 2 answers
A.Use IAM roles to restrict access to cardholder data to the minimum necessary.
B.Encrypt all transmission of cardholder data using TLS 1.2 or higher.
C.Use Cloud Data Loss Prevention to tokenize all credit card numbers before storage.
D.Implement a Web Application Firewall (WAF) such as Cloud Armor to protect against web-based attacks.
E.Enable automatic DLP inspection triggers for all Cloud Storage buckets.
AnswersB, D

PCI-DSS requirement 4.1 mandates encryption of cardholder data over public networks.

Why this answer

Option B is correct because PCI-DSS Requirement 4 mandates that cardholder data be protected with strong cryptography during transmission over open, public networks; TLS 1.2 or higher is the accepted floor now that SSL and early TLS are prohibited, and Google Cloud services such as HTTPS load balancers and Cloud VPN support it natively. Option D is correct because the standard also requires public-facing web applications to be protected against known attacks either by regular application security assessment or by an automated technical solution such as a web application firewall (Requirement 6.6 in v3.2.1, Requirement 6.4 in v4.0), which is the role Cloud Armor plays in front of an external HTTP(S) load balancer.

Exam trap

Google Cloud often tests the distinction between encryption in transit (TLS) and data protection at rest (tokenization, DLP scanning), leading candidates to pick storage-focused options like C or E instead of the transmission encryption requirement.

104
Multi-Selecteasy

A company is deploying a new application that must comply with HIPAA. They are using Google Cloud services. Which TWO services are required to be enabled with appropriate configurations to support HIPAA compliance?

Select 2 answers
A.Cloud Key Management Service (KMS) with customer-managed keys (CMEK)
B.Cloud Armor
C.Cloud Audit Logs
D.Cloud Content Delivery Network (CDN)
E.Cloud Functions
AnswersA, C

Nothing in HIPAA names a Google Cloud product; the page's answer maps CMEK to the Security Rule's encryption specification and Cloud Audit Logs to its audit-controls requirement.

Why this answer

The HIPAA Security Rule requires covered entities and business associates to implement audit controls (45 CFR 164.312(b)) and treats encryption of ePHI at rest as an addressable specification (164.312(a)(2)(iv)): it must be implemented, or the organization must document why an equivalent measure is appropriate. Google Cloud encrypts data at rest by default, so CMEK is not strictly necessary for that specification; what CMEK adds is customer control over the key lifecycle (creation, rotation, disabling, destruction) and IAM control over who may use the key, which lets the organization document key management as its own policy rather than Google's. Cloud Audit Logs (Admin Activity always on, Data Access logs enabled for the services that hold PHI) provide the audit trail the audit-controls standard asks for. Before any of this matters, the organization must have accepted Google's HIPAA Business Associate Agreement and keep PHI within the services that agreement covers.

Exam trap

Google Cloud often tests the misconception that every security product must be turned on for HIPAA. The Security Rule specifies safeguards (access control, audit controls, integrity, transmission security), not products; Cloud Armor and Cloud CDN may be appropriate for a public web front end but are not what the Rule asks for, and Cloud Functions is simply compute. Of the options, only customer-controlled key management and audit logging map directly onto named safeguards.

105
MCQhard

A multi-national company needs to ensure that customer data stored in BigQuery is encrypted with customer-managed encryption keys (CMEK) and that the keys are rotated every 90 days. Additionally, the company must be able to audit all key usage. Which steps are required to implement this compliance requirement?

A.Create a Cloud External Key Manager (EKM) key and configure BigQuery to use it. The EKM provider handles key rotation.
B.Create a Cloud KMS key ring with a key, disable automatic rotation, and use Cloud Functions to rotate the key manually every 90 days. Enable Admin Activity audit logs for Cloud KMS.
C.Create a Cloud KMS key ring with a key using a protection level of HSM and set a rotation period of 90 days. Then configure the BigQuery dataset to use this key.
D.Create a Cloud KMS key ring with a key using a protection level of software and set a rotation period of 90 days. Then configure BigQuery to use the key and enable Data Access audit logs for Cloud KMS.
AnswerD

Software keys are acceptable; rotation period in KMS handles automatic rotation. Enabling Data Access audit logs for KMS captures key usage.

Why this answer

Option D is correct because it uses a Cloud KMS software-protection-level key with a 90-day rotation period, which meets the CMEK requirement for BigQuery. Enabling Data Access audit logs for Cloud KMS captures all key usage events, satisfying the auditing requirement. Automatic rotation in Cloud KMS handles the 90-day rotation without manual intervention, and BigQuery is configured to use the CMEK key for dataset encryption.

Exam trap

Google Cloud often tests the distinction between Admin Activity audit logs (which record configuration changes) and Data Access audit logs (which record data operations like key usage), leading candidates to choose options that omit the required Data Access logging.

How to eliminate wrong answers

Option A is wrong not because EKM keys are not CMEK (an EKM key is a CMEK with the EXTERNAL protection level) but because it moves rotation and key material to the external provider, so neither the 90-day rotation nor a complete record of key use can be enforced or audited from Cloud KMS alone. Option B is wrong because it disables automatic rotation and re-implements it with Cloud Functions, which is unnecessary and fragile when Cloud KMS rotates on a schedule natively, and because Admin Activity audit logs record only configuration changes such as creating or rotating a key; Encrypt and Decrypt calls are Data Access events and are logged only when Data Access audit logs are enabled for `cloudkms.googleapis.com`. Option C is wrong because the HSM protection level is not required (software keys satisfy the CMEK requirement at lower cost) and, more importantly, it never enables Data Access audit logs, so key usage would not be auditable.
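The check an auditor would run against the configuration that questions 96 and 105 describe, as an added example that is not part of the original page: it validates a CryptoKey's rotation and state, confirms that Data Access logging is enabled for Cloud KMS in the project IAM policy, and confirms that the BigQuery service agent may use the key. The three objects are constructed to mirror `gcloud kms keys describe --format=json`, `gcloud kms keys get-iam-policy --format=json` and `gcloud projects get-iam-policy --format=json`; the key name, project, project number and dates are invented.

```python
"""Cloud KMS CMEK compliance checks: rotation, state, audit logging, key access (added example)."""
from __future__ import annotations

import re

MAX_ROTATION_SECONDS = 90 * 86400   # the 90-day policy from the question
# BigQuery reaches the key through its per-project service agent; 123456789012 is an assumed project number.
BQ_SERVICE_AGENT = "serviceAccount:bq-123456789012@bigquery-encryption.iam.gserviceaccount.com"

KEY_COMPLIANT = {
    "name": "projects/acme-data/locations/europe-west1/keyRings/bq-ring/cryptoKeys/bq-cmek",
    "purpose": "ENCRYPT_DECRYPT",
    "rotationPeriod": "7776000s",               # 90 days, rendered as a protobuf Duration
    "nextRotationTime": "2025-04-01T00:00:00Z",
    "primary": {"state": "ENABLED"},
    "versionTemplate": {"protectionLevel": "SOFTWARE", "algorithm": "GOOGLE_SYMMETRIC_ENCRYPTION"},
}
# The same key with rotation never configured: the failure mode the auditor flags.
KEY_NO_ROTATION = {k: v for k, v in KEY_COMPLIANT.items() if k not in ("rotationPeriod", "nextRotationTime")}

KEY_IAM_POLICY = {"bindings": [
    {"role": "roles/cloudkms.cryptoKeyEncrypterDecrypter", "members": [BQ_SERVICE_AGENT]},
]}

PROJECT_IAM_POLICY = {
    "bindings": [{"role": "roles/cloudkms.admin", "members": ["group:kms-admins@example.com"]}],
    "auditConfigs": [{
        "service": "cloudkms.googleapis.com",
        "auditLogConfigs": [{"logType": "ADMIN_READ"}, {"logType": "DATA_READ"}, {"logType": "DATA_WRITE"}],
    }],
}


def duration_seconds(value: str) -> int:
    """Parse the Duration string the API returns, e.g. '7776000s' or '7776000.5s'."""
    m = re.fullmatch(r"(\d+)(?:\.\d+)?s", value)
    if not m:
        raise ValueError(f"unexpected duration {value!r}")
    return int(m.group(1))


def check_key(key: dict, max_rotation: int = MAX_ROTATION_SECONDS) -> list[str]:
    """Findings against the CMEK policy; an empty list means the key is compliant."""
    findings: list[str] = []
    if key.get("purpose") != "ENCRYPT_DECRYPT":
        findings.append("PURPOSE: key is not a symmetric encryption key")
    if key.get("primary", {}).get("state") != "ENABLED":
        findings.append("STATE: primary version is not ENABLED")
    period = key.get("rotationPeriod")
    if period is None:
        findings.append("NO_ROTATION: rotationPeriod is unset, the key will never rotate")
    else:
        days = duration_seconds(period) // 86400
        if duration_seconds(period) > max_rotation:
            findings.append(f"ROTATION_TOO_LONG: {days} days > {max_rotation // 86400}")
        if not key.get("nextRotationTime"):
            findings.append("NO_NEXT_ROTATION: rotationPeriod set but nextRotationTime missing")
    return findings


def data_access_logging_enabled(project_policy: dict, service: str) -> bool:
    """True when DATA_READ and DATA_WRITE are enabled for `service` or for allServices."""
    wanted = {"DATA_READ", "DATA_WRITE"}
    for cfg in project_policy.get("auditConfigs", []):
        if cfg.get("service") in (service, "allServices"):
            enabled = {c["logType"] for c in cfg.get("auditLogConfigs", [])}
            if wanted <= enabled:
                return True
    return False


def service_agent_can_use_key(key_policy: dict, member: str) -> bool:
    """The caller needs cryptoKeyEncrypterDecrypter on the key itself, not just a project role."""
    return any(
        b.get("role") == "roles/cloudkms.cryptoKeyEncrypterDecrypter" and member in b.get("members", [])
        for b in key_policy.get("bindings", [])
    )


if __name__ == "__main__":
    for key in (KEY_COMPLIANT, KEY_NO_ROTATION):
        print(key["name"].rsplit("/", 1)[-1], check_key(key) or "OK")
    print("kms data access logging:", data_access_logging_enabled(PROJECT_IAM_POLICY, "cloudkms.googleapis.com"))
    print("bigquery agent can use key:", service_agent_can_use_key(KEY_IAM_POLICY, BQ_SERVICE_AGENT))
```

Two practical constraints worth remembering when wiring this up for BigQuery: the key must live in the same location as the dataset (a `us` multi-region dataset needs a key in the `us` multi-region), and rotation only changes which version encrypts new writes; data already stored stays under the version that wrote it, so old versions must be kept enabled until nothing references them.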

106
Multi-Selectmedium

A multinational company is migrating sensitive workloads to Google Cloud and must comply with GDPR data residency requirements. Which TWO actions ensure data remains stored only within the European Union? (Choose TWO.)

Select 2 answers
A.Enable Cloud Audit Logs with export to a BigQuery dataset in the EU region.
B.Use Cloud Data Loss Prevention (DLP) to scan for sensitive data and verify it remains in the EU.
C.Use Customer-Managed Encryption Keys (CMEK) stored in a Cloud KMS key ring located in the EU.
D.Define an Organization Policy with constraints/gcp.resourceLocations to allow resource creation only in EU regions.
E.Set up VPC Service Controls to create a service perimeter that includes only EU regions.
AnswersD, E

This directly enforces data location by restricting resource deployment to approved regions.

Why this answer

Option D is correct because the Organization Policy constraint `gcp.resourceLocations` explicitly restricts the Google Cloud locations in which resources can be created. By allowing only EU locations (individual regions such as `europe-west1` and `europe-west4`, or the Google-maintained value group `in:eu-locations`, which picks up new EU regions without editing the policy), you enforce that all new resources are provisioned within the European Union. The constraint is evaluated at resource creation time; it does not move resources created before it was set, and it does not by itself stop a principal outside the EU from reading data stored inside it. Option E is the page's second answer; note that a VPC Service Controls perimeter is defined over projects and services, not regions, so it complements the location constraint by blocking API access to the protected services from outside the perimeter (and copies to projects outside it) rather than by pinning storage to a geography.

Exam trap

Google Cloud often tests the distinction between data residency enforcement (which requires location-based constraints like Organization Policies or VPC Service Controls) and data protection mechanisms (like encryption, logging, or scanning), leading candidates to mistakenly choose options that protect data but do not control where it is stored.

107
MCQhard

A company is using Cloud SQL for MySQL to store customer data subject to SOX compliance. They need to ensure that all database changes are audited and that logs are immutable. They have enabled audit logs and exported them to a Cloud Storage bucket. However, the auditor discovers that some logs were deleted from the bucket. What is the most likely cause?

A.The log sink filter is excluding certain events, causing incomplete export.
B.The bucket has retention policy enabled, which prevents deletion until the retention period expires.
C.The service account used for export does not have the storage.objects.delete permission.
D.The Cloud Storage bucket has a lifecycle rule that deletes objects after a set number of days.
AnswerD

If a lifecycle rule is set to delete objects, logs can be automatically removed, violating immutability requirements.

Why this answer

Option D is correct because Cloud Storage lifecycle rules can automatically delete objects after a specified number of days. If such a rule is configured on the bucket, it removes audit logs regardless of the export process, making them unavailable to the auditor; none of the other options explains the disappearance of objects that had already been written. A retention policy, even an unlocked one, blocks deletion (including lifecycle deletion) until an object reaches the retention age, so the rule could only have succeeded on a bucket with no retention policy or one that someone removed; locking the policy is what takes that second possibility away.

Exam trap

Google Cloud often tests the distinction between features that prevent deletion (retention policies, lock) versus features that cause deletion (lifecycle rules), and candidates mistakenly assume that enabling audit logs or exporting to a bucket guarantees immutability without considering bucket-level configurations.

How to eliminate wrong answers

Option A is wrong because a log sink filter controls which log entries are exported to the bucket, not the deletion of objects already stored in the bucket; missing events would not cause existing logs to be deleted. Option B is wrong because a retention policy prevents object deletion or overwrite until the retention period expires, so it would protect logs from deletion, not cause it. Option C is wrong because the service account used for export needs storage.objects.create permission to write logs, not storage.objects.delete; lacking delete permission would not cause logs to be deleted.

108
MCQeasy

A healthcare organization is migrating applications to Google Cloud and must comply with HIPAA. They plan to store protected health information (PHI) in Cloud Storage and BigQuery. The security engineer needs to ensure that all access to PHI is logged and that the data is encrypted at rest with customer-managed keys. The organization also requires that any audit logs containing PHI are stored in a separate project with restricted access. Which course of action meets all requirements?

A.Enable Data Access audit logs for Cloud Storage and BigQuery, and store logs in the same project. Use CMEK for encryption.
B.Use VPC Service Controls to create a perimeter around the project, and enable CMEK for encryption.
C.Enable Admin Read audit logs for Cloud Storage and BigQuery, and store logs in a different project. Use CSEK for encryption.
D.Enable Data Access audit logs for Cloud Storage and BigQuery, create a sink to route logs to a BigQuery dataset in a separate project, and use CMEK in the data project.
AnswerD

All requirements are met: logging enabled, logs stored separately with restricted access, and CMEK used.

Why this answer

Option D is correct because it meets all requirements: Data Access audit logs capture every access to PHI, a sink routes those logs to a BigQuery dataset in a separate project (fulfilling the separate-project storage requirement), and CMEK (customer-managed encryption keys) ensures encryption at rest with keys controlled by the organization. This combination satisfies HIPAA logging, encryption, and restricted-access log storage mandates.

Exam trap

Google Cloud often tests the Data Access audit log sub-types. Admin Read records reads of configuration and metadata (listing buckets, describing a dataset); Data Read and Data Write record reads and writes of the data itself, and only those show who touched PHI. The trap is choosing Option C on the strength of its separate-project storage, although Admin Read alone leaves actual data access unlogged.

How to eliminate wrong answers

Option A is wrong because storing audit logs in the same project as the PHI violates the requirement that logs containing PHI be kept in a separate project with restricted access. Option B is wrong because VPC Service Controls prevent data exfiltration at the API boundary but do not configure any logging of access to PHI and do not address the separate-project log storage requirement. Option C is wrong because Admin Read audit logs record only metadata and configuration reads, not reads or writes of the objects and rows that hold PHI, and because customer-supplied encryption keys are not supported by BigQuery at all and, in Cloud Storage, must be sent by the client with every request, which is neither centrally managed nor auditable in the way the requirement intends.
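One checker for the three log-pipeline failures on this page, as an added example that is not part of the original: question 93 (a sink that never selects Data Access logs), question 107 (a lifecycle rule deleting exported logs) and question 108 (logs that must land in a different project). The objects are constructed to mirror `gcloud logging sinks describe --format=json` and the Cloud Storage JSON API bucket resource (`storage.buckets.get`); the sink names, bucket names, projects and project numbers are invented, and the seven-year minimum is the figure from the questions.

```python
"""Audit a Cloud Logging sink and its destination for completeness, separation and immutability (added example)."""
from __future__ import annotations

import re

SEVEN_YEARS_SECONDS = 7 * 365 * 86400   # 220752000
SOURCE_PROJECT = "acme-prod"            # assumed project the sink lives in

SINK_BEFORE = {   # exports Admin Activity only: the SELECT queries never leave the project
    "name": "sox-audit-sink",
    "destination": "storage.googleapis.com/acme-sox-audit-logs",
    "filter": 'logName:"cloudaudit.googleapis.com%2Factivity"',
    "writerIdentity": "serviceAccount:service-123456789012@gcp-sa-logging.iam.gserviceaccount.com",
}
SINK_AFTER = {**SINK_BEFORE, "filter": (
    'logName:"cloudaudit.googleapis.com%2Factivity" OR '
    'logName:"cloudaudit.googleapis.com%2Fdata_access"')}

# Question 108's PHI access sink: BigQuery dataset in a separate, restricted project.
SINK_PHI = {
    "name": "phi-access-sink",
    "destination": "bigquery.googleapis.com/projects/acme-audit/datasets/phi_access_logs",
    "filter": 'logName:"cloudaudit.googleapis.com%2Fdata_access"',
}

BUCKET_BEFORE = {   # question 107: a lifecycle rule quietly deletes logs after 180 days
    "name": "acme-sox-audit-logs",
    "projectNumber": "123456789012",
    "lifecycle": {"rule": [{"action": {"type": "Delete"}, "condition": {"age": 180}}]},
}
BUCKET_AFTER = {   # locked 7-year retention; lifecycle only tiers objects down to Archive
    "name": "acme-sox-audit-logs",
    "projectNumber": "987654321098",
    "retentionPolicy": {"retentionPeriod": str(SEVEN_YEARS_SECONDS), "isLocked": True},
    "lifecycle": {"rule": [{"action": {"type": "SetStorageClass", "storageClass": "ARCHIVE"},
                            "condition": {"age": 365}}]},
}


def filter_covers_data_access(log_filter: str) -> bool:
    """True if the filter selects Data Access audit logs, either by naming them or by
    selecting the whole cloudaudit.googleapis.com family without a sub-type."""
    if re.search(r"cloudaudit\.googleapis\.com(%2F|/)data_access", log_filter):
        return True
    return bool(re.search(r'cloudaudit\.googleapis\.com"', log_filter))


def destination_project(destination: str) -> str | None:
    """Project in a BigQuery or Logging-bucket destination; None for Cloud Storage,
    whose bucket name does not encode the project (read projectNumber on the bucket instead)."""
    m = re.match(r"(?:bigquery|logging)\.googleapis\.com/projects/([^/]+)/", destination)
    return m.group(1) if m else None


def check_sink(sink: dict, source_project: str) -> list[str]:
    findings: list[str] = []
    if not filter_covers_data_access(sink.get("filter", "")):
        findings.append("FILTER: sink does not export Data Access audit logs")
    if destination_project(sink["destination"]) == source_project:
        findings.append("SAME_PROJECT: audit logs are stored in the project they audit")
    return findings


def check_log_bucket(bucket: dict, min_retention: int = SEVEN_YEARS_SECONDS) -> list[str]:
    findings: list[str] = []
    policy = bucket.get("retentionPolicy")
    if policy is None:
        findings.append("NO_RETENTION: bucket has no retention policy, objects can be deleted at any time")
    else:
        retention = int(policy["retentionPeriod"])          # seconds, as a string in the API
        if retention < min_retention:
            findings.append(f"RETENTION_SHORT: {retention // 86400} days < {min_retention // 86400}")
        if not policy.get("isLocked"):
            findings.append("UNLOCKED: retention policy can still be shortened or removed")
    for rule in bucket.get("lifecycle", {}).get("rule", []):
        age_days = rule.get("condition", {}).get("age")
        if rule.get("action", {}).get("type") == "Delete" and age_days is not None \
                and age_days * 86400 < min_retention:
            findings.append(f"LIFECYCLE_DELETE: objects deleted after {age_days} days")
    return findings


if __name__ == "__main__":
    for sink in (SINK_BEFORE, SINK_AFTER, SINK_PHI):
        print(sink["name"], check_sink(sink, SOURCE_PROJECT) or "OK")
    for bucket in (BUCKET_BEFORE, BUCKET_AFTER):
        print(bucket["name"], check_log_bucket(bucket) or "OK")
```

Two details the checker cannot see: the sink's `writerIdentity` must be granted `roles/storage.objectCreator` on the bucket (or `roles/bigquery.dataEditor` on the dataset) in the destination project, or the export silently fails, and widening the filter only affects entries written after the change, so the gap already noticed by the auditor cannot be backfilled.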
