PCSE · topic practice

Ensuring data protection practice questions

Practise Google Professional Cloud Security Engineer (PCSE) questions on ensuring data protection: original exam-style scenarios with answer choices, explanations, and analysis of common mistakes.

Courseiva uses original exam-style practice questions designed for learning and revision. The goal is to understand the concepts, recognise exam patterns, and improve through explanations — not memorise copied exam dumps.

Reviewed by Johnson Ajibi · MSc IT Security
20 questions · Domain: Ensuring data protection

What the exam tests

What to know about Ensuring data protection

Ensuring data protection questions test whether you can apply the concept in context, not just recognise a definition.

  • How the topic appears in realistic exam-style scenarios.
  • Which detail in the question changes the correct answer.
  • How to eliminate plausible but wrong options.
  • How to connect the question back to the wider exam objective.

Watch out for

Common Ensuring data protection exam traps

  • Answering from memory before reading the full scenario.
  • Missing a constraint such as cost, availability, security, scope or command context.
  • Choosing a broad answer when the question asks for the most specific fix.
  • Ignoring why the wrong options are tempting.

Practice set

Ensuring data protection questions

20 questions · select your answer, then reveal the explanation

A company stores sensitive customer data in Cloud Storage. They want to ensure that data is encrypted at rest using customer-managed encryption keys (CMEK) and that access to the key is audited. Which approach should they use?

A security engineer needs to protect sensitive data in BigQuery. The data includes columns with personally identifiable information (PII). They want to automatically mask PII data for users with the role 'analyst' but allow full access for 'admin' users. Which approach should they use?

A company is using Cloud SQL for MySQL to store financial data. They need to ensure that all data is encrypted at rest and in transit. What should they do?

A company is migrating on-premises data to Cloud Storage. They have regulatory requirements to encrypt data using keys managed by their on-premises hardware security module (HSM). Which solution should they use?

A company has a Cloud Storage bucket containing sensitive data. They want to ensure that only users with specific IAM roles can access the bucket, and that access is logged for audit purposes. They also want to prevent public access. Which configuration steps should they take?

A company is using Cloud Data Loss Prevention (DLP) to inspect and de-identify sensitive data in Cloud Storage. They want to classify data using infoTypes and apply de-identification techniques. Which TWO actions should they take?

A company uses BigQuery to store sensitive data and wants to implement data masking using policy tags. They have three user groups: data_engineers (full access), data_analysts (masked PII), and data_scientists (masked financial data). Which THREE steps should they take?

A security engineer runs the command in the exhibit. The command fails with an error: 'Permission denied: cryptoKeyVersions.encrypt'. What is the most likely cause?

Exhibit

Refer to the exhibit.

```
gcloud kms encrypt \
  --location=global \
  --keyring=my-keyring \
  --key=my-key \
  --plaintext-file=secret.txt \
  --ciphertext-file=secret.enc
```

A security engineer reviews the IAM policy for a Cloud Storage bucket as shown in the exhibit. Alice reports that she cannot upload objects to the bucket, while Bob can view objects. What is the most likely issue?

Exhibit

Refer to the exhibit.

```
{
  "bindings": [
    {
      "role": "roles/storage.objectViewer",
      "members": [
        "user:alice@example.com",
        "user:bob@example.com"
      ]
    },
    {
      "role": "roles/storage.objectAdmin",
      "members": [
        "user:alice@example.com"
      ]
    }
  ]
}
```

A company stores sensitive customer data in Cloud Storage and uses CMEK with Cloud KMS. They want to ensure that data in transit to the storage bucket is always encrypted using TLS 1.2 or higher. Which configuration should they implement?

A healthcare organization stores PHI in BigQuery tables with row-level access policies. They need to ensure that data is automatically de-identified when exported to Cloud Storage for analytics. What is the most scalable solution with minimal manual intervention?

A company uses Cloud KMS to protect encryption keys for their Cloud SQL databases. They want to rotate keys every 30 days and ensure that old keys are retained for at least 90 days. What is the recommended approach?

Which TWO actions should a security engineer take to protect sensitive data in Cloud Storage buckets from accidental public exposure? (Choose two.)

Which THREE steps are required to implement field-level encryption for sensitive columns in a Cloud SQL for PostgreSQL database using Cloud KMS? (Choose three.)

Refer to the exhibit. A security engineer runs this command to check bucket permissions. What is the most significant security issue?

Exhibit

```
Resource: bucket 'my-data-bucket'
  IAM policy:
  - role: roles/storage.objectViewer
    members:
    - user:alice@example.com
    - domain:example.com
  - role: roles/storage.legacyBucketReader
    members:
    - allUsers
  Uniform bucket-level access: disabled
  ACLs:
  - entity: allUsers
    role: READER
```

You are a security engineer for a healthcare organization. You need to protect sensitive patient data stored in Cloud Storage. You want to ensure that data is encrypted at rest using a customer-managed key (CMEK) and that access to the key is logged. You also need to prevent data exfiltration by limiting which service accounts can decrypt data. Which TWO steps should you take? (Choose two.)

Refer to the exhibit. You are analyzing the IAM policy for a project. You need to ensure that only authenticated users can access objects in bucket1 under the prefix "reports/". Which of the following statements is correct?

Exhibit

IAM policy for project my-project:

```
bindings:
- members:
  - user:alice@example.com
  - serviceAccount:sa-1@my-project.iam.gserviceaccount.com
  role: roles/storage.objectViewer
  condition:
    expression: resource.name.startsWith("projects/_/buckets/bucket1/objects/reports/")
- members:
  - user:bob@example.com
  role: roles/storage.objectAdmin
- members:
  - user:bob@example.com
  role: roles/compute.admin
- members:
  - serviceAccount:sa-1@my-project.iam.gserviceaccount.com
  role: roles/iam.workloadIdentityUser
- members:
  - serviceAccount:my-project@appspot.gserviceaccount.com
  role: roles/storage.objectAdmin
```

Your company runs a data analytics platform on Google Cloud that processes sensitive financial data. Data is ingested from various sources into a Cloud Storage bucket, then processed by Dataflow jobs, and final results are stored in BigQuery. You have implemented the following security controls:

  • VPC Service Controls perimeter around the project
  • Cloud KMS CMEK for all storage services
  • IAM conditions restricting access based on tags
  • Cloud Audit Logs enabled for all services

Recently, an auditor discovered that a compromised service account was able to read data from the Cloud Storage bucket even though it was outside the VPC Service Controls perimeter. The auditor reviewed the logs and found that the access came from a Compute Engine instance that was running within the same project. What is the most likely reason the VPC Service Controls perimeter did not block this access?

Drag and drop the steps to rotate a customer-managed encryption key (CMEK) in Cloud KMS in the correct order.


Drag and drop the steps to configure a security scanner to scan a web application in the correct order.



Frequently asked questions

What does the PCSE exam test about Ensuring data protection?
Ensuring data protection questions test whether you can apply the concept in context, not just recognise a definition.
How should I use these practice questions?
Select your answer before revealing the explanation. Then read why each option is right or wrong — this active recall approach builds retention far faster than re-reading notes.
Can I practise just Ensuring data protection questions in a focused session?
Yes — the session launcher on this page draws every question from the Ensuring data protection domain. Use a 10-question session first to gauge your baseline, then move to 20 or 30 once the weak spots are clear.
Where can I practise other PCSE topics?
Use the topic links above to move to related areas, or go back to the PCSE question bank to see all topics.
Are these real exam questions or dumps?
These are original practice questions written to test the same concepts the PCSE exam covers. They are not copied from any real exam or dump site.