CCNA Pcse Compliance Questions

75 questions · Pcse Compliance topic · All types, answers revealed

1
MCQ · hard

A company is implementing GDPR compliance and wants to ensure that personal data is pseudonymized in BigQuery. They plan to use Cloud DLP to tokenize data before loading. Which approach should they take to minimize changes to existing SQL queries?

A. Use Cloud Dataflow to tokenize the data during ingestion into BigQuery.
B. Use Cloud DLP integration with BigQuery via SQL functions like `DLP_TOKENIZE`.
C. Use Cloud KMS to encrypt the data at rest.
D. Use Cloud Functions to tokenize data after loading into BigQuery.
Answer: B

Exposing DLP tokenization as a SQL function keeps the existing queries (or the views in front of them) in their current shape; the tokenization call is wrapped once rather than rewritten into every query.

Why this answer

Of the four options, only B keeps the pseudonymization inside SQL, so existing queries need minimal change. Note that BigQuery has no built-in `DLP_TOKENIZE` function: the documented way to get this behaviour is a BigQuery remote function, a SQL function backed by a Cloud Functions or Cloud Run endpoint that calls the Cloud DLP de-identify API with a deterministic transform (for example `CryptoDeterministicConfig`), so that the same input always yields the same token and joins keep working. Pre-processing with Dataflow (A) changes how the data is stored and which columns the queries read.

Running Cloud Functions as a post-load batch (D) leaves raw data sitting in BigQuery until the batch runs and produces a second copy to govern. Cloud KMS (C) encrypts data at rest but does not tokenize.

2
MCQ · medium

A company needs to store financial records for 7 years to meet regulatory requirements. They want to ensure that once written, the records cannot be modified or deleted by anyone, including cloud administrators. Which Cloud Storage feature should they enable?

A. Lifecycle management rules
B. Object Retention Lock with a locked retention policy
C. Object Versioning
D. Customer-Managed Encryption Keys (CMEK)
Answer: B

A bucket retention policy enforces WORM behaviour; once the policy is locked, objects cannot be deleted or overwritten until their retention period has expired.

Why this answer

A retention policy on a Cloud Storage bucket enforces WORM (Write Once, Read Many) semantics: no object in the bucket can be deleted or overwritten until it has aged past the retention period. Locking the policy (Bucket Lock) makes the policy itself permanent, so nobody, project owners included, can shorten or remove it; the period can only be increased, and the bucket cannot be deleted until every object has passed the retention period. Because locking is irreversible, set the period in seconds (7 years of 365 days is 220752000 seconds) and verify the configuration on a test bucket before locking it in production. Cloud Storage also offers per-object retention (Object Retention Lock) for cases where individual objects need their own retain-until dates; the bucket-level policy is the control that covers every object written to the bucket.

Object Versioning keeps prior versions but does not stop them being deleted. CMEK controls who may use the key, not whether objects can be deleted. Lifecycle management automates deletion, the opposite of what is required.

3
MCQ · hard

A company wants to enforce that all Cloud Storage buckets created in their organization have a retention policy for compliance. If a bucket is created without a retention policy, it should be automatically remediated. Which approach should they use?

A. Use an Organization Policy with a constraint to require a retention policy on all buckets and use Cloud Asset Inventory to enforce remediation.
B. Use Cloud DLP to scan buckets and add retention policies automatically.
C. Use Security Command Center to find non-compliant buckets and manually apply retention policies.
D. Use Cloud Audit Logs to detect bucket creation and trigger a Cloud Function to set a retention policy.
Answer: A

An organization policy constrains what can be created; a Cloud Asset Inventory feed detects buckets that still lack a compliant policy and drives remediation through a Cloud Function.

Why this answer

The answer pairs a preventive control with a detective one. Organization Policy's Cloud Storage retention constraint (`constraints/storage.retentionPolicySeconds`) limits the retention durations that buckets may carry, so a bucket with a non-compliant duration is rejected at creation. For buckets that nonetheless end up without a policy, a Cloud Asset Inventory feed on `storage.googleapis.com/Bucket` assets publishes every create and update to Pub/Sub, where a Cloud Function inspects the bucket's `retentionPolicy` and applies the default policy. Cloud Asset Inventory does not remediate by itself; it is the trigger. Because locking a retention policy is irreversible, the function should set the period and leave locking to an approved step.

Cloud DLP (B) classifies content and has nothing to do with bucket configuration. Security Command Center (C) can surface the finding, but that option relies on manual fixes. An audit-log-triggered function (D) is a workable detective pattern, but it fires only on creation and misses an unlocked policy being removed later; the asset feed also reports those subsequent changes.
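The detective half of that answer, as an added worked example that is not code from the page: a Python handler for the Cloud Asset Inventory feed message that checks the bucket's retention policy and returns the remediation it would drive. It assumes the feed is delivered to Pub/Sub as JSON TemporalAsset messages whose `asset.resource.data` follows the Cloud Storage JSON API bucket resource (`retentionPolicy.retentionPeriod` as a string of seconds, `retentionPolicy.isLocked` as a boolean); the sample messages are constructed here, and the Storage API call that would actually apply the policy is left to the caller.

```python
"""Evaluate Cloud Asset Inventory feed messages for buckets without a compliant retention policy.

Added illustration, not code from the page. Assumes the feed arrives on Pub/Sub as
JSON TemporalAsset messages whose `asset.resource.data` mirrors the Cloud Storage
JSON API bucket resource. The real Cloud Function would act on the returned
`action` via the Storage API; here the decision is returned so it can be checked.
"""
import json
from typing import Optional

SEVEN_YEARS_SECONDS = 7 * 365 * 24 * 60 * 60  # 220752000, the unit the bucket setting expects
BUCKET_TYPE = "storage.googleapis.com/Bucket"


def evaluate_bucket(asset: dict, min_seconds: int = SEVEN_YEARS_SECONDS) -> dict:
    """Classify one bucket asset and state which remediation, if any, applies."""
    data = asset.get("resource", {}).get("data", {})
    name = data.get("name") or asset.get("name", "").rsplit("/", 1)[-1]
    policy = data.get("retentionPolicy")
    verdict = {"bucket": name, "compliant": False, "action": None, "reason": ""}
    if policy is None:
        verdict.update(action="set_retention_policy", reason="no retention policy")
        return verdict
    period = int(policy.get("retentionPeriod", "0"))
    if period < min_seconds:
        verdict.update(action="raise_retention_period",
                       reason=f"retention {period}s < required {min_seconds}s")
        return verdict
    if not policy.get("isLocked", False):
        # Locking is irreversible: set the period automatically, gate the lock on approval.
        verdict.update(action="lock_retention_policy_after_approval", reason="policy not locked")
        return verdict
    verdict.update(compliant=True, reason="locked retention policy meets requirement")
    return verdict


def handle_feed_message(payload: bytes) -> Optional[dict]:
    """Decode one Pub/Sub message from the feed; ignore deletions and non-bucket assets."""
    msg = json.loads(payload)
    asset = msg.get("asset")
    if msg.get("deleted") or asset is None:
        return None
    if asset.get("assetType") != BUCKET_TYPE:
        return None
    return evaluate_bucket(asset)


def _bucket_message(name, retention_policy=None, asset_type=BUCKET_TYPE) -> bytes:
    """Build a constructed feed message in the assumed TemporalAsset shape."""
    data = {"name": name, "location": "EU"}
    if retention_policy is not None:
        data["retentionPolicy"] = retention_policy
    return json.dumps({
        "asset": {"name": f"//storage.googleapis.com/{name}", "assetType": asset_type,
                  "resource": {"data": data}},
        "window": {"startTime": "2024-01-01T00:00:00Z"},
        "deleted": False,
    }).encode()


# Constructed sample messages: no policy, too short, unlocked, compliant, and a non-bucket asset.
SAMPLES = [
    _bucket_message("fin-records-new"),
    _bucket_message("fin-records-short", {"retentionPeriod": "31536000", "isLocked": False}),
    _bucket_message("fin-records-unlocked", {"retentionPeriod": "220752000", "isLocked": False}),
    _bucket_message("fin-records-ok", {"retentionPeriod": "220752000", "isLocked": True}),
    _bucket_message("vm-1", asset_type="compute.googleapis.com/Instance"),
]


def run_feed(messages=SAMPLES) -> list:
    """Process a batch of messages and return the verdicts for bucket assets."""
    return [v for v in (handle_feed_message(m) for m in messages) if v is not None]


if __name__ == "__main__":
    for verdict in run_feed():
        print(verdict)
```

The function distinguishes three remediation outcomes on purpose: setting or raising a period is safe to automate, but locking is permanent, so that outcome is reported for approval rather than applied blindly.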

4
MCQ · easy

A financial institution is required to retain records of all transactions for 7 years under regulatory compliance. They are using Cloud Storage for archive data and need to ensure that objects cannot be deleted or overwritten during the retention period. Which feature should they use?

A. Object lifecycle management
B. Bucket-level IAM conditions
C. Bucket-level versioning
D. Retention Policy with Retention Lock
Answer: D

A retention policy locked with Bucket Lock prevents object deletion or overwriting for the retention period, which meets the 7-year WORM requirement.

Why this answer

A bucket retention policy, once locked, enforces WORM (Write Once, Read Many) behaviour: objects cannot be deleted or overwritten until they have been held for the configured period, and the policy itself can no longer be shortened or removed. IAM conditions (B) only limit who may delete, which does not bind an owner who can change the policy; versioning (C) keeps old versions but still allows them to be deleted; lifecycle management (A) exists to delete or transition objects, not to protect them.

5
Multi-Select · hard

A healthcare company stores de-identified patient data in BigQuery for analytics. They must comply with HIPAA and ensure that re-identification is not possible. They also need to be able to join data on a per-patient basis for longitudinal studies. Which TWO strategies should they implement? (Choose 2)

Select 2 answers
A. Use Cloud DLP to mask patient identifiers consistently across all tables.
B. Apply differential privacy to all queries using the Differential Privacy library in BigQuery.
C. Enable BigQuery column-level security to restrict access to identifiers.
D. Store patient identifiers in a separate, access-controlled dataset and join using SQL.
E. Use Cloud DLP to tokenize patient identifiers with a consistent token.
Answers: A, E

A keyed, deterministic transform gives the same output for the same patient every time, so tables can still be joined on it without exposing the identifier.

Why this answer

Both correct options apply one consistent Cloud DLP de-identification transform to the identifier in every table, so the same patient maps to the same value everywhere and longitudinal joins keep working. In DLP terms that is a deterministic, keyed transform (for example `CryptoDeterministicConfig`, or `CryptoHashConfig` with a KMS-wrapped key), not plain character masking: replacing characters with a fixed symbol discards exactly the information a join needs. Differential privacy (B) deliberately prevents per-individual answers, so it breaks per-patient joins. Column-level security (C) and a separate identifier dataset (D) keep the real identifiers in the warehouse; they are access controls, not de-identification, and leave re-identification possible for anyone with access.

Treat the result as pseudonymised rather than anonymous: whoever holds the key can regenerate or reverse the tokens, so the key belongs in Cloud KMS with access separated from the analysts, and any re-identification mechanism must be kept out of the dataset to stay within HIPAA's de-identification rules.

6
MCQ · medium

A healthcare organization is required to protect Protected Health Information (PHI) stored in Cloud Storage. They want to automatically detect and redact PHI before storing it. Which Google Cloud service should they use?

A. Cloud Armor
B. Cloud Data Loss Prevention (DLP)
C. VPC Service Controls
D. Security Command Center
Answer: B

Cloud DLP has built-in detectors for PHI-related infoTypes and can redact or de-identify the matches, which supports the HIPAA requirement to protect PHI.

Why this answer

Cloud DLP inspects content for sensitive data types such as names, dates, medical record numbers and other PHI-related infoTypes, and can de-identify it (redaction, masking, tokenization) either as a de-identification job over Cloud Storage that writes the cleaned copy to an output bucket or as an inline API call in the ingestion pipeline, so that only the de-identified copy is stored. Cloud Armor is a WAF and DDoS control, VPC Service Controls bound where data can flow, and Security Command Center reports findings; none of them transform the data.

7
Multi-Select · medium

A company is implementing a data retention policy to comply with regulatory requirements. They need to retain certain BigQuery data for 7 years and ensure it cannot be deleted before the retention period ends. Which THREE steps should they take? (Choose three.)

Select 3 answers
A. Set a retention policy on the BigQuery dataset to prevent accidental deletion.
B. Use IAM conditions to restrict who can delete the dataset or table.
C. Use Cloud KMS to encrypt the data and destroy the key after 7 years.
D. Export the data to Cloud Storage and enable Bucket Lock with a 7-year retention policy.
E. Enable object lifecycle management to delete data after 7 years.
Answers: A, B, D

BigQuery has no WORM lock, so deletion is controlled through access rules and, for an authoritative copy, through an export to a locked Cloud Storage bucket.

Why this answer

BigQuery has no equivalent of Cloud Storage's retention lock. The closest dataset-level "retention" setting is the default table expiration, and it deletes data when it expires, so it must be left unset or set to at least 7 years so that nothing is removed early (A); BigQuery's time travel window of a few days does not substitute for retention. IAM conditions (B) limit who can delete datasets and tables, and Cloud Audit Logs show who tried. For data that must survive any administrator, export it to Cloud Storage and lock a 7-year retention policy with Bucket Lock (D).

Destroying the KMS key (C) or a lifecycle rule (E) are ways to make data unreadable or to delete it after 7 years; the question asks how to prevent premature deletion, not how to dispose of the data afterwards.

8
Multi-Select · medium

A company is migrating a PCI DSS-compliant application to GCP. They need to meet encryption requirements for cardholder data. Which TWO options satisfy PCI DSS encryption requirements? (Choose two.)

Select 2 answers
A. Use SHA-1 for SSL certificates.
B. Use Cloud External Key Manager (EKM) with a supported partner.
C. Use default Google encryption keys (Google-managed) for data at rest.
D. Use TLS 1.2 for data in transit.
E. Use TLS 1.0 for data in transit.
Answers: B, D

Cloud EKM keeps the key material in a customer-controlled external key manager, which gives the demonstrable key control PCI DSS expects for cardholder data; TLS 1.2 or later is the accepted baseline for data in transit.

Why this answer

PCI DSS requires strong cryptography and documented key management for stored cardholder data, and strong cryptography on open, public networks for data in transit. SSL and early TLS (1.0, and in practice 1.1) are no longer accepted, and SHA-1 certificates are deprecated, so A and E are out. Google-managed keys do encrypt everything at rest with AES-256, but they give the customer no control over, or evidence of, key custody, rotation and revocation, which is what an assessor asks for; customer-managed keys in Cloud KMS, and especially Cloud EKM with an external partner, provide that control.

9
MCQ · hard

A company is using Assured Workloads to meet EU data residency requirements (EU_REGIONS_AND_SUPPORT). They want to monitor compliance drift when changes are made to the environment. Which service should they use?

A. Cloud Audit Logs
B. Cloud Monitoring
C. Assured Workloads Compliance Monitoring
D. Cloud Security Command Center
Answer: C

Assured Workloads includes a monitoring view that reports configuration changes which violate the organization policies the compliance regime put in place.

Why this answer

Assured Workloads monitoring continuously evaluates the workload folder against the organization policies that the selected regime (here EU Regions and Support) applies, and surfaces any violation, such as a resource created outside the allowed locations, as a finding to resolve or accept. Security Command Center gives broader security posture and can also display these findings, but the capability that evaluates drift against the regime belongs to Assured Workloads.

Cloud Audit Logs record the change and Cloud Monitoring tracks metrics; neither judges the change against the compliance regime.

10
MCQ · hard

A financial institution is deploying a payment application on GKE that must comply with PCI DSS. They need to isolate the cardholder data environment (CDE) from other workloads and ensure only authorized services can communicate. Which combination of controls should they implement?

A. Use Cloud Armor to inspect all traffic and block non-compliant requests.
B. Use a separate VPC and VPC Service Controls perimeter for the CDE, and apply Kubernetes Network Policies to restrict pod communication.
C. Enable Data Loss Prevention to scan payment data and restrict access.
D. Deploy the CDE in a separate project and use IAM roles to restrict access.
Answer: B

A dedicated VPC isolates the CDE at the network layer, a VPC Service Controls perimeter keeps cardholder data from leaving through managed services, and Kubernetes Network Policies limit which pods can talk to each other.

Why this answer

PCI DSS expects the CDE to be segmented from everything else and traffic into and out of it to be restricted to what is needed. A separate VPC with firewall rules gives network segmentation; VPC Service Controls add a service perimeter so that data in services such as Cloud Storage or BigQuery cannot be copied to projects outside the CDE; GKE Network Policies (which need a network policy provider such as GKE Dataplane V2 or Calico enabled on the cluster) enforce pod-to-pod restrictions inside the cluster. Cloud Armor (A) protects the edge but does not segment workloads, DLP (C) finds data rather than isolating it, and a separate project with IAM (D) is good practice but governs API access, not network traffic.

11
MCQ · hard

A company using Assured Workloads with the FedRAMP High compliance regime wants to monitor for configuration changes that could cause the environment to become non-compliant. Which tool should they use to detect compliance drift?

A. Security Command Center
B. Cloud Monitoring
C. Assured Workloads Compliance Status dashboard
D. Cloud Asset Inventory
Answer: C

The monitoring view in Assured Workloads shows the folder's compliance status and lists violations of the regime's policies as they occur.

Why this answer

Assured Workloads keeps a compliance status for each workload folder and flags organization policy violations and configuration drift that would take the environment out of the FedRAMP High regime, with the option to accept an exception where the change is intended. Security Command Center reports security posture but does not evaluate resources against the Assured Workloads regime.

Cloud Monitoring works on metrics, not compliance state. Cloud Asset Inventory records resources and their history but does not judge them against a regime.

12
MCQ · hard

A company is using Assured Workloads to enforce FEDRAMP_HIGH compliance. They need to ensure that only US-based personnel from Google can access their data. Which configuration setting within the Assured Workloads folder should they enable?

A. Access Transparency logs
B. Resource location restrictions
C. Google personnel access restrictions
D. Key Access Justification (KAJ) logs
Answer: C

This setting limits which Google support personnel may access the workload's data by location and nationality, for example US persons only.

Why this answer

Assured Workloads pairs each regime with personnel controls: for FedRAMP High, the Google support and engineering staff who may access customer data are restricted to US persons. Access Transparency (A) and Key Access Justifications (D) give visibility into access and key use but do not restrict who may act; resource location restrictions (B) control where data and resources live, not who at Google may touch them.

13
MCQ · hard

A company has deployed an application in Assured Workloads with the FEDRAMP_HIGH compliance regime. They need to ensure that Google Cloud personnel cannot access their data. Which additional control should they enable?

A. Enable Google personnel access restrictions
B. Enable Access Transparency logs
C. Enable CMEK for all services
D. Enable VPC Service Controls
Answer: A

Within Assured Workloads, personnel access restrictions limit which Google staff can access the workload; the page treats this as the control that addresses the requirement.

Why this answer

Assured Workloads with the FedRAMP High regime applies Google personnel access restrictions, which confine support and engineering access to the data to US persons who meet the regime's requirements. The restriction narrows who can access rather than removing every possibility of access; organizations that need to go further layer Access Approval (to approve or deny each access request), Access Transparency (to see what happened) and CMEK or Cloud EKM with Key Access Justifications (to refuse key use). Those are complements: Access Transparency alone (B) only logs, CMEK alone (C) does not stop a service acting with the key, and VPC Service Controls (D) bound data movement, not personnel.

14
MCQ · easy

A company wants to encrypt data at rest in Cloud Storage using their own keys. Which Cloud service should they use to manage these keys?

A. Cloud Data Loss Prevention (Cloud DLP)
B. Cloud Key Management Service (Cloud KMS)
C. Secret Manager
D. Cloud HSM
Answer: B

Cloud KMS is the service for creating and managing encryption keys; customer-managed encryption keys (CMEK) for Cloud Storage reference a Cloud KMS key.

Why this answer

Cloud Key Management Service (Cloud KMS) lets customers create, rotate, disable and destroy their own keys and grant services permission to use them. Cloud HSM is a protection level within Cloud KMS for keys held in FIPS 140-2 Level 3 hardware, so it is managed through Cloud KMS rather than being a separate management service. Cloud DLP finds and transforms sensitive data, and Secret Manager stores secrets such as API keys and passwords.

15
MCQ · medium

A company processes personal data of European Union residents on GCP. They need to ensure that data processing is limited to specific purposes and that data subjects can exercise their rights (access, rectification, erasure). Which actions should they take to comply with GDPR?

A. Use Assured Workloads with EU Regions and Support and enable Access Transparency.
B. Enable data encryption with CMEK and sign a DPA with Google.
C. Sign a DPA with Google, implement data subject request workflows, and use Cloud DLP to classify personal data.
D. Enable VPC Service Controls and restrict data access to EU regions.
Answer: C

A data processing agreement is required; data subject rights must be operationalised; Cloud DLP helps find the personal data those requests apply to.

Why this answer

To comply, the company must have a data processing agreement in place with Google as its processor, must be able to act on data subject requests (access, rectification, erasure), and must document the purposes of processing. Cloud DLP supports this by discovering and classifying where personal data lives. Encryption is a recognised safeguard, but on its own (B) it does not address purposes or rights; Assured Workloads (A) and VPC Service Controls (D) address residency and data movement, not the rights in the question.

16
MCQ · easy

Which Google Cloud compliance certification is most relevant for a company that processes credit card transactions and needs to demonstrate secure handling of cardholder data?

A. SOC 2 Type II
B. PCI DSS
C. ISO 27001
D. FedRAMP
Answer: B

PCI DSS is the standard for handling credit card data.

Why this answer

PCI DSS is the Payment Card Industry Data Security Standard, written specifically for organizations that store, process or transmit cardholder data. ISO 27001 is an information security management standard, SOC 2 reports cover service organization controls, and FedRAMP is for US federal cloud computing.

17
MCQ · medium

A company handles Controlled Unclassified Information (CUI) and needs to deploy a workload that complies with ITAR (International Traffic in Arms Regulations). They plan to use Assured Workloads. Which compliance regime should they select when creating the Assured Workloads folder?

A. FEDRAMP_HIGH
B. CJIS
C. ITAR
D. IL4
Answer: C

ITAR is the correct regime for workloads subject to the International Traffic in Arms Regulations.

Why this answer

Assured Workloads offers a dedicated ITAR regime alongside FedRAMP, CJIS, IL4 and others. Selecting it applies the controls that regulation needs: personnel access restricted to US persons and resources restricted to US locations. FedRAMP High (A) is a US federal authorization baseline and does not by itself address ITAR's export-control requirements.

18
Multi-Select · hard

A company uses Assured Workloads with the FEDRAMP_HIGH regime. They want to enforce resource location restrictions and restrict Google personnel access. Which TWO capabilities should they enable? (Choose two.)

Select 2 answers
A. Data residency restrictions in the Assured Workloads folder.
B. VPC Service Controls.
C. Access Transparency logs.
D. Google personnel access restrictions.
E. Cloud KMS to manage encryption keys.
Answers: A, D

Data residency restrictions ensure resources are created only in allowed regions; personnel access restrictions limit which Google staff may access the data.

Why this answer

Assured Workloads applies resource location organization policies to the folder so that resources can be created only in the regime's allowed regions, and it applies Google personnel access restrictions so that support access is limited to personnel meeting the regime's requirements. Access Transparency logs show what Google personnel did but do not restrict them. VPC Service Controls bound data movement between services and are configured separately from Assured Workloads.

Cloud KMS manages encryption keys; it affects neither location nor personnel access.

19
Multi-Select · medium

A company is designing a PCI DSS-compliant environment on Google Cloud. They need to isolate the cardholder data environment (CDE) and log all access to it. Which THREE actions should they take? (Choose 3)

Select 3 answers
A. Place all CDE resources in a dedicated VPC.
B. Use VPC Service Controls to create a perimeter around the CDE project.
C. Enable Data Access audit logs for all CDE services.
D. Use Cloud Load Balancing with SSL policies to enforce TLS 1.3.
E. Deploy Cloud Armor WAF to protect web applications in the CDE.
Answers: A, B, C

A dedicated VPC gives network isolation, a VPC Service Controls perimeter stops data leaving through managed services, and Data Access audit logs record who read and wrote cardholder data.

Why this answer

Network segmentation (dedicated VPC), exfiltration prevention (VPC Service Controls) and access logging (Data Access audit logs) map directly onto PCI DSS requirements for the CDE. Data Access audit logs are off by default for most services (BigQuery being the notable exception) and generate volume, so enable them deliberately for the CDE services and route them to long-term storage. TLS 1.3 (D) and a WAF (E) are sound controls for the web tier, but they address transport and application attacks, not the isolation and logging the question asks for.

20
MCQ · hard

A multinational company is using Assured Workloads to meet EU_Regions_and_Support compliance. They need to ensure that only EU-based Google personnel can access the customer's data for support purposes. Which configuration should they enable?

A. Configure Access Transparency and log all support actions.
B. Turn on 'Access Approvals' and set personnel restrictions to EU.
C. Enable VPC Service Controls to restrict data movement.
D. Apply data residency restrictions in the Assured Workloads folder.
Answer: B

The personnel restriction that comes with the EU regime limits support access to Google staff located in the EU; Access Approval adds a customer-side approval on each access.

Why this answer

The EU Regions and Support regime in Assured Workloads restricts Google support access to EU-based personnel; the option pairs that personnel restriction with Access Approval, so that each access request must also be approved by the customer before it proceeds. VPC Service Controls prevent data exfiltration but do not control personnel access.

Access Transparency logs show actions but do not restrict them. Data residency restrictions keep data in specific regions but do not limit which Google personnel may access it.

21
MCQ · hard

A company is deploying a PCI DSS-compliant application on Google Cloud. They need to ensure that the Cardholder Data Environment (CDE) is isolated from other resources and that only authorized services can communicate with it. Which combination of controls should they implement?

A. Enable Cloud NAT for outbound internet access from the CDE
B. Implement VPC Service Controls to define a perimeter around the CDE, and use VPC firewall rules to restrict traffic
C. Use Shared VPC with a single network for all environments
D. Use Cloud Armor as the only security measure
Answer: B

VPC Service Controls prevent data exfiltration through managed services, and firewall rules restrict network traffic. Together they isolate the CDE.

Why this answer

A VPC Service Controls perimeter around the CDE stops cardholder data being copied out through Google APIs to resources outside the perimeter, while VPC firewall rules restrict which sources and ports can reach the CDE at the network layer. Cloud Armor (D) is an edge WAF that belongs in front of the CDE's web tier, but it cannot isolate the environment on its own. Cloud NAT (A) opens outbound internet access, which a CDE should minimise, and a single Shared VPC for every environment (C) is the opposite of segmentation.

22
MCQ · hard

A company subject to EU GDPR must implement the right to erasure (right to be forgotten) for personal data stored in BigQuery audit logs. The logs include query text that may contain personally identifiable information (PII). What is the correct approach to anonymize or delete PII from BigQuery audit logs?

A. Use Cloud Logging's exclusion filter to prevent PII from being logged in the first place.
B. Enable BigQuery table snapshot and restore to a point before the data was logged.
C. Delete the entire BigQuery dataset containing audit logs when a deletion request is received.
D. Use Cloud DLP to scan and redact PII in the log entries as they are generated, and store redacted logs in BigQuery.
Answer: D

Redacting with Cloud DLP before the entries reach BigQuery keeps personal data out of the stored copy, so erasure requests do not require touching the audit trail later.

Why this answer

Log entries in Cloud Logging cannot be edited, and the copy that lands in BigQuery through a sink is what analysts query. The page's approach is to route the audit logs through a sink to Pub/Sub, de-identify the query text with Cloud DLP in the processing hop (typically a Dataflow pipeline), and write only the redacted entries to BigQuery. Cloud Logging has no inline DLP hook, so the redaction is a pipeline step rather than a Logging setting. An exclusion filter (A) drops whole entries and loses the audit record; table snapshots (B) and deleting the dataset (C) destroy records for every other data subject as well.

23
MCQ · easy

Which Google Cloud service can automatically classify and de-identify sensitive data such as credit card numbers and health records before it is stored in Cloud Storage?

A. Cloud Audit Logs
B. Cloud Data Loss Prevention (Cloud DLP)
C. Cloud Key Management Service (Cloud KMS)
D. Cloud Asset Inventory
Answer: B

Cloud DLP inspects and de-identifies sensitive data before storage.

Why this answer

Cloud Data Loss Prevention (DLP) inspects content for sensitive data types (for example credit card numbers and PHI) and can de-identify that data by masking, tokenizing or redacting it. Cloud KMS manages encryption keys, Cloud Audit Logs record activity, and Cloud Asset Inventory tracks resources.

24
MCQ · easy

A company must implement a data retention policy that prevents any modification or deletion of stored log files for 5 years. Which Cloud Storage feature should they use?

A. Lifecycle management rules
B. Object versioning
C. Bucket locking with a retention policy
D. Object Retention Lock
Answer: C, D

Both options describe a WORM mechanism and the page accepts either. In Cloud Storage terms, C is the bucket retention policy locked with Bucket Lock, which applies to every object in the bucket and is the control that fits "all stored log files"; D, Object Retention Lock, is the per-object retention configuration. Each prevents deletion and overwriting for the period, although the question expects a single answer.

Why this answer

A retention policy on the bucket prevents object deletion or modification until the retention period (here 5 years) has expired; locking it makes the policy permanent. This is the WORM (Write Once, Read Many) capability. Lifecycle rules delete or transition objects, and versioning keeps old versions without preventing their deletion.

25
Multi-Select · hard

A financial institution needs to comply with GDPR data subject rights. They must ensure that personal data in BigQuery can be anonymized for analytics while still allowing joins on pseudonymized identifiers. Which THREE services or features should they consider? (Choose 3)

Select 3 answers
A. Cloud Functions
B. Cloud KMS
C. Cloud Dataflow
D. Cloud DLP
E. BigQuery SQL functions (e.g., DLP_TOKENIZE)
Answers: C, D, E

Cloud DLP performs the pseudonymisation, Dataflow is where it is applied in a pipeline before or during load, and exposing it as a SQL function keeps analysts' queries working.

Why this answer

Cloud DLP provides the keyed deterministic transforms that pseudonymise an identifier the same way every time, which is what makes later joins possible. Dataflow hosts DLP de-identification in a batch or streaming pipeline that feeds BigQuery. BigQuery has no built-in `DLP_TOKENIZE`; the SQL-function route is a remote function backed by Cloud Functions or Cloud Run that calls the DLP API, which lets the same tokens be produced at query time.

Cloud KMS holds the key the transform uses but does not pseudonymise data itself. Cloud Functions can host the tokenization endpoint but is less integrated than the other three for this purpose.

26
MCQ · hard

A company using BigQuery for analytics needs to comply with the right to be forgotten (erasure) under GDPR. A data subject requests deletion of their personal data. What is the correct approach to delete data from BigQuery audit logs that contain the data subject's information?

A. Export audit logs to Cloud Storage and configure a log sink to filter out or redact personal data before it is stored.
B. Use Cloud DLP to scan and redact the audit logs in place within BigQuery.
C. Use a DELETE statement on the audit logs table in BigQuery to remove the records.
D. Set a table expiration on the audit logs dataset to delete all logs after a short period.
Answer: A

Controlling what the sink stores, by excluding the data subject's entries or redacting them in transit, is the practical way to honour erasure for records that cannot be edited in place.

Why this answer

Cloud Audit Log entries are immutable in Cloud Logging and cannot be deleted one by one. The page's approach is therefore to control the stored copy: export through a sink to Cloud Storage and use the sink's filter (or, where redaction rather than exclusion is wanted, an intermediate Pub/Sub and Dataflow step with Cloud DLP) so that the data subject's personal data is not kept. Cloud DLP cannot modify log entries in place (B); a DELETE statement (C) works only on an exported copy in BigQuery, not on the Logging copy; a short table expiration (D) throws away the audit trail for everyone.

27
Multi-Select · easy

A company needs to comply with GDPR requirements for data subject rights. They must be able to provide data subjects with access to their personal data and rectify inaccuracies. Which TWO Google Cloud services can assist with these requirements? (Choose two.)

Select 2 answers
A. Cloud Data Loss Prevention (Cloud DLP)
B. BigQuery
C. Cloud Key Management Service (Cloud KMS)
D. Cloud Audit Logs
E. Cloud Storage
Answers: A, B

Cloud DLP discovers and classifies personal data, which is the first step in answering an access or rectification request; BigQuery is where the data can be queried and corrected.

Why this answer

Cloud DLP can locate and classify personal data across Cloud Storage, BigQuery and Datastore, which tells the company where a given subject's data lives. BigQuery can then be queried to retrieve that data for an access request and updated with DML to rectify it. Cloud Audit Logs record who accessed what but do not return the data itself.

Cloud Storage holds objects but offers no way to find or correct a subject's data inside them. Cloud KMS manages keys.

28
MCQ · medium

An organization handles ITAR-controlled data and must restrict Google personnel access to the underlying infrastructure. Which Google Cloud product should they use to enforce this restriction?

A. Assured Workloads
B. IAM Conditions
C. VPC Service Controls
D. Cloud HSM
Answer: A

Assured Workloads applies the personnel controls the ITAR regime requires and works together with Access Transparency and Access Approval to make Google personnel access visible and subject to approval.

Why this answer

Creating the workload folder with the ITAR regime applies the regime's controls: Google personnel access restricted to US persons and resources restricted to US locations, with Access Transparency and Access Approval providing the audit trail and the customer-side veto. IAM Conditions govern your own principals, not Google staff; VPC Service Controls bound data movement; Cloud HSM protects keys but does not restrict who at Google may access infrastructure.

29
MCQ · medium

A company subject to GDPR receives a request from a data subject to delete all personal data from BigQuery audit logs. The logs contain query execution details with user identifiers. How can the company comply with the right to erasure (right to be forgotten)?

A. Create a log sink to export logs to Cloud Storage, then delete the sink and the exported objects
B. Use the Data Subject Request tool in Google Cloud to request erasure of the specific personal data from audit logs
C. Delete the entire BigQuery dataset containing the logs
D. Use Cloud DLP to redact personally identifiable information from the logs
Answer: B

The page's intended answer is to raise a data subject request with Google for removal of the specific personal data, since customers cannot delete individual audit-log entries themselves.

Why this answer

Cloud Audit Logs are immutable in Cloud Logging: customers cannot edit or delete individual entries. BigQuery Data Access logs land in the _Default log bucket (30 days by default), while Admin Activity logs sit in the _Required bucket for 400 days and cannot be deleted by the customer at all. Deleting a sink and its exports (A) or the whole dataset (C) removes copies, not the Logging entries, and destroys the audit trail for every other subject; Cloud DLP (D) produces a redacted copy rather than erasing the record. In practice, plan for erasure by keeping personal data out of fields you control (query text, resource names) and by excluding or redacting at the sink, so that requests rarely have to touch the audit trail at all.

30
MCQ · easy

A company using Google Cloud wants to conduct a penetration test on their infrastructure. According to Google's acceptable use policy, what must they do before testing?

A. Create a separate VPC network for testing
B. Submit a request to Google support for each test
C. Ensure that the tests do not include Denial of Service (DoS) attacks
D. Enable VPC Flow Logs for monitoring
Answer: C

Denial of Service testing is not permitted; other penetration testing of your own projects needs no notification to Google, provided it follows the Acceptable Use Policy and Terms of Service.

Why this answer

Google Cloud does not require customers to notify it or obtain approval before penetration-testing their own resources, as long as the testing stays within the customer's own projects and complies with the Acceptable Use Policy and Terms of Service, which prohibit interfering with the service or with other customers; that rules out Denial of Service tests. This applies to common services such as Compute Engine, GKE and Cloud Functions. A separate VPC (A) and VPC Flow Logs (D) are sensible hygiene for a test environment but are not policy requirements.

31
MCQ · medium

A data subject requests the deletion of their personal data from a Google Cloud project under GDPR. This data is stored in BigQuery audit logs that are retained for 30 days by default. What is the correct approach to fulfill this request?

A. Use the BigQuery DELETE statement to remove the specific rows containing the data subject's information.
B. Submit a request to Google Cloud Support to remove the personal data from the logs.
C. Configure a log sink to exclude the data subject's audit logs and delete the existing logs by deleting the dataset that stores them.
D. Use a Data Loss Prevention (DLP) job to redact the personal data from the audit logs.
Answer: C

An exclusion filter on the log router stops the data subject's entries from being stored going forward; the entries already routed into a BigQuery dataset are removed by deleting that dataset (or its tables), since individual audit-log entries cannot be edited in place.

Why this answer

Cloud Audit Log entries cannot be modified or deleted one at a time in Cloud Logging, so the workable approach is to stop new entries from being retained (an exclusion filter on the _Default bucket or on the sink) and to remove the store that holds the existing ones. Because the _Default bucket keeps Data Access logs for 30 days, the Logging copy ages out on its own once the exclusion is in place; the _Required bucket (Admin Activity logs, 400 days) is not customer-deletable.

One caveat worth knowing: a table fed by a log sink is an ordinary BigQuery table, and DML `DELETE` does work on it (rows still in the streaming buffer cannot be deleted for a short period), so option A is not impossible for the exported copy; what cannot be deleted per entry is the copy in the Cloud Logging bucket. A DLP job (D) produces a redacted copy rather than erasing the record.

32
MCQ · easy

A company wants to ensure that data stored in Cloud Storage is encrypted at rest using keys that they generate and manage on-premises. Which encryption method should they use?

A. Customer-Managed Encryption Keys (CMEK) using Cloud KMS
B. Google-managed encryption keys
C. Customer-Supplied Encryption Keys (CSEK)
D. Client-side encryption before uploading
Answer: C

CSEK lets you supply your own AES-256 key with each request; Google uses it for that operation and does not store it, so the key stays under your management on-premises.

Why this answer

Customer-Supplied Encryption Keys (CSEK) let you provide your own encryption key for Cloud Storage objects. Google uses the key to encrypt or decrypt the object and then discards it, keeping only a hash for matching, so the key lifecycle is entirely yours. That has consequences: the key must be sent with every read and write, losing it means losing the data, and CSEK is available for Cloud Storage and Compute Engine disks rather than across every service. CMEK (A) keeps the key in Cloud KMS, which is not on-premises; client-side encryption (D) protects the data but does not use Cloud Storage's at-rest encryption with your key.

33
MCQ · easy

Which of the following is a customer responsibility under the Google Cloud shared responsibility model?

A. Physical security of data centers
B. Encryption of data at rest and in transit
C. Hardware maintenance
D. Hypervisor security
Answer: B

Customers are responsible for how their data is protected; Google provides default encryption and the tools, the customer decides key management and application-level transport security.

Why this answer

The shared responsibility model assigns physical security, hardware and hypervisor security to Google. Google also encrypts data at rest by default and encrypts traffic inside its infrastructure, but the customer remains responsible for data protection decisions: choosing customer-managed or external keys where the data warrants it, enforcing TLS on their own applications and load balancers, classifying the data, and the surrounding IAM, network and application controls.

34
Multi-Select · medium

A company needs to implement data pseudonymisation to comply with GDPR. They are using BigQuery for analytics. Which TWO services can help them pseudonymise data in transit before it enters BigQuery?

Select 2 answers
A. Cloud Dataflow
B. Cloud Data Loss Prevention (DLP)
C. Cloud Storage
D. Cloud SQL
E. Cloud Functions
Answers: A, B

Dataflow reads the batch or streaming input, applies a Cloud DLP de-identification transform to each record, and writes the pseudonymised rows to BigQuery.

Why this answer

Cloud DLP inspects and de-identifies data, including pseudonymisation by tokenization or keyed hashing. Dataflow is the pipeline that calls DLP with a de-identification template on each record before loading. Together they pseudonymise the data before it lands in BigQuery, which is what "in transit" means here. Cloud Storage and Cloud SQL are data stores, and Cloud Functions could host a transform but is not the pipeline service Google documents for this pattern.
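Questions 1, 5, 25 and 34 all rest on the same property: a pseudonymisation transform is useful for longitudinal analysis only if it is deterministic under a secret key, and it is safe only if that key is secret. The Python below is an added illustration, not code from the page and not the Cloud DLP API: HMAC-SHA256 stands in for DLP's keyed deterministic transforms (`CryptoDeterministicConfig` / `CryptoHashConfig`), the two tables are constructed, and the key is generated locally where production would fetch it from Cloud KMS. It shows that tokens from the same key join correctly, that a key mismatch or masking destroys the join, and that an unkeyed hash of a low-entropy identifier is not pseudonymisation at all.

```python
"""Keyed deterministic tokens preserve joins; masking and unkeyed hashing do not.

Added illustration: not code from the page and not the Cloud DLP API. HMAC-SHA256
with a secret key stands in for DLP's keyed deterministic transforms
(CryptoDeterministicConfig / CryptoHashConfig); in production the key lives in
Cloud KMS and the transform runs in DLP, Dataflow or a BigQuery remote function.
"""
import hashlib
import hmac
import secrets

# Constructed sample tables keyed by a low-entropy medical record number (MRN).
VISITS = [
    {"mrn": "MRN-00042", "visit": "2023-01-04", "dx": "E11.9"},
    {"mrn": "MRN-00042", "visit": "2023-06-11", "dx": "E11.9"},
    {"mrn": "MRN-00107", "visit": "2023-02-20", "dx": "I10"},
]
LABS = [
    {"mrn": "MRN-00042", "test": "HbA1c", "value": 7.4},
    {"mrn": "MRN-00107", "test": "LDL", "value": 131},
    {"mrn": "MRN-00999", "test": "LDL", "value": 98},
]

# Pseudonymisation key (placeholder generated here; would be a KMS-held key).
KEY = secrets.token_bytes(32)
OTHER_KEY = secrets.token_bytes(32)  # a second key, to show what a key mismatch does


def tokenize(value: str, key: bytes) -> str:
    """Keyed deterministic token: same value + same key -> same token; no key, no reversal."""
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()[:24]


def unkeyed_hash(value: str) -> str:
    """Plain SHA-256 truncated to the same length: deterministic but NOT keyed."""
    return hashlib.sha256(value.encode("utf-8")).hexdigest()[:24]


def mask(value: str) -> str:
    """Character masking: removes the identifier and, with it, any way to join on it."""
    return "#" * len(value)


def deidentify(rows, column, transform):
    """Return a copy of rows with `column` replaced by transform(column)."""
    return [{**row, column: transform(row[column])} for row in rows]


def join(left, right, column):
    """Inner equi-join on `column`, what the analyst's SQL JOIN would do."""
    index = {}
    for row in right:
        index.setdefault(row[column], []).append(row)
    return [{**l, **r} for l in left for r in index.get(l[column], [])]


def longitudinal_join(left_key: bytes, right_key: bytes) -> int:
    """Tokenise both tables (possibly with different keys) and join; return matched row count."""
    visits = deidentify(VISITS, "mrn", lambda v: tokenize(v, left_key))
    labs = deidentify(LABS, "mrn", lambda v: tokenize(v, right_key))
    return len(join(visits, labs, "mrn"))


def masked_join() -> int:
    """Same join after masking: every MRN collapses to '#########', so the join fabricates matches."""
    visits = deidentify(VISITS, "mrn", mask)
    labs = deidentify(LABS, "mrn", mask)
    return len(join(visits, labs, "mrn"))


def reidentify(token: str, guess, space=range(100_000)):
    """Dictionary attack: enumerate the small MRN space and compare guess(candidate) to the token."""
    for n in space:
        candidate = f"MRN-{n:05d}"
        if guess(candidate) == token:
            return candidate
    return None


if __name__ == "__main__":
    print("joined rows, same key    :", longitudinal_join(KEY, KEY))        # 3
    print("joined rows, key mismatch:", longitudinal_join(KEY, OTHER_KEY))  # 0
    print("joined rows, masked      :", masked_join())                      # 9, all spurious
    print("unkeyed hash recovered   :", reidentify(unkeyed_hash("MRN-00042"), unkeyed_hash))
    print("keyed token recovered    :", reidentify(tokenize("MRN-00042", KEY), unkeyed_hash))
```

The last two lines are the security point behind the HIPAA and GDPR questions: an unkeyed hash of an identifier drawn from a small space is recovered by enumeration in milliseconds, whereas the keyed token resists the same attack for as long as the key stays out of the analysts' hands.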

35
MCQ · medium

An organization subject to GDPR receives a data subject request for erasure ('right to be forgotten'). The data subject's information is stored in BigQuery audit logs. What is the implication for the audit logs, and what should the organization do?

A. Use Cloud DLP to redact the personal data from the audit logs, and store the redacted version.
B. Delete the entire log bucket containing the audit logs.
C. Delete the BigQuery dataset containing the logs.
D. Edit the audit log entries directly using the Cloud Logging API.
Answer: A

Cloud DLP can produce a redacted copy of the logs, which lets the organization honour the erasure request while keeping an audit record.

Why this answer

Cloud Audit Logs are immutable: individual entries cannot be edited (D) or deleted selectively. The page's approach is therefore to produce and keep a redacted copy: route the logs through a sink to Pub/Sub, de-identify the query text with Cloud DLP in the processing hop (a Dataflow pipeline is the usual host), and store the redacted entries in BigQuery or Cloud Storage. Deleting the whole log bucket (B) or the BigQuery dataset (C) destroys the audit trail for every other data subject as well.

Note that the Cloud Logging copy still exists until its retention expires (30 days in the _Default bucket for Data Access logs), so pair the redaction with an exclusion filter for the data subject's future entries where that is appropriate.
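The redaction hop that questions 22 and 35 describe, as an added worked example that is not code from the page and not the Cloud DLP API. It stands in for the de-identify step of a sink to Pub/Sub to Dataflow to BigQuery route: constructed regexes play the part of DLP infoTypes and the replacement mimics `ReplaceWithInfoTypeConfig`. Only the SQL text under `protoPayload.metadata.jobChange.job.jobConfig.queryConfig.query` (the BigQueryAuditMetadata location for a query job) is redacted; the principal and method fields are left intact so the entry still serves as an audit record. The two sample entries are constructed and trimmed.

```python
"""Redact personal data from BigQuery Data Access audit-log entries before they are stored.

Added illustration, not code from the page and not the Cloud DLP API. Regexes stand
in for DLP infoTypes; the replacement mimics ReplaceWithInfoTypeConfig. Entry shape
follows BigQueryAuditMetadata (protoPayload.metadata.jobChange...). Only the query
text is redacted so the actor and resource fields keep their audit value.
"""
import copy
import json
import re

# Stand-ins for DLP infoTypes (constructed regexes, narrower than the real detectors).
INFO_TYPES = {
    "EMAIL_ADDRESS": re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}"),
    "PHONE_NUMBER": re.compile(r"\+?\d[\d .()-]{7,}\d"),
}

# Where BigQueryAuditMetadata puts the SQL text of a query job.
QUERY_PATH = ("protoPayload", "metadata", "jobChange", "job", "jobConfig", "queryConfig", "query")


def get_path(entry: dict, path):
    """Walk a nested dict along `path`; None if any step is missing."""
    node = entry
    for key in path:
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return node


def set_path(entry: dict, path, value):
    """Assign `value` at `path`, which must already exist (checked by the caller)."""
    node = entry
    for key in path[:-1]:
        node = node[key]
    node[path[-1]] = value


def redact_text(text: str):
    """Replace each detected value with its infoType name; return (new text, counts per type)."""
    findings = {}
    for name, pattern in INFO_TYPES.items():
        text, count = pattern.subn(f"[{name}]", text)
        if count:
            findings[name] = count
    return text, findings


def redact_entry(entry: dict):
    """Return a redacted copy of one entry plus findings; entries without query text pass through."""
    out = copy.deepcopy(entry)  # never mutate the input record
    query = get_path(out, QUERY_PATH)
    if not isinstance(query, str):
        return out, {}
    new_text, findings = redact_text(query)
    set_path(out, QUERY_PATH, new_text)
    return out, findings


def redact_batch(raw_entries):
    """Process JSON log lines as a pipeline step would; return (redacted lines, totals per type)."""
    totals, lines = {}, []
    for raw in raw_entries:
        redacted, findings = redact_entry(json.loads(raw))
        for name, n in findings.items():
            totals[name] = totals.get(name, 0) + n
        lines.append(json.dumps(redacted, separators=(",", ":")))
    return lines, totals


# Constructed sample entries (trimmed BigQuery Data Access log shapes).
SAMPLE_ENTRIES = [
    json.dumps({
        "logName": "projects/example-prj/logs/cloudaudit.googleapis.com%2Fdata_access",
        "protoPayload": {
            "authenticationInfo": {"principalEmail": "analyst@example.com"},
            "methodName": "google.cloud.bigquery.v2.JobService.InsertJob",
            "metadata": {"jobChange": {"job": {"jobConfig": {"queryConfig": {
                "query": "SELECT name FROM crm.contacts WHERE email = 'jane.doe@example.com' AND phone = '+1 415-555-0100'"
            }}}}},
        },
    }),
    json.dumps({
        "logName": "projects/example-prj/logs/cloudaudit.googleapis.com%2Fdata_access",
        "protoPayload": {
            "authenticationInfo": {"principalEmail": "etl-sa@example-prj.iam.gserviceaccount.com"},
            "methodName": "google.cloud.bigquery.v2.TableDataService.List",
            "metadata": {"tableDataRead": {"reason": "JOB"}},
        },
    }),
]

if __name__ == "__main__":
    lines, totals = redact_batch(SAMPLE_ENTRIES)
    print(totals)
    for line in lines:
        print(line)
```

Keeping `principalEmail` untouched is a deliberate choice: the actor identity is what makes the entry an audit record. Whether that field is itself in scope for an erasure request is a policy decision that the pipeline should make explicit rather than silently blanking everything that looks like an email.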

36
Multi-Selectmedium

A multinational company must comply with GDPR and needs to ensure that personal data is processed in a manner that respects data subject rights. Which TWO of the following are required under GDPR? (Choose 2)

Select 2 answers
A. Delete personal data immediately upon request without any exceptions.
B. Store personal data only in the region where the data subject resides.
C. Provide data subjects with a copy of their personal data upon request (right of access).
D. Implement data protection by design and by default in all processing activities.
E. Encrypt all personal data at rest and in transit using AES-256 and TLS 1.3.
Answers: C, D

GDPR grants data subjects the right to obtain confirmation of processing and access to their data.

Why this answer

Right of access and privacy by design are explicit GDPR requirements. Other options are either too prescriptive or incorrect.

37
MCQ · medium

A healthcare organization needs to ensure that all access to ePHI in Cloud SQL is logged for HIPAA compliance. They have enabled audit logs. What additional step is required to ensure logs are retained for at least one year?

A. Create a log sink to export the logs to Cloud Storage.
B. Enable Access Transparency logs.
C. Set a retention policy on the Cloud SQL instance.
D. Adjust the retention period in the Logs Explorer to 1 year.
Answer: A

Log sinks allow exporting logs to Cloud Storage where retention policies can be set for longer periods.

Why this answer

Cloud Audit Logs are retained by default for 30 days (or 400 days for some logs with the default retention in the _Required bucket). To retain logs for longer, you must create a log sink that exports logs to Cloud Storage (or BigQuery). Enabling Access Transparency logs is good but not necessary for retention.

Adjusting the retention period in the Logs Explorer is not possible; Logs Explorer only queries logs within the retention period.

38
MCQ · medium

A company needs to retain audit logs for 7 years to meet compliance requirements. By default, Cloud Audit Logs are retained for 30 days. What should they do to retain the logs for 7 years?

A. Increase the default audit log retention period in the Logging settings to 7 years.
B. Enable Logging export to BigQuery and set table expiration to 7 years.
C. Use Cloud Functions to copy audit logs daily to Coldline Storage.
D. Create a log sink to export audit logs to a Cloud Storage bucket with a retention policy set to 7 years.
Answer: D

Log sinks can export logs to Cloud Storage, and bucket retention policies can enforce data retention for compliance duration.

Why this answer

Log Sinks can route logs to Cloud Storage Buckets, which support retention policies. Object Retention Lock can enforce WORM compliance if required.

39
Multi-Select · hard

A company is deploying a workload that must comply with FedRAMP High. They are using Assured Workloads. Which THREE controls are automatically enabled when they select the FEDRAMP_HIGH regime?

Select 3 answers
A. Google personnel access restrictions
B. Resource location restrictions (data must remain in the US)
C. VPC Service Controls
D. Compliance monitoring (continuous monitoring of compliance drift)
E. Cloud Armor WAF
Answers: A, B, D

Assured Workloads provides the option to restrict Google personnel access; it is a key control for FedRAMP High.

Why this answer

Assured Workloads for FedRAMP High enforces resource location restrictions (data must stay in the US), access controls (Google personnel access restrictions are available), and compliance monitoring (continuous compliance monitoring). These are key controls for FedRAMP High.

40
MCQ · medium

A company is using BigQuery to store analytics data and wants to ensure that data is retained for exactly 365 days after ingestion, then automatically deleted. How can they achieve this with minimal operational overhead?

A. Use Cloud Storage Object Lifecycle rules on the data exported to Cloud Storage
B. Set the table expiration to 365 days using the ALTER TABLE SET OPTIONS statement
C. Create a Cloud Function to delete tables older than 365 days
D. Configure a BigQuery scheduled query to delete rows older than 365 days
Answer: B

Setting table expiration automatically deletes the table after 365 days, meeting the requirement with no manual intervention.

Why this answer

BigQuery datasets have a default table expiration setting, but for individual tables, you can set an expiration time. The most efficient way is to set the table expiration to 365 days, which auto-deletes the table after that period.

41
MCQ · medium

A government contractor needs to deploy a workload on Google Cloud that complies with FedRAMP High and ITAR (International Traffic in Arms Regulations). They require that Google personnel cannot access the infrastructure and that data residency is restricted to the United States. Which Google Cloud solution should they use?

A. VPC Service Controls with Organization Policies restricting resource location to the US.
B. Cloud HSM with Customer-Managed Encryption Keys (CMEK) stored in a US key region.
C. Assured Workloads with the FEDRAMP_HIGH and ITAR compliance regimes, and enable Google personnel access restrictions.
D. Deploy the workload in a Google Cloud region only available to US government customers (us-gov-west1).
Answer: C

Assured Workloads supports combined compliance regimes and provides access controls to restrict Google personnel.

Why this answer

Assured Workloads provides a consolidated compliance framework that includes FedRAMP, ITAR, and access restrictions.

42
MCQ · hard

An organization is using Assured Workloads to enforce ITAR compliance. They need to ensure that all resources are deployed in specific US regions and that Google personnel access is restricted. They also want to monitor for any configuration changes that violate compliance policies. Which service should they use for monitoring compliance drift?

A. Cloud Asset Inventory
B. Assured Workloads compliance monitoring
C. Security Command Center
D. Cloud Monitoring
Answer: B

Assured Workloads includes built-in monitoring for compliance drift, alerting on policy violations.

Why this answer

Assured Workloads provides a compliance monitoring feature that alerts on policy violations, including resource location and access restrictions. Cloud Monitoring is for performance metrics, Cloud Asset Inventory tracks resources, and Security Command Center provides threat detection but not specific compliance drift monitoring for Assured Workloads.

43
Multi-Select · easy

A company is subject to SOC 2 compliance and wants to demonstrate that they have implemented proper access controls on Google Cloud. Which TWO IAM best practices should they follow? (Choose two.)

Select 2 answers
A. Enable multi-factor authentication for all users.
B. Use only predefined roles to ensure consistency.
C. Enable Cloud Audit Logs to monitor access.
D. Use service accounts for human user access.
E. Grant the least privilege necessary using IAM roles.
Answers: A, E

MFA adds a layer of security to user accounts.

Why this answer

SOC 2 requires access controls. The principle of least privilege (granting minimal permissions) and enabling multi-factor authentication (MFA) are key IAM best practices. Using predefined roles is not always best; custom roles may be needed.

Service accounts are for applications, not user access. Cloud Audit Logs track access but are not an IAM best practice per se.

44
MCQ · medium

A security engineer needs to run a penetration test against their Google Cloud environment. According to Google's Acceptable Use Policy, which of the following is true regarding penetration testing?

A. Penetration testing is not allowed against any Google Cloud resources.
B. Denial of Service (DoS) testing is allowed with prior notification to Google.
C. Penetration testing is allowed without prior approval for most services, but DoS attacks are prohibited.
D. All penetration tests require prior approval from Google Cloud Support.
Answer: C

Google's policy permits most penetration tests without prior approval, but DoS attacks are not allowed.

Why this answer

Google's policy allows customers to conduct penetration tests against their own infrastructure without prior approval for most services, provided the tests do not involve denial of service (DoS) attacks. DoS testing is explicitly prohibited without prior written approval. Testing other customers' resources is never allowed.

45
MCQ · medium

A company needs to store audit logs for a minimum of 5 years to meet compliance requirements. Cloud Logging retains logs for 30 days by default. Which approach should they take?

A. Store logs in BigQuery and set table expiration to 5 years
B. Create a log sink to export logs to Cloud Storage, and use Object Lifecycle Management to delete objects after 5 years
C. Use Cloud Functions to periodically copy logs to a persistent disk
D. Enable the 'Log Retention' setting in Cloud Logging to 5 years
Answer: B

A log sink exports the logs to Cloud Storage; lifecycle rules can then delete objects after 5 years, meeting the retention requirement.

Why this answer

To retain logs for longer than 30 days, you must create a log sink that exports logs to a destination like Cloud Storage, and then set a retention policy on the bucket. Cloud Storage's Object Lifecycle Management can delete objects after 5 years.

46
MCQ · easy

Which Google Cloud service is specifically designed to help customers meet compliance requirements by creating a folder with pre-defined organization policies, resource location restrictions, and access controls?

A. VPC Service Controls
B. Assured Workloads
C. Cloud HSM
D. Security Command Center
Answer: B

Assured Workloads creates a folder with compliance controls, location restrictions, and access restrictions.

Why this answer

Assured Workloads automates the creation of a compliant environment with pre-configured controls.

47
MCQ · medium

A security engineer needs to audit changes to IAM policies across their Google Cloud organization. Which audit log type should they enable to capture IAM policy changes?

A. Admin Activity audit logs
B. System Event audit logs
C. Data Access audit logs
D. Access Transparency logs
Answer: A

Admin Activity logs record configuration changes, including IAM policy modifications.

Why this answer

Admin Activity audit logs capture all API calls that modify configuration, including IAM policy changes.

48
MCQ · medium

A healthcare organization is migrating to Google Cloud and needs to store Protected Health Information (PHI) in Cloud Storage. They have signed a Business Associate Agreement (BAA) with Google. Which additional step is REQUIRED to ensure HIPAA compliance for the data stored?

A. Use Customer-Managed Encryption Keys (CMEK) for the bucket.
B. Configure the bucket to be in a VPC with no public access.
C. Enable Object Versioning on the bucket.
D. No additional action is required; Cloud Storage is HIPAA-eligible and encrypts data at rest by default.
Answer: D

Cloud Storage is a HIPAA-eligible service. With a BAA in place and default encryption at rest, no further steps are strictly required for storage.

Why this answer

HIPAA requires encryption of PHI at rest. Cloud Storage automatically encrypts data at rest using Google-managed keys. Customers can optionally use CMEK, but CMEK is not required.

Enabling Object Versioning is not a HIPAA requirement. Configuring a VPC is a network control, not a specific HIPAA requirement for storage.

49
MCQ · medium

A financial institution must store audit logs for 7 years to comply with PCI DSS requirements. By default, Cloud Audit Logs are retained for 30 days. What is the most cost-effective way to retain audit logs for 7 years?

A. Use Assured Workloads to automatically extend audit log retention to 7 years.
B. Create a log bucket with a retention period of 7 years using Log Analytics.
C. Configure a log sink to export logs to Cloud Storage with a retention policy set to 7 years using Object Lifecycle Management.
D. Increase the retention period for Cloud Audit Logs in the Logs Router to 7 years.
Answer: C

Exporting logs to Cloud Storage and setting a retention policy via lifecycle management is cost-effective and meets retention requirements.

Why this answer

To retain audit logs beyond Cloud Logging's 365-day max, export to Cloud Storage using a log sink and use Object Lifecycle Management to set a retention policy.

50
MCQ · easy

Which Google Cloud service provides the ability to enforce data retention policies on Cloud Storage objects to prevent deletion or modification for a specified duration?

A. Cloud Storage Bucket Lock
B. VPC Service Controls
C. Cloud Storage Object Retention Lock
D. Cloud Storage Object Lifecycle Management
Answer: C

Object Retention Lock enforces a WORM (Write Once Read Many) policy, preventing deletion or modification.

Why this answer

Object Retention Lock uses retention policies and legal holds to comply with WORM requirements.

51
MCQ · medium

A company is subject to PCI DSS and needs to protect a web application that processes credit card data. They want to block common web attacks such as SQL injection and cross-site scripting (XSS). Which Google Cloud service should they use?

A. Cloud Armor
B. Cloud NAT
C. Cloud CDN
D. Identity-Aware Proxy (IAP)
Answer: A

Cloud Armor provides WAF capabilities including preconfigured rules for SQLi and XSS, meeting the requirement.

Why this answer

Cloud Armor is a Web Application Firewall (WAF) that provides protections against OWASP Top 10 threats like SQL injection and XSS. It integrates with Cloud Load Balancing to filter traffic.

52
MCQ · hard

A multinational corporation uses Google Cloud and must comply with GDPR. They want to process personal data for a new purpose that was not originally disclosed to data subjects. What is the correct course of action under GDPR?

A. Anonymize the data before processing, as anonymized data is not subject to GDPR.
B. Rely on the existing DPA with Google, as it covers all processing activities.
C. Obtain explicit consent from the data subjects for the new processing purpose.
D. Proceed with the new processing as long as the data is pseudonymized.
Answer: C

Under GDPR, processing for a new purpose generally requires a new legal basis, such as explicit consent.

Why this answer

GDPR requires a valid legal basis for each processing purpose. For a new purpose, explicit consent is often required unless another basis applies.

53
MCQ · medium

A government contractor needs to deploy workloads on GCP that meet FedRAMP High baseline requirements. They want to enforce resource location restrictions and access controls for Google personnel. Which product should they use?

A. Cloud Security Command Center
B. VPC Service Controls
C. Organization Policies
D. Assured Workloads
Answer: D

Assured Workloads creates a folder with built-in compliance controls, including resource location, personnel access, and encryption requirements for FedRAMP High.

Why this answer

Assured Workloads provides compliance-focused folders that enforce location restrictions, personnel access controls, and other controls specific to the chosen regime (e.g., FedRAMP High).

54
Multi-Select · medium

A company is using Assured Workloads with the FEDRAMP_HIGH regime. They need to restrict where resources can be created and monitor for compliance violations. Which TWO settings should they configure? (Choose 2)

Select 2 answers
A. Access Transparency logs
B. Data residency controls
C. Resource location restrictions
D. Google personnel access restrictions
E. Compliance monitoring (drift detection)
Answers: C, E

Resource location restrictions limit resource deployment to the allowed regions.

Why this answer

Resource location restrictions limit the regions where resources can be deployed. Compliance monitoring (or compliance drift monitoring) alerts when resources violate policies. Google personnel access restrictions control internal access, and Access Transparency logs are a logging feature rather than a restriction on where resources are created.

Data residency controls overlap with resource location restrictions.

55
Multi-Select · medium

A company is deploying a PCI DSS-compliant application on Google Cloud. They need to ensure that the cardholder data environment (CDE) is isolated and that only authorized services can communicate. Which TWO services should they use? (Choose 2)

Select 2 answers
A. Cloud IDS
B. Cloud Armor
C. Cloud NAT
D. VPC Service Controls
E. Cloud VPN
Answers: B, D

Cloud Armor is a WAF that protects the web application.

Why this answer

VPC Service Controls create a secure perimeter around the CDE resources, preventing data exfiltration. Cloud Armor provides web application firewall capabilities to protect the application. Cloud NAT is for outbound connectivity, Cloud IDS is for intrusion detection, and Cloud VPN is for site-to-site VPN, not isolation.

56
MCQ · easy

A company that stores protected health information (PHI) in Google Cloud wants to run a BigQuery query to identify and classify sensitive data such as patient names and social security numbers. Which Google Cloud service should they use?

A. Cloud Audit Logs
B. Cloud Key Management Service (Cloud KMS)
C. Cloud Data Loss Prevention (Cloud DLP)
D. BigQuery's built-in data classification
Answer: C

Cloud DLP inspects and classifies sensitive data like PHI and PII.

Why this answer

Cloud Data Loss Prevention (Cloud DLP) is specifically designed to inspect, classify, and de-identify sensitive data. It can be used to scan BigQuery tables and other data sources for PHI, PII, and other sensitive content. Cloud Audit Logs track access, BigQuery itself does not classify data, and Cloud KMS manages encryption keys.

57
Multi-Select · hard

An organization must comply with ITAR regulations. They use Assured Workloads with the ITAR regime. Which THREE controls are automatically enforced by this regime? (Choose three.)

Select 3 answers
A. VPC Service Controls automatically configured
B. Use of Customer-Managed Encryption Keys (CMEK) for applicable services
C. Data residency in the US only
D. Cloud Audit Logs retention set to 10 years
E. Access Transparency and Access Approval enabled to restrict Google personnel access
Answers: B, C, E

CMEK is enforced for services that support it, ensuring customer control over encryption keys.

Why this answer

Assured Workloads for ITAR enforces data residency, personnel access restrictions, and encryption with CMEK. VPC Service Controls, while important, are not automatically enforced by the regime itself but can be added separately.

58
Multi-Select · medium

A company subject to PCI DSS is building a cardholder data environment (CDE) on Google Cloud. They need to encrypt cardholder data at rest and in transit. Which THREE measures should they implement? (Choose three.)

Select 3 answers
A. Enforce TLS 1.2 or higher for data in transit.
B. Implement Cloud KMS to manage encryption keys.
C. Use Customer-Managed Encryption Keys (CMEK) for at-rest encryption.
D. Configure Cloud Armor WAF to inspect traffic.
E. Use VPC Service Controls to isolate the CDE.
Answers: A, B, C

TLS 1.2+ is required by PCI DSS for encrypting data in transit.

Why this answer

PCI DSS requires strong encryption. CMEK allows customer-managed keys for at-rest encryption. TLS 1.2 or higher encrypts data in transit.

Cloud KMS is used to manage encryption keys. Cloud Armor is a WAF, not encryption. VPC Service Controls provide network segmentation, not encryption.

Cloud HSM is hardware-backed key storage, but the question asks for measures that encrypt data; CMEK, TLS, and Cloud KMS are directly related to encryption.

59
MCQ · medium

A healthcare organization is migrating to Google Cloud and needs to store Protected Health Information (PHI) while maintaining HIPAA compliance. They have executed a Business Associate Agreement (BAA) with Google. Which additional step is required to ensure that PHI is properly classified and protected?

A. Enable Audit Logs for all services that process PHI.
B. Configure Cloud Armor to protect web applications handling PHI.
C. Enable VPC Service Controls and restrict access to Cloud Storage buckets containing PHI.
D. Use Cloud Data Loss Prevention (DLP) to inspect and classify storage buckets containing PHI.
Answer: D

Cloud DLP can inspect and classify sensitive data like PHI, helping the organization apply appropriate controls.

Why this answer

For HIPAA compliance, after signing a BAA, organizations must implement data classification. Cloud DLP provides the ability to discover and classify PHI across GCP services.

60
MCQ · medium

A company is required to perform penetration testing on their Google Cloud infrastructure. According to Google Cloud's policy, which statement is true regarding penetration testing?

A. Customers must use Google's own penetration testing tools, such as Web Security Scanner.
B. No prior approval is needed for testing most services, but denial-of-service (DoS) attacks are not permitted.
C. Prior approval from Google is required for all penetration testing activities.
D. Penetration testing is prohibited on Google Cloud unless it is conducted by a certified third party.
Answer: B

Google's policy allows testing without prior approval for most services, but DoS attacks are explicitly prohibited.

Why this answer

Google Cloud's Acceptable Use Policy permits penetration testing on most services without prior approval, but DoS attacks are forbidden.

61
MCQ · easy

A company needs to retain critical financial records for 7 years to comply with SEC regulations. They choose to store the records in Cloud Storage. Which feature should they enable to ensure the records cannot be deleted or overwritten before the retention period expires?

A. Enable bucket-level IAM conditions.
B. Configure an object lifecycle rule to delete objects after 7 years.
C. Use Cloud KMS to encrypt objects and destroy the key after 7 years.
D. Apply a retention policy and lock the bucket using Bucket Lock.
Answer: D

Retention policy with Bucket Lock enforces WORM compliance, making objects immutable until the retention period ends.

Why this answer

Object Retention Lock in Cloud Storage allows you to set a retention policy on a bucket, which uses a WORM (Write Once Read Many) model. Once an object is stored, it cannot be deleted or overwritten until the retention period expires. Bucket Lock locks the retention policy, preventing changes.

IAM conditions and lifecycle rules do not enforce immutability.

62
MCQ · medium

A company needs to ensure that all data stored in Cloud Storage is encrypted at rest using keys that they generate and manage themselves. They also need to rotate the keys every 90 days. Which encryption option should they use?

A. Customer-supplied encryption keys (CSEK)
B. Cloud External Key Manager (Cloud EKM)
C. Google-managed encryption keys (GMEK)
D. Customer-managed encryption keys (CMEK) using Cloud KMS
Answer: D

CMEK allows customers to manage their own keys in Cloud KMS, including automatic rotation on a schedule.

Why this answer

CMEK gives customers control over key lifecycle, including automatic rotation every 90 days.

63
MCQ · medium

A healthcare organization is migrating workloads to Google Cloud and needs to process Protected Health Information (PHI) under HIPAA. Which step is required before storing PHI in any GCP service?

A. Enable VPC Service Controls on all projects
B. Sign a Business Associate Agreement (BAA) with Google Cloud
C. Configure Cloud DLP to classify all data
D. Enable Cloud Audit Logs for all services
Answer: B

A BAA is a mandatory contractual agreement between the covered entity and Google Cloud, required before processing PHI.

Why this answer

HIPAA requires a Business Associate Agreement (BAA) with Google Cloud before processing or storing PHI. The organization must sign a BAA with Google, which provides assurances regarding the protection of PHI.

64
Multi-Select · hard

A company is designing a PCI DSS-compliant architecture on Google Cloud. They need to ensure that the cardholder data environment (CDE) is isolated from other environments and that all access to the CDE is logged. Which THREE controls should they implement? (Choose three.)

Select 3 answers
A. Separate VPC networks for the CDE and non-CDE environments.
B. Cloud NAT to allow outbound internet access from the CDE.
C. Cloud Armor WAF to protect web applications in the CDE.
D. Cloud Audit Logs for all services in the CDE.
E. VPC Service Controls to create a perimeter around the CDE.
Answers: A, D, E

Separate VPCs provide network-level isolation.

Why this answer

VPC Service Controls provide a security perimeter around the CDE, preventing data exfiltration. VPC networks provide network isolation. Cloud Audit Logs record all access to resources.

Cloud Armor is a WAF for inbound traffic. Cloud NAT provides outbound internet. Cloud KMS manages encryption keys.

65
MCQ · hard

A company must process credit card transactions on Google Cloud and achieve PCI DSS compliance. They want to minimize the scope of the cardholder data environment (CDE). Which architectural approach should they take?

A. Use separate VPCs for the CDE and non-CDE workloads, and connect them using VPC peering with firewall rules to restrict traffic.
B. Use a Shared VPC with a dedicated subnet for CDE resources and apply strict firewall rules.
C. Place all workloads in a single VPC and use Cloud Armor to protect the CDE.
D. Create a separate VPC for the CDE, and route traffic through a dedicated project with VPC Service Controls and Private Google Access.
Answer: D

A separate VPC isolates the CDE network. VPC Service Controls further protect data and reduce PCI scope.

Why this answer

Network segmentation is key to minimizing PCI DSS scope. A separate VPC for the CDE, combined with VPC Service Controls, isolates cardholder data.

66
MCQ · medium

An organization wants to run a penetration test on their Google Cloud environment to validate security controls. According to Google's Acceptable Use Policy, which of the following is true regarding penetration testing?

A. Denial of Service (DoS) testing is permitted as long as it targets only customer-owned IPs.
B. All penetration tests require prior approval from Google Cloud support.
C. Customers can conduct penetration testing without prior approval, but must avoid DoS attacks.
D. Penetration testing is only allowed on Compute Engine, not on managed services like Cloud SQL.
Answer: C

Google allows penetration testing without prior approval for most services, but DoS testing is prohibited.

Why this answer

Google's Acceptable Use Policy allows customers to conduct penetration testing on their own infrastructure without prior approval for most services, but it prohibits denial of service (DoS) testing. Tests must follow the policy guidelines.

67
Multi-Select · medium

A company processes healthcare data and has signed a BAA with Google Cloud. They need to implement controls for HIPAA compliance. Which THREE actions should they take? (Choose three.)

Select 3 answers
A. Provide security awareness training to all workforce members.
B. Enable Customer-Managed Encryption Keys (CMEK) for all services.
C. Use Cloud Armor to protect the web application from DDoS attacks.
D. Ensure all covered services have access logging enabled for PHI access.
E. Use Cloud DLP to classify and de-identify PHI in Cloud Storage and BigQuery.
Answers: A, D, E

Workforce training is a requirement under the HIPAA Security Rule.

Why this answer

HIPAA requires workforce training, access logging for covered services, and data classification to identify PHI. CMEK is optional; Cloud Armor is for web application security but not specifically required by HIPAA.

68
Multi-Select · medium

A company is implementing PCI DSS compliance on Google Cloud. They need to ensure that cardholder data is encrypted in transit and at rest. Which TWO encryption controls are required by PCI DSS?

Select 2 answers
A. Use TLS 1.2 or higher for all data in transit
B. Enable Cloud CDN
C. Use Cloud NAT
D. Enable VPC Flow Logs
E. Use CMEK for encryption of cardholder data at rest
Answers: A, E

PCI DSS requires strong transport encryption; TLS 1.2+ is the standard.

Why this answer

PCI DSS requires strong encryption for data in transit (TLS 1.2 or higher) and for data at rest (e.g., using encryption keys managed by the customer or Google). CMEK ensures customer-managed keys for data at rest.

69
MCQ · hard

A financial institution is deploying a PCI DSS-compliant cardholder data environment (CDE) on Google Cloud. They need to segment the CDE from other environments and restrict data egress from the CDE. Which two services should they use together? (Choose the best combination.)

A. VPCs and VPC Service Controls
B. Cloud VPN and VPC Service Controls
C. VPCs and Cloud NAT
D. VPC Service Controls and Cloud Armor
Answer: A

VPCs provide network isolation, and VPC Service Controls restrict data egress from the CDE, meeting PCI DSS segmentation requirements.

Why this answer

For PCI DSS network segmentation, VPCs provide network isolation, and VPC Service Controls enforce perimeter security by preventing data egress from the CDE to unauthorized destinations. Cloud NAT provides outbound internet access but does not restrict egress. Cloud Armor is a WAF for inbound traffic.

Cloud VPN connects on-premises but does not segment.

70
MCQ · medium

A security engineer wants to test a web application hosted on Compute Engine for vulnerabilities. According to Google Cloud's Acceptable Use Policy, which of the following is true regarding penetration testing?

A. Penetration testing is allowed only for customers with Enterprise support plans.
B. All penetration testing requires prior written approval from Google.
C. Penetration testing is allowed without prior approval, but Denial of Service (DoS) testing is prohibited.
D. Testing must be limited to non-production environments only.
Answer: C

As per Google Cloud's Acceptable Use Policy, penetration testing is allowed without prior approval, but DoS testing is not permitted.

Why this answer

Google Cloud does not require prior approval for penetration testing of most services, but Denial of Service (DoS) testing is explicitly prohibited.

71
MCQ · easy

A security team wants to monitor for compliance drift in an Assured Workloads folder that enforces FedRAMP High controls. Which Google Cloud service should they use to detect violations of organization policies?

A. Cloud Monitoring
B. Security Command Center
C. Access Transparency
D. Cloud Audit Logs
Answer: B

Security Command Center provides compliance monitoring and can detect violations of organization policies.

Why this answer

Security Command Center includes a compliance dashboard and can detect policy violations in Assured Workloads.

72
MCQ · medium

A healthcare organization is migrating PHI workloads to Google Cloud and needs to encrypt data at rest with keys that are generated and managed within their own on-premises hardware security module (HSM). Which encryption approach should they use?

A. Enable Cloud External Key Manager (Cloud EKM).
B. Apply default Google-managed AES-256 encryption.
C. Use Cloud Key Management Service (Cloud KMS) with Cloud HSM to generate keys.
D. Use customer-supplied encryption keys (CSEK).
Answer: A

Cloud EKM allows you to use an external key management partner or your own on-premises HSM to manage encryption keys.

Why this answer

Cloud External Key Manager (Cloud EKM) allows you to manage encryption keys in an external key management system that is FIPS 140-2 Level 3 validated, including on-premises HSMs. CSEK requires you to supply your own keys but Google manages them on the server side. CMEK uses Cloud KMS keys, which can be generated in Cloud HSM, but the keys remain under Google's control.

AES-256 encryption is the default Google-managed encryption, which does not meet the requirement for customer-managed keys on an on-premises HSM.

73
MCQ · easy

Which Google Cloud compliance certification requires the customer to sign a Business Associate Agreement (BAA) with Google?

A. PCI DSS
B. SOC 2
C. HIPAA
D. FedRAMP
Answer: C

HIPAA requires a signed BAA to ensure Google Cloud agrees to safeguard PHI.

Why this answer

HIPAA requires a BAA between a covered entity (or business associate) and Google Cloud before processing Protected Health Information (PHI).

74
Multi-Selectmedium

A company is implementing a HIPAA-compliant environment on Google Cloud. They need to ensure that all access to protected health information (PHI) is logged and monitored. Which TWO steps should they take? (Choose two.)

Select 2 answers
A.Set up Cloud Logging-based alerts for suspicious access patterns.
B.Use Cloud DLP to automatically classify PHI in logs.
C.Configure VPC Service Controls to restrict PHI data egress.
D.Deploy Cloud NAT for outbound traffic from PHI instances.
E.Enable Cloud Audit Logs for all services that store or process PHI.
AnswersA, E

Audit logs record every access to PHI, and alerts on those logs turn the record into monitoring.

Why this answer

HIPAA requires that access to PHI be logged and reviewed. Enabling Cloud Audit Logs for every service that stores or processes PHI produces the access record, and Cloud Logging alerts on those entries provide the monitoring. Note that Admin Activity logs are always on, but Data Access audit logs (the entries that show who read or wrote PHI) are disabled by default for most services and must be turned on explicitly in the project, folder or organization IAM policy.

VPC Service Controls restrict where data can move but do not log who accessed it, so it is a worthwhile control but does not answer this question. Cloud DLP (Sensitive Data Protection) classifies and de-identifies data; it does not produce access logs. Cloud NAT provides outbound internet access and is unrelated to logging.
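The two steps above, as an added example that is not part of the original page: the first function checks a project IAM policy (as returned by `gcloud projects get-iam-policy --format=json`) for services that lack full Data Access audit logging, and the second applies simple "suspicious access pattern" rules to exported Cloud Audit Log entries. The principals, networks, bucket names, thresholds and log entries are constructed for the example; only the log entry and IAM policy field names follow the real Google Cloud formats.

```python
"""Check Data Access audit-log coverage and flag suspicious PHI access.

All names, networks, thresholds and sample entries below are assumptions
made for this example; only the field layout matches Cloud Audit Logs and
the IAM policy auditConfigs format.
"""
import ipaddress
from collections import Counter

# Every log type must be on for PHI services; Data Access types are off by default.
REQUIRED_LOG_TYPES = {"ADMIN_READ", "DATA_READ", "DATA_WRITE"}

# Example policy: only admin reads everywhere, full coverage for Cloud Storage.
SAMPLE_IAM_POLICY = {  # constructed, not a real project policy
    "bindings": [{"role": "roles/viewer", "members": ["group:phi-auditors@example-health.org"]}],
    "auditConfigs": [
        {"service": "allServices", "auditLogConfigs": [{"logType": "ADMIN_READ"}]},
        {"service": "storage.googleapis.com",
         "auditLogConfigs": [{"logType": "DATA_READ"}, {"logType": "DATA_WRITE"}]},
    ],
}


def services_missing_audit_logs(iam_policy, services):
    """Return the services whose audit config does not enable all required log types.

    A service is covered by the union of the `allServices` entry and its own entry.
    """
    enabled = {}
    for cfg in iam_policy.get("auditConfigs", []):
        enabled[cfg["service"]] = {c["logType"] for c in cfg.get("auditLogConfigs", [])}
    missing = []
    for svc in services:
        covered = enabled.get("allServices", set()) | enabled.get(svc, set())
        if not REQUIRED_LOG_TYPES <= covered:
            missing.append(svc)
    return missing


# Assumptions for the access rules: who may read PHI, from where, and how much per batch.
APPROVED_PRINCIPALS = {"alice@example-health.org", "bob@example-health.org"}
APPROVED_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]
PHI_RESOURCE_PREFIXES = ("projects/_/buckets/phi-",)
MAX_READS_PER_PRINCIPAL = 3
DATA_ACCESS_LOG_SUFFIX = "cloudaudit.googleapis.com%2Fdata_access"


def _entry(principal, ip, resource, method="storage.objects.get", log="data_access"):
    """Build a minimal entry shaped like a Cloud Audit Log JSON export (constructed)."""
    return {
        "logName": f"projects/phi-prod/logs/cloudaudit.googleapis.com%2F{log}",
        "protoPayload": {
            "@type": "type.googleapis.com/google.cloud.audit.AuditLog",
            "serviceName": "storage.googleapis.com",
            "methodName": method,
            "resourceName": resource,
            "authenticationInfo": {"principalEmail": principal},
            "requestMetadata": {"callerIp": ip},
        },
    }


PHI_OBJECT = "projects/_/buckets/phi-records/objects/patient-1234.json"
PUBLIC_OBJECT = "projects/_/buckets/marketing-assets/objects/logo.png"

SAMPLE_ENTRIES = [  # constructed sample data, not real logs
    _entry("alice@example-health.org", "203.0.113.10", PHI_OBJECT),        # normal
    _entry("contractor@external.example", "203.0.113.11", PHI_OBJECT),    # wrong principal
    _entry("alice@example-health.org", "198.51.100.7", PHI_OBJECT),        # wrong network
    _entry("alice@example-health.org", "198.51.100.7", PUBLIC_OBJECT),     # not PHI, ignored
    _entry("bob@example-health.org", "203.0.113.12", "projects/_/buckets/phi-records",
           "storage.buckets.setIamPolicy", "activity"),                      # Admin Activity, ignored here
] + [_entry("bob@example-health.org", "203.0.113.12", PHI_OBJECT) for _ in range(4)]  # volume


def _ip_approved(ip):
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:  # missing callerIp, or values such as "private"
        return False
    return any(addr in net for net in APPROVED_NETWORKS)


def find_suspicious(entries):
    """Return (reason, principal, detail) findings for Data Access entries on PHI resources."""
    findings = []
    reads = Counter()
    for entry in entries:
        if not entry.get("logName", "").endswith(DATA_ACCESS_LOG_SUFFIX):
            continue  # Admin Activity entries are always logged; reviewed separately
        payload = entry["protoPayload"]
        resource = payload.get("resourceName", "")
        if not resource.startswith(PHI_RESOURCE_PREFIXES):
            continue
        principal = payload["authenticationInfo"]["principalEmail"]
        ip = payload.get("requestMetadata", {}).get("callerIp", "")
        if principal not in APPROVED_PRINCIPALS:
            findings.append(("unapproved-principal", principal, resource))
        if not _ip_approved(ip):
            findings.append(("unapproved-network", principal, resource))
        reads[principal] += 1
    for principal, count in reads.items():
        if count > MAX_READS_PER_PRINCIPAL:
            findings.append(("high-volume", principal, f"{count} PHI reads"))
    return findings


if __name__ == "__main__":
    print(services_missing_audit_logs(SAMPLE_IAM_POLICY,
          ["storage.googleapis.com", "healthcare.googleapis.com", "compute.googleapis.com"]))
    for finding in find_suspicious(SAMPLE_ENTRIES):
        print(finding)
```

In production the same rules would be expressed as Cloud Logging alert filters or as a scheduled query over a log sink in BigQuery; the point here is that the detection only works if the Data Access entries exist, which is why the coverage check comes first.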

75
MCQmedium

A financial institution is deploying a PCI DSS-compliant web application on Google Cloud. They need to isolate the cardholder data environment (CDE) from other environments and protect the web application against common web attacks. Which combination of services meets these requirements?

A.Cloud NAT and Cloud IDS
B.VPC Service Controls and Cloud Armor
C.Identity-Aware Proxy (IAP) and Cloud Storage
D.Shared VPC and Cloud Load Balancing
AnswerB

VPC Service Controls put a service perimeter around the CDE's Google Cloud resources, and Cloud Armor provides WAF protection for the web application.

Why this answer

VPC Service Controls define a perimeter around the projects and managed services that hold cardholder data so that API access to them is denied from outside the perimeter, which blocks exfiltration even by a principal with valid credentials. Cloud Armor attaches to the external HTTP(S) load balancer and provides DDoS protection plus preconfigured WAF rules for OWASP Top 10 classes such as SQL injection and cross-site scripting. Together they address both requirements in the question.

Practitioner caveat: VPC Service Controls isolate at the API layer, not the network layer. PCI DSS network segmentation of the CDE still needs a dedicated VPC or subnets with firewall rules (and, where applicable, Private Google Access), with VPC Service Controls layered on top.

Cloud IDS detects network threats but does not isolate anything. Cloud NAT provides outbound internet access, not a security boundary. Cloud Load Balancing distributes traffic and Shared VPC shares a network across projects; neither isolates the CDE. Identity-Aware Proxy controls user access to applications and Cloud Storage is storage; neither is a WAF.
