CCNA Pcse Data Protection Questions

75 of 100 questions · Page 1/2 · Pcse Data Protection topic · Answers revealed

1. MCQ (medium)

A company uses BigQuery to store sensitive customer data. They want to restrict access to certain columns (e.g., email and SSN) so that only authorized users see the actual values, while other users see a masked version. Which approach should they use?

A. Use BigQuery column-level security with policy tags and data masking rules.
B. Create separate views for different user groups, each with different column projections.
C. Use Cloud Storage signed URLs to grant time-limited access to the data.
D. Use Cloud DLP to scan BigQuery tables and create de-identification jobs that permanently mask the data in the table.

Answer: A

This allows setting access controls and masking policies directly on columns, providing dynamic masking based on the user's role.

Why this answer

BigQuery column-level security using policy tags and data masking rules allows you to define fine-grained access controls and masking policies on specific columns. This is the recommended approach for column-level access and masking in BigQuery.

2. Multi-Select (hard)

A security team wants to ensure that a Cloud KMS key is rotated automatically every 30 days and that previous key versions are available for decryption for at least 6 months. Which THREE steps should they take? (Choose three.)

A. Ensure that the key's destruction policy does not automatically destroy versions before 6 months
B. Manually rotate the key every 30 days using a Cloud Function
C. Set the rotation period to 30 days on the cryptographic key
D. Keep the previous key versions and not schedule their destruction
E. Configure the key's `next_rotation_time` to start rotation immediately

Answers: A, C, D

By default, old versions are not destroyed; they remain available.

Why this answer

To meet the requirements: 1) set the rotation period to 30 days on the key; 2) do not destroy old key versions until after 6 months; 3) rely on the default destruction policy, which does not automatically destroy old versions, so they remain available. Setting a primary version is not required for rotation, and disabling rotation is contrary to the requirement.

3. MCQ (hard)

A company has a Cloud Storage bucket containing CSV files with sensitive data. They want to use Cloud DLP to scan the files for personally identifiable information (PII) and automatically redact (replace) any detected credit card numbers before the data is used by downstream analytics. What type of job should they create?

A. Inspection job with a Cloud Data Loss Prevention API to call a Cloud Function.
B. De-identification job with a bucketing transform.
C. Inspection job with a Cloud Pub/Sub notification to trigger a Cloud Function that redacts the data.
D. De-identification job using a masking transform for credit card numbers.

Answer: D

A de-identification job can apply transforms (e.g., masking) to redact sensitive data.

Why this answer

Option D is correct because Cloud DLP's de-identification jobs are designed to automatically transform sensitive data, such as redacting credit card numbers using a masking transform. This job type directly applies the redaction to the CSV files in Cloud Storage without requiring external triggers or custom functions, making it the most efficient and native solution for automated redaction before downstream analytics.

Exam trap

Cisco often tests the distinction between inspection-only jobs (detection) and de-identification jobs (transformation), and the trap here is that candidates confuse 'inspection' with 'redaction' or assume a custom function is needed when DLP's native transforms suffice.

How to eliminate wrong answers

Option A is wrong because an Inspection job only scans and classifies data; it does not perform redaction, and calling a Cloud Function via the API adds unnecessary complexity and latency. Option B is wrong because a bucketing transform is used for generalizing values (e.g., replacing exact ages with age ranges), not for redacting specific patterns like credit card numbers. Option C is wrong because an Inspection job with a Pub/Sub notification still only detects PII; the redaction would require an external Cloud Function to read, modify, and rewrite the files, which is less reliable and not a native DLP de-identification feature.

4. MCQ (medium)

A company uses Assured Workloads to meet FedRAMP High compliance in the US. They need to ensure that data cannot be moved outside the US region. Which control should they use?

A. Use VPC Service Controls to prevent data exfiltration.
B. Set IAM conditions on all resources to allow only US regions.
C. Configure an organization policy with gcp.resourceLocations as part of the Assured Workloads configuration.
D. Use Cloud DLP to scan and block data leaving the US.

Answer: C

Assured Workloads can enforce location constraints via organization policies.

Why this answer

Option C is correct because Assured Workloads enforces compliance boundaries through organization policies, and the `gcp.resourceLocations` constraint specifically restricts where Google Cloud resources can be created. By configuring this policy as part of the Assured Workloads configuration, you ensure that all resources are provisioned only within the US region, preventing data from being stored or processed outside that boundary. This directly meets the FedRAMP High requirement to keep data within the US.

Exam trap

The trap here is that candidates confuse data exfiltration controls (like VPC Service Controls) with data residency controls (like organization policy constraints), leading them to choose a tool that prevents data from leaving a network rather than one that restricts where resources can be physically located.

How to eliminate wrong answers

Option A is wrong because VPC Service Controls are designed to prevent data exfiltration by controlling data movement between VPCs and external networks, but they do not enforce geographic location restrictions on where resources are created or stored. Option B is wrong because IAM conditions can restrict access based on resource location, but they do not prevent the creation of resources outside the US region; they only control who can access resources, not where resources are provisioned. Option D is wrong because Cloud DLP is a data loss prevention tool that scans and classifies sensitive data, but it does not block data movement based on geographic region; it is not a mechanism to enforce resource location constraints.

5. MCQ (medium)

A security engineer needs to audit all administrative actions performed by Google support engineers on their GCP project. Which service provides near-real-time logs of such access?

A. Cloud Audit Logs
B. Access Transparency
C. Cloud DLP
D. VPC Flow Logs

Answer: B

Access Transparency logs Google admin access to customer content, providing near-real-time visibility.

Why this answer

Access Transparency provides logs when Google personnel access customer content (e.g., support cases, internal troubleshooting). These logs are near-real-time and can be viewed in Cloud Logging. Audit Logs (Cloud Audit Logs) record user API calls, not Google admin access.

6. MCQ (easy)

A company wants to encrypt data at rest in Cloud Storage using a key that they manage and rotate periodically. They also need to ensure that the key material is stored in a FIPS 140-2 Level 3 validated HSM. Which encryption option should they use?

A. Google-managed encryption keys (GMEK)
B. Customer-managed encryption keys (CMEK) using Cloud HSM
C. Customer-managed encryption keys (CMEK) using Cloud KMS with software keys
D. Customer-supplied encryption keys (CSEK)

Answer: B

CMEK with Cloud HSM provides customer-managed keys stored in FIPS 140-2 Level 3 HSM.

Why this answer

CMEK with Cloud HSM uses customer-managed keys stored in a FIPS 140-2 Level 3 HSM. GMEK uses Google-managed keys, CSEK requires the customer to supply the key with each API call and Google does not store it, and Cloud HSM alone is not an encryption option; it must be used with CMEK.

7. Multi-Select (medium)

A company needs to enforce data residency in the European Union for all GCP resources. Which TWO actions should they take? (Choose two.)

A. Create a VPC Service Perimeter that only allows access from EU regions
B. Use Assured Workloads with an EU data boundary
C. Configure the organization policy constraint `gcp.resourceLocations` to allow only EU regions
D. Set IAM policies to deny access to non-EU regions
E. Enable Cloud Audit Logs to monitor resource creation outside EU

Answers: B, C

Assured Workloads provides compliance controls including data residency in the EU.

Why this answer

To enforce EU data residency, the organization policy constraint `gcp.resourceLocations` can restrict allowed locations to EU regions. Additionally, Assured Workloads can provide regulatory compliance controls for an EU data boundary. VPC Service Controls prevent data exfiltration but do not enforce residency.

Audit Logs and IAM do not restrict locations.

8. MCQ (easy)

Which Cloud DLP transform should be used to replace sensitive data with a token that preserves the format and length of the original data for reversible de-identification?

A. DateShiftConfig
B. MaskingConfig
C. CryptoReplaceFfxFpeConfig
D. BucketingConfig

Answer: C

FPE preserves format and length and is reversible, making it suitable for tokenization.

Why this answer

CryptoReplaceFfxFpeConfig uses Format-Preserving Encryption (FPE) to replace data with a token that retains the original format and length, and the process is reversible with the encryption key.

9. Multi-Select (medium)

An organization stores sensitive data in Cloud Storage and wants to use Cloud DLP to automatically scan new objects for PII as they are uploaded. Which TWO resources are needed? (Choose two.)

A. Cloud Scheduler
B. Cloud Functions
C. Cloud Storage Pub/Sub notifications
D. Cloud DLP JobTrigger
E. Cloud DLP InspectTemplate

Answers: C, D

Why this answer

To scan objects automatically upon upload, you need a Cloud DLP job trigger that listens to Pub/Sub notifications from the storage bucket. The bucket must be configured to send Pub/Sub notifications for new objects. The job trigger will create inspect jobs when new objects are added.

10. MCQ (medium)

A company wants to enforce that all BigQuery datasets are created in the 'US' multi-region to comply with data residency policies. Which organization policy constraint can achieve this?

A. gcp.resourceLocations
B. constraints/gcp.restrictNoncompliantResources
C. constraints/compute.trustedImageProjects
D. constraints/bigquery.restrictDatasetLocation

Answer: A

This constraint restricts resource creation to specified locations, including BigQuery datasets.

Why this answer

The 'gcp.resourceLocations' constraint restricts the locations where resources can be created. By setting the allowed locations to 'us' (or specific US regions), BigQuery datasets must be created in those locations. The other constraints: 'constraints/bigquery.restrictDatasetLocation' is not a valid organization policy. 'constraints/gcp.restrictNoncompliantResources' is not specific to locations. 'constraints/compute.trustedImageProjects' is for images.

11. MCQ (hard)

A company uses Cloud DLP to scan a BigQuery table containing customer data. They want to de-identify credit card numbers so that the first 12 digits are masked with 'X' and the last 4 digits remain visible. Which de-identification transform should they use?

A. DateShiftConfig
B. MaskingConfig
C. BucketingConfig
D. CryptoReplaceFfxFpeConfig

Answer: B

MaskingConfig replaces characters with a specified masking character over a specified range; e.g., mask 12 characters and leave the last 4 unmasked.

Why this answer

MaskingConfig with a masking character of 'X' and a character mask range covering the first 12 characters (or an equivalent range specification) achieves this. CryptoReplaceFfxFpeConfig could also be used for consistent de-identification of credit card numbers, but it preserves the format rather than masking digits, so the direct mask is MaskingConfig.

The correct answer is MaskingConfig, as it allows masking specific character ranges. The other options: DateShiftConfig shifts dates, BucketingConfig groups values, and CryptoReplaceFfxFpeConfig preserves format but does not mask.

12. Multi-Select (medium)

A company wants to use Cloud KMS to encrypt data in Cloud Storage with a key that is automatically rotated every 30 days. They also want to ensure that the key material is stored in a HSM. Which TWO resources must they create? (Choose two.)

A. A Cloud HSM key ring
B. A key with purpose EXTERNAL
C. A key ring with protection level software
D. A cryptographic key with protection level HSM
E. A Cloud HSM cluster

Answers: A, D

The key ring groups keys and can be created with HSM protection level.

Why this answer

To use CMEK with Cloud HSM, the engineer needs to create a Cloud HSM key ring (which is a resource that groups keys) and a cryptographic key with protection level HSM. The key ring is created first, then the key is created within it. The other options: a key ring with software protection level would not use HSM; a Cloud KMS key is created within a key ring, so both are needed.

13. Multi-Select (medium)

A company is using Cloud KMS with software keys for encryption. They want to increase security by using an HSM backend without changing their existing key rings or key names. Which TWO steps should they take? (Choose two.)

A. Create a new key ring and migrate all keys to it.
B. Change the protection level of the existing key version to HSM using the API.
C. Delete the existing software key versions and recreate them with HSM protection.
D. Create a new key version with the protection level set to HSM.
E. Update the key's default protection level to HSM.

Answers: D, E

You can create a new key version with the desired protection level; the existing software versions remain for decryption.

Why this answer

To switch a key from software to HSM backend, you need to create a new key version with the protection level HSM, and then update the key's default protection level to HSM so that future versions are also HSM-backed. You cannot change the protection level of an existing key version.

14. MCQ (medium)

A financial institution is required to store customer transaction data within the European Union to comply with GDPR data residency requirements. They want to prevent users from creating resources in any region outside the EU. Which organization policy constraint should they use?

A. constraints/compute.vmExternalIpAccess
B. constraints/gcp.resourceLocations
C. constraints/iam.allowedPolicyMemberDomains
D. constraints/sql.restrictAuthorizedNetworks

Answer: B

This constraint defines the allowed resource locations.

Why this answer

The organization policy constraint gcp.resourceLocations restricts the locations where Google Cloud resources can be created. By setting a list of allowed locations (e.g., europe-west1, europe-west4), resources cannot be created in non-EU regions.

15. MCQ (hard)

A company uses Customer-Supplied Encryption Keys (CSEK) for Compute Engine persistent disks. They want to rotate the key used for an existing disk without recreating the disk. What must the engineer do?

A. Detach the disk and reattach it with the new CSEK key
B. Rotate the key in Cloud KMS and the disk will automatically use it
C. Create a snapshot of the disk and restore it with a new CMEK key
D. Use gcloud compute disks update with the new key

Answer: A

Detaching and reattaching the disk with the new key is the correct method to rotate a CSEK key.

Why this answer

Option A is correct because CSEK keys are not stored in Google Cloud; they are provided by the customer at the time of disk attachment. To rotate the key, you must detach the disk and reattach it with the new CSEK key, as the key is only used during the attach operation to encrypt the disk's data encryption keys (DEKs). The disk itself is not re-encrypted; the new key is used to wrap the DEKs for future reads/writes.

Exam trap

Cisco often tests the distinction between CSEK and CMEK, trapping candidates who assume that CSEK keys can be rotated via Cloud KMS or disk update commands, when in fact CSEK requires a detach/reattach workflow.

How to eliminate wrong answers

Option B is wrong because CSEK keys are not managed in Cloud KMS; they are customer-supplied directly, and Cloud KMS is used for CMEK (Customer-Managed Encryption Keys), not CSEK. Option C is wrong because creating a snapshot and restoring with a CMEK key changes the encryption type from CSEK to CMEK, which is not a rotation of the existing CSEK key and requires recreating the disk. Option D is wrong because `gcloud compute disks update` does not support updating the CSEK key for an existing disk; the key can only be specified during disk creation or attachment.

16. MCQ (medium)

A company wants to enforce that all new Cloud Storage buckets are created in only the europe-west1 region. Which organization policy constraint should they use?

A. constraints/storage.uniformBucketLevelAccess
B. constraints/compute.requireOsLogin
C. constraints/gcp.resourceLocations
D. constraints/iam.disableServiceAccountCreation

Answer: C

This constraint restricts where resources can be created; it can be set to allow only europe-west1.

Why this answer

The organization policy constraint gcp.resourceLocations restricts the locations where resources can be created. By setting this constraint with a list of allowed locations (e.g., europe-west1), new buckets can only be created in those regions.

17. MCQ (easy)

A security engineer needs to ensure that all customer data stored in Cloud Storage is encrypted at rest using keys that the organization manages and rotates themselves. Which encryption option should they use?

A. Customer-supplied encryption keys (CSEK)
B. Google-managed encryption (GMEK)
C. Customer-managed encryption keys (CMEK) using Cloud KMS
D. Cloud HSM

Answer: C

CMEK allows customers to manage and rotate their keys via Cloud KMS.

Why this answer

Customer-managed encryption keys (CMEK) using Cloud KMS is the correct choice because it allows the organization to create, manage, and rotate their own encryption keys for Cloud Storage data at rest, while still leveraging Google's infrastructure for encryption. CMEK uses Cloud KMS to wrap the data encryption keys (DEKs) with a customer-managed key encryption key (KEK), ensuring the organization retains control over key lifecycle operations such as rotation, disabling, and destruction, meeting the requirement for self-managed key rotation.

Exam trap

Cisco often tests the distinction between CMEK and CSEK, where candidates mistakenly choose CSEK because they think 'customer-supplied' implies full control, but they overlook that CSEK does not support persistent key management or rotation, which is a core requirement in this scenario.

How to eliminate wrong answers

Option A is wrong because Customer-supplied encryption keys (CSEK) require the customer to provide the raw encryption key with each API call, and Google does not store the key; this option does not support automated key rotation and is not suitable for persistent key management at rest. Option B is wrong because Google-managed encryption (GMEK) uses keys that Google creates and rotates on behalf of the customer, which does not satisfy the requirement for the organization to manage and rotate keys themselves. Option D is wrong because Cloud HSM is a hardware security module service that can be used to protect CMEK keys, but it is not an encryption option itself; it is a backing key store for CMEK, and selecting it alone does not provide the key management and rotation capabilities required.

18. MCQ (hard)

A healthcare organization uses Cloud DLP to scan a Cloud Storage bucket containing medical records. They want to inspect for sensitive data such as patient names and SSNs, but only on new objects added after a certain date. Which DLP configuration should they use?

A. Use Cloud Functions to trigger DLP inspection on new object creation events
B. Create a DLP job trigger with a schedule that runs daily and scans the entire bucket
C. Use BigQuery to query the bucket and then scan the results with DLP
D. Create a DLP job trigger with a schedule and set `cloud_storage_options.time_filter` to scan only objects after a date

Answer: A

Cloud Functions can respond to Cloud Storage events and call DLP to inspect the new object.

Why this answer

DLP job triggers can be configured to scan on schedule or in response to events. However, scanning only new objects requires using Cloud Storage object change notification or setting up a trigger that scans incrementally. The best approach is to create a DLP job trigger that scans based on Cloud Storage events (e.g., via Pub/Sub) for new objects.

19. MCQ (easy)

A data engineer wants to use Cloud DLP to scan a Cloud Storage bucket for personally identifiable information (PII). Which resource should they create to run this scan?

A. Create an InspectTemplate
B. Create a JobTrigger
C. Create a DeidentifyTemplate
D. Create a DlpJob

Answer: D

A DlpJob executes the inspection or de-identification operation on the specified data.

Why this answer

Cloud DLP uses 'DlpJob' or 'InspectJob' to scan data. A 'DlpJob' can be created to inspect content in Cloud Storage, BigQuery, or Datastore. A job trigger can schedule scans, but the scan itself is a job. 'DeidentifyTemplate' and 'InspectTemplate' are configuration templates, not the scan execution.

20. MCQ (medium)

An engineer needs to schedule automatic rotation of a symmetric key in Cloud KMS every 30 days. The key is currently enabled. What should they do?

A. Automatic rotation is not supported for symmetric keys
B. Set a rotation period via 'gcloud kms keyrings create'
C. Manually create a new key version every 30 days using 'gcloud kms keys versions create'
D. Set the rotation period on the key via 'gcloud kms keys update'

Answer: D

The 'gcloud kms keys update' command allows setting the rotation period for automatic rotation.

Why this answer

Cloud KMS supports automatic rotation by setting a rotation period on the key. The key must have purpose ENCRYPT_DECRYPT (symmetric). The rotation period can be set in seconds (e.g., 2592000 for 30 days).

Manual rotation is also possible but not automatic.

21. Multi-Select (medium)

A company wants to use Cloud DLP to de-identify sensitive data in a BigQuery table. They need to replace credit card numbers with a token that preserves the format and also mask email addresses by showing only the first character. Which TWO de-identification transforms should they use? (Choose two.)

A. MaskingConfig
B. CryptoReplaceFfxFpeConfig
C. DateShiftConfig
D. ReplaceValueConfig
E. BucketingConfig

Answers: A, B

Masking can replace part of the email with 'x'.

Why this answer

CryptoReplaceFfxFpeConfig performs format-preserving encryption, which suits credit card numbers. MaskingConfig with an 'x' masking character can mask email addresses (e.g., leaving only the first character visible).

22. MCQ (medium)

A company uses Cloud DLP to scan a BigQuery table for sensitive data. They want to automatically mask credit card numbers in query results for users who are not data stewards. Which approach should they use?

A. Enable Access Transparency to log queries and manually review
B. Use Cloud DLP de-identification jobs to replace credit card numbers with tokens in the source table
C. Use Cloud DLP inspect job and then manually apply a view that masks the column
D. Create a BigQuery Data Policy with masking rules on the column and assign appropriate IAM roles

Answer: D

BigQuery Data Policy allows column-level masking that applies dynamically based on the user's access, without modifying the underlying data.

Why this answer

BigQuery column-level security with data masking rules (via BigQuery Data Policy) allows defining masking policies (e.g., email masking, hash masking) that are automatically applied to query results based on user IAM. DLP inspection can identify the sensitive columns, but the masking is enforced by BigQuery policies.

23. MCQ (hard)

A company wants to use Cloud DLP to inspect Cloud Storage buckets for phone numbers that match a custom pattern (e.g., +1-XXX-XXX-XXXX). The pattern is not covered by built-in infoTypes. How should the engineer configure the DLP job?

A. Create a custom infoType with a regex pattern
B. Use the built-in PHONE_NUMBER infoType
C. Use Cloud Functions to scan the files and call DLP API
D. Store the pattern in Secret Manager and reference it in the DLP job

Answer: A

Custom infoTypes allow defining a regex to match the specific phone number pattern.

Why this answer

Option A is correct because Cloud DLP allows you to define custom infoTypes using regular expressions to match patterns not covered by built-in infoTypes. By creating a custom infoType with a regex pattern like `\+1-\d{3}-\d{3}-\d{4}`, the DLP job can inspect Cloud Storage buckets for phone numbers in the specified format. This approach directly addresses the requirement without relying on external services or unsupported built-in types.

Exam trap

Cisco often tests the misconception that built-in infoTypes can be customized or that external services like Secret Manager or Cloud Functions are required for pattern matching, when in fact Cloud DLP's custom infoType with regex is the direct and intended solution.

How to eliminate wrong answers

Option B is wrong because the built-in PHONE_NUMBER infoType does not match the custom pattern `+1-XXX-XXX-XXXX`; it typically matches international formats without the specific prefix and hyphen structure, leading to missed or false positives. Option C is wrong because using Cloud Functions to scan files and call the DLP API adds unnecessary complexity and cost; Cloud DLP natively supports inspecting Cloud Storage buckets via a DLP job, making a custom scanning layer redundant. Option D is wrong because Secret Manager is used for storing sensitive data like API keys or passwords, not for referencing regex patterns in DLP jobs; DLP custom infoTypes are defined directly in the job configuration or stored templates, not via Secret Manager.

24. MCQ (easy)

A security engineer needs to enforce that all new Compute Engine disks are created in a specific geographic region to meet data residency requirements. Which organization policy constraint should they use?

A. gcp.resourceLocations
B. constraints/compute.trustedImageProjects
C. compute.skipDefaultNetworkCreation
D. iam.allowedPolicyMemberDomains

Answer: A

This organization policy constraint restricts the locations where resources can be created.

Why this answer

The constraint 'gcp.resourceLocations' restricts where Google Cloud resources can be created. It can be set to a list of allowed locations. The other constraints: 'iam.allowedPolicyMemberDomains' restricts member domains, 'compute.skipDefaultNetworkCreation' prevents default network creation, 'constraints/compute.trustedImageProjects' restricts image projects.

25. MCQ (easy)

A security engineer wants to automatically rotate a database password stored in Secret Manager every 30 days. The new password should be generated and stored in Secret Manager without manual intervention. Which approach meets these requirements?

A. Configure a rotation period in Secret Manager, set a Pub/Sub topic, and implement a Cloud Function that listens for rotation messages to generate and add a new secret version.
B. Set up a Cloud Lifecycle rule to delete the old secret version and create a new one with the same value.
C. Use a Cloud KMS key to re-encrypt the secret each month.
D. Use gcloud secrets versions add with a scheduled Cloud Scheduler job that generates a new password and adds it as a new version.

Answer: A

Secret Manager can send Pub/Sub messages when rotation is due; a Cloud Function can generate the new password and add a version.

Why this answer

Secret Manager supports automatic rotation by configuring a rotation period and a Pub/Sub topic. A Cloud Function or other subscriber can listen for rotation notifications, generate a new secret version, and add it. This automates the rotation without manual steps.

26. Multi-Select (medium)

A company wants to use Cloud KMS to protect sensitive data. They have a requirement that the key material must be stored in a FIPS 140-2 Level 3 validated HSM. They also need to be able to create and use asymmetric keys for signing. Which TWO steps should they take? (Choose two.)

A. Set the protection level of the key to software.
B. Create a key ring in Cloud KMS.
C. Create a symmetric key with protection level HSM.
D. Enable key rotation on the key ring.
E. Create a key with purpose ASYMMETRIC_SIGN and protection level HSM.

Answers: B, E

Key rings are containers for keys; they must exist before creating keys.

Why this answer

Cloud HSM provides FIPS 140-2 Level 3 validated HSM for key material. Creating a key ring and setting the protection level to HSM ensures keys are generated in the HSM. Asymmetric signing keys can be created in Cloud HSM with purpose ASYMMETRIC_SIGN.

Setting protection level to software would not meet the HSM requirement. Using symmetric keys only would not support signing. Creating a key ring in Cloud KMS is a prerequisite, but protection level must be HSM.

27. Multi-Select (easy)

Which two statements correctly describe Cloud KMS key versions? (Choose two.)

A. Key versions are immutable once created.
B. Key versions can be rotated automatically without creating a new version.
C. The destruction of a key version is immediate upon request.
D. You can disable a key version to prevent its use.
E. Each key version can have a different purpose.

Answers: A, D

Key material cannot be changed; you create new versions for rotation.

Why this answer

Key versions in Cloud KMS are immutable and each has its own key material. You can enable or disable versions for rotation. A key has multiple versions; rotation creates new versions.

The state can be ENABLED, DISABLED, DESTROYED, etc. The grace period applies to destruction scheduling.

28. MCQ (easy)

What is the purpose of Cloud HSM?

A. To manage secrets such as API keys and passwords
B. To provide FIPS 140-2 Level 3 validated hardware security for key material
C. To automatically rotate encryption keys
D. To encrypt data at rest using Google-managed keys

Answer: B

Cloud HSM provides hardware-backed key storage with FIPS 140-2 Level 3 validation.

Why this answer

Cloud HSM is a managed hardware security module (HSM) service that provides FIPS 140-2 Level 3 validated security for cryptographic keys. It allows you to generate, store, and manage keys in a tamper-resistant hardware device.

29. Multi-Select (easy)

A company needs to detect and redact sensitive data such as email addresses and phone numbers from documents stored in Cloud Storage. They plan to use Cloud DLP. Which TWO resources must they create first? (Choose two.)

A. A DLP job trigger
B. A de-identification template with a redaction transform (e.g., MaskingConfig)
C. An inspection template with infoTypes EMAIL_ADDRESS and PHONE_NUMBER
D. A Cloud KMS key ring
E. A BigQuery dataset

Answers: B, C

The de-identification template specifies how to redact the detected data.

Why this answer

To use Cloud DLP for scanning and redacting, you need an inspection template that defines what to look for (infoTypes like EMAIL_ADDRESS, PHONE_NUMBER) and optionally a de-identification template for redaction. Then you create a DLP job that references both templates and targets the Cloud Storage bucket. A job trigger is for scheduled scans, not mandatory for a one-time job.

A key ring is not directly needed for DLP.

30. MCQ (hard)

A financial services company must encrypt data at rest in Cloud Storage using keys that are generated and stored on-premises, and Google must never have access to the key material. Which encryption approach should they use?

A. Cloud External Key Manager (EKM) with a key management partner
B. Customer-supplied encryption keys (CSEK)
C. Default Google-managed encryption (GMEK)
D. Customer-managed encryption keys (CMEK) using Cloud KMS

Answer: B

CSEK keys are provided per API call and never stored by Google.

Why this answer

CSEK (Customer-Supplied Encryption Keys) allows you to provide your own keys with each API call, and Google does not store them. This meets the requirement that Google never has access to key material.

31
MCQeasy

A security engineer needs to ensure that all customer data stored in Cloud Storage is encrypted using keys that they manage and rotate on a schedule they control. The keys must be stored in a FIPS 140-2 Level 3 validated HSM. Which encryption approach should they use?

A.Cloud External Key Manager (Cloud EKM)
B.Customer-Managed Encryption Keys (CMEK) with Cloud HSM
C.Customer-Supplied Encryption Keys (CSEK)
D.Google-managed encryption keys (GMEK)
AnswerB

CMEK with Cloud HSM allows the customer to manage keys stored in a FIPS 140-2 Level 3 validated HSM and control rotation.

Why this answer

Customer-Managed Encryption Keys (CMEK) combined with Cloud HSM allow customers to manage their own keys in a FIPS 140-2 Level 3 validated HSM. Google-managed keys do not give the customer control, and Customer-Supplied Encryption Keys (CSEK) require the customer to supply the key with each API call (Google does not store it), which is impractical for many use cases and does not use an HSM.

32
MCQhard

A security engineer notices that a Cloud KMS key was accidentally deleted. The key had a pending destruction period of 24 hours. What is the maximum time window to recover the key after the deletion request?

A.30 days
B.7 days
C.24 hours
D.Immediately after deletion it cannot be recovered
AnswerC

The default pending destruction grace period is 24 hours.

Why this answer

When a key version is destroyed, it enters a 24-hour pending destruction period. During this time, it can be restored. After 24 hours, destruction is permanent and irreversible.

33
MCQmedium

An organization wants to encrypt data at rest using customer-managed keys on Compute Engine persistent disks. They need to provide the key material with each API call, and Google should never store the key. Which encryption approach should they use?

A.Cloud HSM
B.Google-managed encryption keys (GMEK)
C.Customer-supplied encryption keys (CSEK)
D.Customer-managed encryption keys (CMEK)
AnswerC

CSEK requires the customer to supply the key with each API call and Google never stores it.

Why this answer

Customer-Supplied Encryption Keys (CSEK) allow the customer to provide their own encryption keys, which are used to encrypt data at rest. The keys are provided with each API call and are not stored by Google. CMEK uses Cloud KMS where Google stores the key material (encrypted by HSM).

GMEK is Google-managed. Cloud HSM is a service for managing keys but still stores them.

34
MCQmedium

A company wants to use Cloud KMS with a key that is protected by a Hardware Security Module (HSM) and meets FIPS 140-2 Level 3. Which key type should they create in Cloud KMS?

A.HSM key with any purpose
B.External key stored in Cloud HSM
C.Software key with ASYMMETRIC_SIGN purpose
D.Software key with ENCRYPT_DECRYPT purpose
AnswerA

HSM keys are backed by Cloud HSM and meet FIPS 140-2 Level 3.

Why this answer

Cloud KMS offers HSM keys that are generated and protected within a FIPS 140-2 Level 3 certified HSM. When a company requires FIPS 140-2 Level 3 compliance, the only key type that meets this requirement is an HSM key, regardless of its purpose (e.g., symmetric encryption, asymmetric signing). Software keys, regardless of purpose, only meet FIPS 140-2 Level 1.

Exam trap

Cisco often tests the misconception that any key stored in Cloud HSM (including imported external keys) meets FIPS 140-2 Level 3, but only Cloud KMS-generated HSM keys are certified at that level.

How to eliminate wrong answers

Option B is wrong because an 'external key stored in Cloud HSM' refers to a key that is imported from an external key management system and stored in Cloud HSM, but Cloud KMS does not support importing keys into Cloud HSM for FIPS 140-2 Level 3 protection; only Cloud KMS-generated HSM keys meet that level. Option C is wrong because a software key with ASYMMETRIC_SIGN purpose is a software-backed key that only meets FIPS 140-2 Level 1, not Level 3. Option D is wrong because a software key with ENCRYPT_DECRYPT purpose is also software-backed and only meets FIPS 140-2 Level 1, failing the Level 3 requirement.

35
MCQmedium

A company stores API keys in Secret Manager. They want to automatically rotate the secret every 60 days and have a Cloud Function triggered after each rotation to update dependent services. What is the correct approach?

A.Manually rotate the secret and set a Cloud Scheduler job to invoke the Cloud Function.
B.Use Cloud Scheduler to call the Secret Manager API to add a new version every 60 days, then trigger a Cloud Function via HTTP.
C.Set a rotation period on the secret and directly specify a Cloud Function as a webhook in Secret Manager.
D.Set a rotation period on the secret and configure a Pub/Sub topic for notifications. Create a Cloud Function subscribed to that topic.
AnswerD

This is the correct method: rotation triggers Pub/Sub, Cloud Function acts on it.

Why this answer

Secret Manager can set a rotation period and publish a Pub/Sub message upon rotation. A Cloud Function can subscribe to that topic and execute updates. Directly triggering from Secret Manager is not possible.

Cloud Scheduler is not needed.

36
MCQhard

A company uses Cloud HSM to protect their cryptographic keys. They need to ensure that the key material never leaves the HSM. Which key purpose is supported by Cloud HSM keys?

A.Only symmetric ENCRYPT_DECRYPT
B.Only MAC purpose
C.All key purposes (ENCRYPT_DECRYPT, ASYMMETRIC_SIGN, ASYMMETRIC_DECRYPT, MAC)
D.Only asymmetric purposes
AnswerC

Cloud HSM supports all key purposes, with key material protected inside the HSM.

Why this answer

Cloud HSM provides FIPS 140-2 Level 3 validated HSM for key material. HSM keys can have purposes ENCRYPT_DECRYPT, ASYMMETRIC_SIGN, ASYMMETRIC_DECRYPT, and MAC. The key material remains inside the HSM cluster and is never exposed to the customer.

Software keys (software-backed) are stored in Cloud KMS but not in HSM.

37
MCQhard

A financial institution must store data in specific EU regions to comply with GDPR. They want to prevent users from creating resources in other regions. Which organization policy should they set?

A.Use IAM roles to restrict Compute Engine instance creation
B.Create an Assured Workloads folder with EU data boundary
C.Configure Cloud KMS key ring location constraint
D.Set the `gcp.resourceLocations` constraint at the organization or folder level
AnswerD

This constraint defines the list of allowed resource locations, blocking creation outside those regions.

Why this answer

The `gcp.resourceLocations` organization policy constraint is the correct mechanism to restrict where resources can be created in Google Cloud. By setting this list constraint at the organization or folder level, you can specify allowed locations (e.g., EU regions), and any attempt to create a resource outside those regions will be denied. This directly enforces GDPR data residency requirements without relying on IAM roles or service-specific configurations.

Exam trap

Cisco often tests the distinction between IAM-based access control and organization policy constraints, leading candidates to mistakenly choose IAM roles (Option A) when the question is about restricting resource locations rather than user permissions.

How to eliminate wrong answers

Option A is wrong because IAM roles control who can perform actions, not where resources can be created; they cannot enforce geographic restrictions. Option B is wrong because Assured Workloads provides compliance controls for regulated workloads but does not itself restrict resource creation locations; it is a folder-level container with predefined controls, not a location constraint. Option C is wrong because Cloud KMS key ring location constraints only apply to key rings and crypto keys, not to all resource types; they cannot prevent users from creating Compute Engine instances or storage buckets in disallowed regions.

38
MCQhard

A financial services company uses BigQuery for analytics and needs to implement column-level security such that users with the role 'data_scientist' can see the last four digits of credit card numbers, while the full number is visible only to 'data_owner'. What approach should they use?

A.Use a policy tag with a data masking rule that masks the full number except last four digits, and grant UNMASKED access to data_owner and MASKED access to data_scientist.
B.Set an IAM condition on the table that filters the column based on the user's role.
C.Use row-level security to restrict rows based on role.
D.Create two separate BigQuery tables (one with masked data, one with full data) and grant access based on role.
AnswerA

This is the correct method for column-level masking.

Why this answer

Option A is correct because BigQuery's policy tags with data masking rules allow you to define column-level masking policies. By creating a masking rule that reveals only the last four digits of the credit card number, you can grant the `data_scientist` role MASKED access (which applies the mask) and the `data_owner` role UNMASKED access (which bypasses the mask). This approach enforces column-level security without duplicating data or using row-level filters.

Exam trap

Cisco often tests the distinction between column-level security (policy tags with masking) and row-level security (row filters), and the trap here is confusing row-level security (which filters rows) with column-level masking (which obfuscates column values).

How to eliminate wrong answers

Option B is wrong because IAM conditions operate at the resource level (e.g., table or dataset) and cannot filter or mask individual columns within a table; they are used for access control based on attributes like time or IP, not for column-level data transformation. Option C is wrong because row-level security restricts which rows a user can see based on a filter condition, but it does not mask or partially reveal column values; it is designed for row-level access, not column-level data obfuscation. Option D is wrong because creating two separate tables violates data normalization and introduces data duplication, synchronization overhead, and increased management complexity; BigQuery's policy tags provide a native, scalable solution without these drawbacks.

39
MCQeasy

A security engineer needs to automatically rotate a database password stored in Secret Manager every 60 days. Which approach meets this requirement with minimal operational overhead?

A.Set the secret's `next_rotation_time` to 60 days from now; no further action needed
B.Enable automatic rotation with a 60-day period in Cloud KMS, which will automatically update the secret
C.Use a cron job on Compute Engine to update the secret every 60 days
D.Set the rotation period in Secret Manager to 60 days and configure a Pub/Sub topic to trigger a Cloud Function that generates a new password
AnswerD

This automates rotation with low overhead.

Why this answer

Secret Manager supports automatic rotation with a specified rotation period and Pub/Sub notifications. A Cloud Function can listen for the notification and generate a new password, updating the secret version.

40
MCQmedium

A company uses Customer-Supplied Encryption Keys (CSEK) for Compute Engine persistent disks. They want to ensure that Google does not store the key material. What must they do?

A.Use the gcloud compute disks create command with the --csek-key-file flag to supply the key, and do not store the key in Cloud KMS.
B.Enable Cloud HSM to protect the key.
C.Set an organization policy to prevent Google from storing keys.
D.Create a Cloud KMS key and use it as a CSEK.
AnswerA

CSEK keys are supplied per API call and not stored by Google.

Why this answer

Option A is correct because Customer-Supplied Encryption Keys (CSEK) allow you to provide your own raw AES-256 key material when creating a persistent disk. By using the `gcloud compute disks create` command with the `--csek-key-file` flag, you supply the key directly to the API, and Google uses it only in memory to encrypt the disk; it does not persist the key material on Google's infrastructure. The key file is stored locally by the customer, ensuring Google never retains the key.

Exam trap

The trap here is that candidates often confuse CSEK with CMEK (Customer-Managed Encryption Keys) and assume Cloud KMS or Cloud HSM can be used to satisfy the 'no storage' requirement, but those services inherently store key material within Google's control.

How to eliminate wrong answers

Option B is wrong because Cloud HSM is a managed hardware security module service that stores keys within Google's infrastructure, which contradicts the requirement that Google must not store the key material. Option C is wrong because there is no organization policy that can prevent Google from storing keys; CSEK is designed to avoid storage by design, not through policy enforcement. Option D is wrong because creating a Cloud KMS key and using it as a CSEK would mean the key is managed and stored by Google in Cloud KMS, which violates the requirement that Google does not store the key material.

41
MCQeasy

An organization wants to use a FIPS 140-2 Level 3 validated hardware security module (HSM) to protect encryption keys in Cloud KMS. Which key protection level should they choose when creating a key ring?

A.software
B.cloud
C.external
D.hsm
AnswerD

HSM keys use Cloud HSM which is FIPS 140-2 Level 3 validated.

Why this answer

Cloud KMS offers two protection levels: software and HSM. HSM protection level uses Cloud HSM, which is FIPS 140-2 Level 3 validated. Software keys are validated to Level 1.

42
MCQmedium

A company needs to store sensitive API keys in Secret Manager and ensure that only a specific service account can access the latest version of a secret. Which IAM permission is required for the service account to read the secret value?

A.secretmanager.secrets.get
B.secretmanager.versions.access
C.secretmanager.secrets.create
D.secretmanager.versions.list
AnswerB

This permission allows accessing the secret payload of a version.

Why this answer

To access a secret version's payload (the actual secret value), the permission 'secretmanager.versions.access' is required. The role 'roles/secretmanager.secretAccessor' includes this permission. The other permissions are for listing or managing metadata.

43
Multi-Selecthard

A company wants to implement automatic de-identification of sensitive data stored in Cloud Storage using Cloud DLP. They need to scan new objects as they are uploaded and apply a transformation to remove credit card numbers. Which three resources must they create? (Choose THREE.)

Select 3 answers
A.Cloud DLP inspection template
B.Cloud DLP job that uses the trigger and template
C.Cloud DLP job trigger
D.Cloud Function to process objects
E.Cloud DLP de-identification template
AnswersB, C, E

The job ties together the trigger and template.

Why this answer

Option B is correct because a Cloud DLP job is required to orchestrate the scanning and transformation of data. It must reference both a job trigger (to start the job when new objects are uploaded) and an inspection template (to define what to look for, such as credit card numbers). Without the job, the trigger and templates cannot execute the de-identification workflow.

Exam trap

Cisco often tests the misconception that a de-identification template is required for any transformation, but in this case the removal of credit card numbers can be specified directly in the job's `inspectConfig` or via a transformation configuration, making the de-identification template optional and not one of the three required resources.

44
MCQmedium

A healthcare company stores patient data in BigQuery and needs to mask sensitive columns like SSN and email for analysts who do not need to see the actual values. They want to apply consistent masking across queries without modifying the underlying data. Which feature should they use?

A.IAM conditions on tables
B.BigQuery Data Policy with data masking rules
C.Authorized views with row-level security
D.Cloud DLP de-identification transforms on export
AnswerB

Data masking rules in BigQuery Data Policy allow column-level masking without changing the underlying data.

Why this answer

BigQuery Data Policy with data masking rules allows you to define column-level masking policies that automatically redact sensitive data (e.g., SSN, email) in query results based on the user's role, without altering the underlying table. This meets the requirement for consistent masking across all queries without modifying the source data.

Exam trap

Cisco often tests the distinction between row-level security (which filters rows) and column-level masking (which obfuscates column values), leading candidates to mistakenly choose authorized views when the requirement is to mask sensitive columns, not restrict rows.

How to eliminate wrong answers

Option A is wrong because IAM conditions control access at the resource level (e.g., table or dataset) based on attributes like time or IP, but they cannot mask specific column values within a table. Option C is wrong because authorized views with row-level security filter rows based on user identity, but they do not mask or redact individual column values; they restrict which rows are visible, not the content of sensitive columns. Option D is wrong because Cloud DLP de-identification transforms on export apply masking only when data is exported to another location, not during live queries in BigQuery, and they modify the exported data rather than masking in place.

45
Multi-Selectmedium

A company is subject to ITAR regulations and needs to ensure that all data stored in GCP remains within the United States. They also require FIPS 140-2 Level 3 validation for encryption keys. Which two services should they use together to meet these requirements? (Choose 2)

Select 2 answers
A.Cloud KMS with software keys
B.Cloud HSM
C.Cloud DLP
D.Assured Workloads
E.Secret Manager
AnswersB, D

Why this answer

Assured Workloads provides compliance controls for ITAR (among others) and can enforce data residency within the US. Cloud HSM provides FIPS 140-2 Level 3 validated HSM for encryption keys. Together they satisfy both requirements.

46
MCQmedium

A healthcare organization must ensure that Protected Health Information (PHI) stored in Cloud Storage buckets is not inadvertently shared. They want to automatically scan all new objects added to the bucket for sensitive data and log findings. Which approach should they use?

A.Use Data Loss Prevention (DLP) API to manually scan the bucket each time a new object is added.
B.Use Access Transparency logs to monitor all access to the bucket.
C.Use Cloud Audit Logs and create a log-based metric to detect sensitive data.
D.Use Cloud DLP inspection job triggers with a schedule to scan the bucket periodically.
AnswerD

DLP job triggers can be set to scan Cloud Storage objects on a schedule or event-driven via Pub/Sub, allowing automatic scanning of new objects.

Why this answer

Cloud DLP job triggers can be configured to scan Cloud Storage buckets on a schedule or event-driven (e.g., via Cloud Storage Pub/Sub notifications). The trigger will inspect objects for sensitive data and log results. This meets the requirement for automatic scanning.

47
MCQmedium

A security engineer wants to encrypt data at rest in Cloud Storage using a key that Google manages but the customer can control the key material. They need to rotate the key automatically every 90 days. Which encryption option should they choose?

A.Google default encryption (GMEK)
B.Customer-Supplied Encryption Keys (CSEK)
C.Customer-Managed Encryption Keys (CMEK) via Cloud KMS
D.Cloud HSM
AnswerC

CMEK lets you control key material in Cloud KMS and set automatic rotation (e.g., every 90 days).

Why this answer

Customer-Managed Encryption Keys (CMEK) using Cloud KMS allow customers to manage their own key material and configure automatic rotation (minimum 24h, but typically set to 90 days). GMEK is Google-managed (no customer control), CSEK requires the customer to supply the key with each API call (Google never stores it), and Cloud HSM is a key management service but still uses CMEK integration for rotation.

48
Multi-Selectmedium

A company needs to meet the EU data boundary requirements for Assured Workloads, ensuring that data processing and storage remain within the European Union. Which TWO configurations are required? (Choose two.)

Select 2 answers
A.Enable Cloud Logging with log sinks in the US.
B.Create an Assured Workloads folder with a location of 'eu'.
C.Enable Access Approval for all projects.
D.Use a CMEK key from a key ring in a non-EU region.
E.Set the organization policy constraint 'gcp.resourceLocations' to allow only EU regions.
AnswersB, E

The Assured Workloads folder must be created in the EU location.

Why this answer

Assured Workloads provides a folder with specific compliance controls. The organization policy constraint gcp.resourceLocations restricts resource creation to allowed regions. The folder itself is created in a specific location (e.g., eu) to enforce the boundary.

49
MCQeasy

A data engineer wants to classify columns in BigQuery containing sensitive data like email addresses and apply data masking so that users see only masked values (e.g., 'j***@example.com'). Which feature should they use?

A.BigQuery column-level security with policy tags and data masking rules
B.Cloud DLP inspection jobs
C.Cloud IAM roles for BigQuery
D.View with SQL masking
AnswerA

Policy tags classify data, and data masking rules (e.g., EmailMask) apply masking automatically.

Why this answer

BigQuery column-level security with policy tags allows classification, and BigQuery Data Policy with data masking rules (like email masking) applies dynamic masking at query time.

50
Multi-Selectmedium

A company wants to automatically rotate secrets stored in Secret Manager every 30 days. They have set up a Pub/Sub topic and a Cloud Function to perform the rotation. Which TWO actions are required to complete the configuration? (Choose two.)

Select 2 answers
A.Grant the Cloud Functions service account the secretmanager.secretVersionManager role on the secret.
B.Set the rotation period on the secret to 30 days.
C.Create a Cloud Scheduler job to call the Secret Manager API every 30 days.
D.Enable automatic rotation in the Cloud Console by toggling the 'Enable rotation' switch.
E.Configure a Pub/Sub topic on the secret to receive notifications when rotation is triggered.
AnswersB, E

The rotation period tells Secret Manager how often to trigger rotation.

Why this answer

To enable automatic rotation, you need to configure a rotation period and a Pub/Sub topic. The rotation period defines how often the secret is rotated, and the Pub/Sub topic is used to notify the Cloud Function when rotation is due.

51
MCQmedium

An organization needs to audit when Google administrators access their customer content stored in GCP. Which service provides near-real-time logs of such access?

A.VPC Flow Logs
B.Cloud Monitoring
C.Cloud Audit Logs
D.Access Transparency
AnswerD

Access Transparency logs Google administrator access to customer data.

Why this answer

Access Transparency provides near-real-time logs when Google staff access customer content, offering visibility into administrative actions.

52
MCQeasy

A data engineer needs to scan a Cloud Storage bucket for personally identifiable information (PII) such as credit card numbers and social security numbers. The scanning must be performed on a schedule (every week). Which GCP service and resource should they use?

A.Cloud Security Command Center (SCC)
B.Cloud Asset Inventory
C.Cloud Audit Logs
D.Cloud Data Loss Prevention (DLP) with a DLP job trigger
AnswerD

DLP job triggers can run scheduled inspection scans on Cloud Storage.

Why this answer

Cloud DLP can inspect data for sensitive info types. DLP job triggers allow scheduling recurring scans of Cloud Storage, BigQuery, or Datastore. The trigger runs the inspection job based on a schedule.

53
MCQmedium

An organization needs to enforce that all new Cloud Storage buckets are created only in the europe-west1 region to meet data residency requirements. Which method should they use?

A.Assign the roles/storage.admin IAM role with a condition that restricts region.
B.Use Assured Workloads to enforce data residency.
C.Define a bucket policy that allows only europe-west1.
D.Configure an organization policy with the constraint gcp.resourceLocations to allow only europe-west1.
AnswerD

This constraint restricts where resources can be created.

Why this answer

Organization policies with the `gcp.resourceLocations` constraint allow you to restrict the physical location of resources at the organization, folder, or project level. This is the correct method because it enforces that all new Cloud Storage buckets (and other supported resources) can only be created in the specified region, meeting data residency requirements without relying on IAM conditions or bucket-level policies.

Exam trap

Cisco often tests the distinction between IAM conditions (which control who can act) and organization policies (which control what can be done), leading candidates to choose IAM conditions when the question asks for a blanket enforcement across all users.

How to eliminate wrong answers

Option A is wrong because the `roles/storage.admin` IAM role with a condition can restrict which regions a user can create buckets in, but it does not enforce the restriction on all principals; a user with a different role (e.g., `roles/owner`) could still create buckets outside europe-west1. Option B is wrong because Assured Workloads is designed for compliance with regulatory controls like CMEK or CSEK, not for simple region-based data residency enforcement; it is overkill and does not directly restrict bucket creation regions. Option C is wrong because bucket policies (Uniform Bucket-Level Access) control access to existing buckets, not the creation of new buckets; they cannot prevent a user from creating a bucket in a different region.

54
MCQeasy

Which Google Cloud service provides near-real-time logs when Google administrators access your customer content?

A.Access Transparency
B.Access Approval
C.Cloud DLP
D.Cloud Audit Logs
AnswerA

Access Transparency logs Google admin access to customer content in near-real-time.

Why this answer

Access Transparency logs provide detailed information about actions taken by Google staff when accessing customer data. Access Approval is a separate feature that requires approval before access. Audit Logs is a broader category.

Cloud DLP is for data loss prevention.

55
MCQhard

A company uses CMEK with Cloud HSM to encrypt a BigQuery table. The security engineer accidentally deleted the key in Cloud KMS. The key is now in a 'pending destruction' state with a grace period of 24 hours. Which action should the engineer take to restore the key and avoid data loss?

A.Recreate the key with the same name and version
B.Wait for the grace period to expire and then use a backup key
C.Use Access Transparency logs to recover the key material
D.Restore the key by canceling the destruction within the grace period
AnswerD

During the pending destruction state, the key can be restored by cancelling the destruction via Cloud KMS.

Why this answer

When a key is destroyed, it enters a pending destruction state for a default 24-hour grace period. During this period, the key can be restored by cancelling the destruction. After the grace period, the key is permanently destroyed and data encrypted with it becomes inaccessible.

The restore operation is available in Cloud KMS.

56
Multi-Selecthard

A company uses Cloud DLP to inspect BigQuery tables for sensitive data. They want to automatically de-identify the data before loading it into another BigQuery dataset for analysis. Which THREE components must be configured? (Choose three.)

Select 3 answers
A.A Cloud KMS key for encryption of the output
B.A DLP job trigger
C.A de-identification template
D.A BigQuery authorized view
E.An inspection template
AnswersB, C, E

A job trigger is required to schedule the de-identification job.

Why this answer

To automatically de-identify data from BigQuery, a DLP job must be configured with a de-identification template. The inspection template identifies sensitive info types. The job can write results to a new BigQuery table.

A job trigger schedules the job.

57
MCQeasy

What is the purpose of the Cloud DLP InfoType detector CREDIT_CARD_NUMBER?

A.It encrypts credit card numbers automatically.
B.It detects credit card numbers in data during inspection.
C.It redacts credit card numbers from images.
D.It de-identifies credit card numbers using masking.
AnswerB

InfoType detectors are used to find sensitive data.

Why this answer

Cloud DLP InfoType detectors are used to identify specific types of sensitive data. CREDIT_CARD_NUMBER is a built-in detector that finds credit card numbers in text or files.

58
MCQmedium

A company uses Cloud KMS with automatic rotation enabled for a symmetric key. The rotation period is set to 90 days. After 90 days, a new key version is created. The compliance team asks: what happens to data encrypted with the old key version?

A.The old key version remains available for decryption of existing data.
B.The old key version is immediately disabled, and all data must be re-encrypted.
C.Data encrypted with the old key is automatically re-encrypted with the new key.
D.The old key version is deleted after the rotation period.
AnswerA

Old key versions are retained and can decrypt data encrypted with them.

Why this answer

When a key is rotated, a new version is created. Data encrypted with the old version can still be decrypted because the old version remains available for decryption. The key material is not destroyed unless manually deleted.

Automatic rotation does not re-encrypt existing data.

59
Multi-Selectmedium

A company is deploying a multi-region application that must store data only within the European Union to comply with GDPR data residency requirements. They also need to ensure that Google Cloud administrators cannot access customer content. Which two controls should they implement? (Choose TWO).

Select 2 answers
A.Use VPC Service Controls.
B.Apply the organization policy constraint gcp.resourceLocations with the allowed regions set to europe-west1, europe-west2, etc.
C.Enable Access Transparency.
D.Configure Cloud DLP inspection jobs to scan for GDPR-sensitive data.
E.Enable Assured Workloads with EU regions boundary.
AnswersB, C

This policy ensures resources are only created in specified EU regions.

Why this answer

To enforce data residency, the organization policy constraint gcp.resourceLocations restricts resource creation to specific regions. For EU data residency, they would list EU regions. Access Transparency provides logs of Google admin access to customer content, allowing the customer to monitor and audit such access.

Assured Workloads is for compliance frameworks like FedRAMP, not specifically for data residency. Cloud DLP is for data loss prevention, not residency. VPC Service Controls is for data exfiltration prevention, not residency.

60
MCQeasy

Which Cloud KMS key purpose should be used to encrypt and decrypt data directly?

A.ASYMMETRIC_DECRYPT
B.ASYMMETRIC_SIGN
C.ENCRYPT_DECRYPT
D.MAC
AnswerC

This purpose enables symmetric encryption and decryption operations.

Why this answer

The ENCRYPT_DECRYPT purpose is for symmetric encryption/decryption. ASYMMETRIC_SIGN is for digital signing, ASYMMETRIC_DECRYPT is for asymmetric decryption (e.g., using RSA), and MAC is for message authentication codes.

61
MCQ · medium

An organization needs to comply with ITAR regulations. They want to ensure that all data processed by their GCP resources remains within the United States. Which service should they use?

A. VPC Service Controls
B. Assured Workloads
C. Cloud DLP
D. Organization policy constraint gcp.resourceLocations
Answer: B

Assured Workloads provides compliance controls for ITAR, FedRAMP High, etc., including data residency and access restrictions.

Why this answer

Assured Workloads provides regulatory compliance controls, including support for ITAR. It helps enforce data residency and access controls required for ITAR workloads.

62
MCQ · easy

A security engineer needs to ensure that all data stored in Cloud Storage buckets and BigQuery tables is encrypted at rest using keys that the organization generates and manages on-premises. The keys must not be stored by Google. Which key management approach should they use?

A. Cloud HSM with Customer-Managed Keys
B. Customer-Managed Encryption Keys (CMEK) via Cloud KMS
C. Google default encryption (GMEK)
D. Customer-Supplied Encryption Keys (CSEK)
Answer: D

CSEK allows customers to supply their own keys per API call; Google does not store them.

Why this answer

Customer-Supplied Encryption Keys (CSEK) allow customers to provide their own encryption keys with each API call. Google never stores these keys, ensuring the customer retains full control. GMEK and CMEK involve Google storing the keys, and Cloud HSM is a managed service that stores keys, so none meet the 'not stored by Google' requirement.

63
Multi-Select · hard

A security engineer needs to enforce column-level masking on a BigQuery table such that: (1) users with role 'data_analyst' see masked values, (2) users with role 'data_scientist' see plaintext values, and (3) the masking is applied automatically without modifying the underlying table. Which three components must they configure? (Choose 3)

Select 3 answers
A. IAM roles (e.g., roles/bigquery.maskedReader)
B. BigQuery Data Policy with masking rule
C. Cloud KMS key for column encryption
D. Data Catalog taxonomy with policy tags
E. Cloud DLP de-identification job
Answers: A, B, D

Why this answer

BigQuery column-level security uses: a Data Catalog taxonomy to define policy tags, a BigQuery Data Policy that specifies masking rules (e.g., hash, nullify) associated with the policy tag, and IAM roles (e.g., BigQuery Masked Reader) to grant access to masked data. The taxonomy contains the policy tags, the data policy defines the masking rule, and IAM controls who sees masked vs. plaintext.

64
MCQ · easy

What is the default grace period before Cloud KMS permanently destroys a key version that has been scheduled for destruction?

A. 24 hours
B. 7 days
C. Immediate destruction with no grace period
D. 30 days
Answer: A

The default pending destruction period is 24 hours.

Why this answer

When a key version is disabled and scheduled for destruction, there is a 24-hour pending destruction grace period by default. During this time, the key version can be restored. After 24 hours, the key version is permanently destroyed.

65
MCQ · medium

A company wants to enforce that all Compute Engine disk encryption uses keys managed by their own HSM on-premises, with keys provided per API call. Which encryption type should they choose when creating a persistent disk?

A. Google-managed encryption (GMEK)
B. Cloud HSM-backed keys
C. Customer-supplied encryption (CSEK)
D. Customer-managed encryption (CMEK) with Cloud KMS
Answer: C

Keys are provided per API call; Google does not store them.

Why this answer

CSEK (Customer-Supplied Encryption Keys) allows you to provide your own key with each API call, and Google never stores the key. This is appropriate for on-premises HSM integration.

66
MCQ · medium

A company is using Cloud DLP to inspect a BigQuery table containing customer PII. They want to redact all credit card numbers found in a column by replacing them with a token that preserves the format (e.g., last 4 digits visible). Which de-identification transform should they use?

A. MaskingConfig with a masking character
B. DateShiftConfig
C. BucketingConfig
D. CryptoReplaceFfxFpeConfig
Answer: D

FPE preserves the format and can keep last 4 digits visible.

Why this answer

CryptoReplaceFfxFpeConfig performs format-preserving encryption (FPE), which can replace a value with a token that retains the format, such as last 4 digits visible.

67
MCQ · hard

A security engineer wants to enable Access Transparency for their organization. After enabling it in the Admin Console, they notice that some access logs are missing. What is the most likely reason?

A. Access Transparency only logs access by Google personnel, not by third-party vendors.
B. Access Transparency must be enabled for each individual project, not just the organization.
C. The service being accessed does not support Access Transparency.
D. The IAM policy for the organization does not grant the required permissions.
Answer: C

Access Transparency is supported only by certain services; unsupported services will not produce logs.

Why this answer

Access Transparency logs are only generated for services that support Access Transparency and have the feature enabled. At the time of writing, not all GCP services support Access Transparency. If the missing logs are for unsupported services, they will not appear.

68
Multi-Select · hard

A company must comply with regulatory requirements that restrict data access by Google Cloud support and engineering staff. They need to log all Google admin access to their data and also require explicit approval before access is granted. Which TWO features should they combine? (Choose two.)

Select 2 answers
A. Access Approval
B. Data Loss Prevention
C. VPC Service Controls
D. Access Transparency
E. Audit Logs
Answers: A, D

Allows customers to approve or deny Google support access requests.

Why this answer

Access Transparency provides logs of Google admin access to customer content. Access Approval allows customers to approve or deny Google support access requests. Together, they satisfy the requirement for logging and approval.

The other options: Audit Logs record customer project actions, not Google admin access. Data Loss Prevention is for data inspection. VPC Service Controls are for network perimeters.

69
MCQ · medium

A data scientist needs to access a secret stored in Secret Manager from a Compute Engine VM. The VM has the default service account attached. Which IAM role should be granted to the service account to allow reading the secret?

A. roles/secretmanager.admin
B. roles/secretmanager.secretAccessor
C. roles/iam.serviceAccountUser
D. roles/secretmanager.viewer
Answer: B

This role grants permission to access secret versions.

Why this answer

The correct role is roles/secretmanager.secretAccessor because it grants the specific permission secretmanager.versions.access required to read the secret payload from Secret Manager. The default Compute Engine service account needs only this minimal permission to retrieve the secret value, following the principle of least privilege.

Exam trap

Cisco often tests the distinction between viewing metadata (roles/secretmanager.viewer) and accessing the actual secret value (roles/secretmanager.secretAccessor), causing candidates to mistakenly choose the viewer role for read access.

How to eliminate wrong answers

Option A is wrong because roles/secretmanager.admin grants full administrative control over secrets, including creating, updating, and deleting them, which is excessive and violates least privilege for a read-only access need. Option C is wrong because roles/iam.serviceAccountUser allows impersonating service accounts (e.g., to run instances or use gcloud with the service account), but does not grant any permissions to read Secret Manager secrets. Option D is wrong because roles/secretmanager.viewer only allows listing and viewing secret metadata (such as names and labels), not accessing the actual secret payload (the secret data).

70
Multi-Select · medium

A company must store API keys and database credentials securely in Google Cloud. They need automatic rotation of these secrets every 30 days, with notifications sent to a security team after each rotation. Which services should they use? (Choose TWO).

Select 2 answers
A. Cloud Scheduler
B. Secret Manager
C. Compute Engine
D. Cloud Functions
E. Cloud KMS
Answers: B, D

Secret Manager is the correct service for storing API keys and credentials with built-in automatic rotation and Pub/Sub notifications.

Why this answer

Secret Manager provides a native API for storing secrets and supports automatic rotation via a rotation period and Pub/Sub notifications. Cloud Functions can be triggered by the Pub/Sub message to perform any additional actions (e.g., updating applications). Cloud KMS manages encryption keys, not secrets.

Cloud Scheduler can trigger manual rotation but is not required with automatic rotation. Compute Engine is not a service for secrets management.

71
MCQ · hard

A security engineer accidentally deleted a Cloud KMS key version. The key version is in the state DESTROY_SCHEDULED. How long does the engineer have to cancel the destruction before the key material is permanently destroyed?

A. 30 days
B. 24 hours
C. Immediate destruction, no grace period
D. 7 days
Answer: B

The default pending destruction period is 24 hours.

Why this answer

When a key version is scheduled for destruction, it enters a pending destruction grace period. The default grace period is 24 hours, during which the destruction can be canceled. After that, the key material is destroyed and unrecoverable.

72
Multi-Select · hard

A company uses Cloud DLP to inspect data in Cloud Storage and BigQuery for sensitive information such as credit card numbers and social security numbers. They want to de-identify the data using format-preserving encryption (FPE) so that the masked data retains the same format (e.g., a 16-digit number still looks like a credit card number). Which two configurations should they use? (Choose TWO).

Select 2 answers
A. A de-identification template with BucketingConfig
B. A cryptographic key in Cloud KMS to be used with the FPE transform
C. A de-identification template with DateShiftConfig
D. A de-identification template with MaskingConfig
E. A de-identification template with CryptoReplaceFfxFpeConfig
Answers: B, E

CryptoReplaceFfxFpeConfig requires a wrapping key in Cloud KMS to encrypt the FPE key.

Why this answer

CryptoReplaceFfxFpeConfig performs format-preserving encryption (FPE) based on the FFX mode. It can preserve the format of credit card numbers. The transform must be configured with a cryptographic key from Cloud KMS to ensure the encryption is secure.

BucketingConfig replaces values with a bucket label, not FPE. MaskingConfig replaces characters with a mask character. DateShiftConfig shifts dates by a random number of days.

73
MCQ · hard

An organization needs to store API keys and database credentials in a secure, centralized service that supports automatic rotation and integrates with Cloud Functions. The solution must provide fine-grained access control at the secret version level. Which service should they use?

A. Cloud Key Management Service (Cloud KMS)
B. Cloud Storage with customer-managed encryption keys
C. Secret Manager
D. Cloud HSM
Answer: C

Secret Manager meets all requirements: secure storage, versioning, automatic rotation, and fine-grained IAM at the version level.

Why this answer

Secret Manager is designed for storing secrets such as API keys and database credentials. It supports versioning, IAM roles with fine-grained access (e.g., secretmanager.versions.access), and automatic rotation via Pub/Sub notifications triggering Cloud Functions.

74
MCQ · easy

An organization needs to store API keys and database credentials in a central, auditable service with versioning and IAM access control. Which GCP service should they use?

A. Cloud HSM
B. Secret Manager
C. Cloud DLP
D. Cloud KMS
Answer: B

Secret Manager is the correct service for storing and managing secrets with versioning and IAM.

Why this answer

Secret Manager is purpose-built for storing secrets like API keys, certificates, and database passwords. It provides versioning, IAM policies (e.g., secretmanager.versions.access), and automatic rotation with Pub/Sub notifications.

75
MCQ · hard

A security administrator wants to receive near-real-time logs whenever a Google Cloud support engineer accesses their customer content. Which GCP service provides this capability?

A. Access Transparency
B. Cloud Audit Logs (Admin Activity)
C. Cloud Security Command Center
D. Cloud Audit Logs (Data Access)
Answer: A

Access Transparency provides logs of Google admin access to customer content.

Why this answer

Access Transparency provides near-real-time logs of actions taken by Google personnel when accessing customer content. It is part of the Assured Workloads offering and can be enabled for supported services.
