CCNA Pcse Data Protection Questions

25 of 100 questions · Page 2/2 · Pcse Data Protection topic · Answers revealed

76 · MCQ · medium

An organization wants to ensure that all new resources created in Google Cloud are restricted to a specific set of regions to meet data residency requirements. Which policy should they use?

A. Configure the `gcp.resourceLocations` organization policy constraint
B. Define a service perimeter using VPC Service Controls
C. Use IAM conditions to deny access outside approved regions
D. Enable Data Residency in Cloud Console settings
Answer: A

This policy directly restricts the regions where resources can be created.

Why this answer

The org policy constraint `gcp.resourceLocations` restricts resource creation to the specified locations. This is the correct method to enforce data residency for resources globally.

77 · MCQ · medium

A company uses Cloud KMS to manage encryption keys for data at rest. They want to automatically rotate a symmetric key every 90 days. The key is used to encrypt Cloud Storage objects and BigQuery tables. What is the correct approach to achieve automatic rotation?

A. Use a Cloud Function to rotate the key every 90 days via the Cloud KMS API.
B. Set the rotation period on the key to 90 days and ensure the key purpose is ENCRYPT_DECRYPT.
C. Create a Cloud Scheduler job to manually rotate the key every 90 days.
D. Set the rotation period on the key ring to 90 days.
Answer: B

Setting the rotation period on the key itself enables automatic rotation; ENCRYPT_DECRYPT is the purpose required for symmetric encryption.

Why this answer

In Cloud KMS, you can set a rotation period on a key. Automatic rotation creates a new key version at the specified interval. The key must have purpose ENCRYPT_DECRYPT for symmetric encryption.

Manual rotation is not automatic, and setting a rotation period on key rings is not possible.

78 · MCQ · medium

An organization needs to de-identify a BigQuery column containing US Social Security Numbers (SSNs) by replacing them with a consistent token that can be reversed if needed. Which Cloud DLP de-identification transform should they use?

A. BucketingConfig
B. MaskingConfig
C. CryptoReplaceFfxFpeConfig
D. DateShiftConfig
Answer: C

This transform uses FPE to create reversible, format-preserving tokens (e.g., SSN-like tokens).

Why this answer

CryptoReplaceFfxFpeConfig uses Format-Preserving Encryption (FPE) to replace sensitive data with a token that preserves the original format (e.g., 9 digits) and is reversible with the same key. BucketingConfig replaces with a range, MaskingConfig masks characters, and DateShiftConfig shifts dates.

79 · MCQ · medium

An engineer needs to configure automatic key rotation for a symmetric encryption key in Cloud KMS. They have set the rotation period to 90 days. What happens to the old key material after rotation?

A. The old key version is disabled and can be re-enabled if needed.
B. The old key material is immediately deleted.
C. The old key version remains enabled and can still be used for decryption.
D. The old key material is moved to a pending destruction state for 24 hours.
Answer: C

Old key versions remain enabled and can be used to decrypt data encrypted with them.

Why this answer

When a key is rotated, a new key version is created and becomes the primary. The old version is retained and remains available for decrypting data encrypted with it. Key material is not automatically deleted; it can be disabled or scheduled for destruction separately.

80 · Multi-Select · medium

A security team needs to monitor and log all Google Cloud administrator access to customer data stored in Cloud Storage and BigQuery. They want to receive near-real-time alerts when such access occurs. Which two services should they use together? (Choose TWO).

Select 2 answers
A. Access Transparency
B. Cloud DLP
C. Cloud KMS
D. Cloud Audit Logs
E. Cloud Functions
Answers: A, D

Access Transparency logs provide details of Google admin access to customer content.

Why this answer

Access Transparency provides logs of Google admin access to customer content. These logs are delivered to the customer's Cloud project. Cloud Audit Logs can be used to route Access Transparency logs to Pub/Sub, and then Cloud Functions can process them for alerts.

Cloud Monitoring can create alerting policies based on log metrics. Cloud DLP is for data inspection, not for logging access. Cloud KMS is for key management.

81 · Multi-Select · hard

A security engineer is designing a data residency strategy for a healthcare organization that must keep all data within the European Union. They plan to use Assured Workloads to meet this requirement. Which THREE additional controls should they implement to further enforce data residency and protect data? (Choose three.)

Select 3 answers
A. Organization policy constraint gcp.resourceLocations set to allow only European regions.
B. VPC Service Controls to prevent data exfiltration to non-approved regions.
C. Cloud HSM to store encryption keys.
D. Cloud DLP to scan for sensitive data.
E. Access Transparency logs to monitor Google personnel access to data.
Answers: A, B, E

This restricts resource creation to specified European regions.

Why this answer

To enforce data residency, you can use Organization Policy constraints to restrict resource locations, VPC Service Controls to prevent data exfiltration, and Access Transparency to monitor Google personnel access. Cloud HSM is about key storage, not residency; Data Loss Prevention is about data classification, not residency.

82 · Multi-Select · medium

A security engineer needs to implement de-identification of sensitive data in a Cloud Storage bucket using Cloud DLP. They want to inspect the data for credit card numbers and then replace them with a tokenized value that preserves the format for downstream processing. Which TWO actions should they take? (Choose two.)

Select 2 answers
A. Use the DateShiftConfig de-identification transform
B. Configure an inspection job with the built-in CREDIT_CARD_NUMBER infoType
C. Use the CryptoReplaceFfxFpeConfig de-identification transform
D. Create a custom infoType for credit card numbers
E. Use the BucketingConfig de-identification transform
Answers: B, C

Inspection identifies the sensitive data. The built-in infoType is sufficient.

Why this answer

To de-identify credit card numbers while preserving format, the engineer should first run a DLP inspection job to identify the sensitive data, then apply a de-identification transform using CryptoReplaceFfxFpeConfig, which replaces the data with a token that preserves the format. The other options: BucketingConfig groups values, DateShiftConfig shifts dates, and a custom infoType is not necessary if the built-in CREDIT_CARD_NUMBER infoType works.

83 · MCQ · medium

A security engineer needs to store database credentials and API keys securely in GCP. The solution must support automatic rotation of secrets at a defined schedule and trigger a Cloud Function after each rotation to update dependent applications. Which service should they use?

A. Secret Manager
B. Cloud KMS
C. Cloud DLP
D. Cloud Storage
Answer: A

Secret Manager stores secrets and supports automatic rotation with Pub/Sub notifications that can trigger Cloud Functions.

Why this answer

Secret Manager supports versioning, IAM access, and automatic rotation with Pub/Sub notifications. Cloud Functions can subscribe to the Pub/Sub topic to perform post-rotation tasks. Cloud KMS manages keys, not secrets.

Cloud DLP is for data loss prevention. Cloud Storage is not designed for secret management with rotation.

84 · MCQ · hard

A company uses Cloud DLP to inspect BigQuery tables for sensitive data. They want to automatically de-identify the data as it is inserted into a new table using a DLP de-identification template. Which approach should they use?

A. Use Cloud Audit Logs to monitor insertions and manually run a DLP transformation.
B. Use Cloud DLP inspection job triggers to scan the table and send notifications.
C. Create a DLP de-identification template and apply it to the BigQuery table using a DLP job.
D. Use BigQuery column-level security with data masking rules.
Answer: C

A DLP de-identification job can read from the source table, apply the template, and write the de-identified data to a destination table.

Why this answer

Cloud DLP can be used to create a de-identification template and then apply it to data in BigQuery via a DLP job or by using the DLP API to transform data on the fly. However, to automatically de-identify data as it is inserted, a common pattern is to use Cloud Functions triggered by BigQuery streaming inserts or scheduled DLP jobs that transform the data and write to a new table.

85 · MCQ · medium

An organization needs to store cryptographic keys that must be protected in a FIPS 140-2 Level 3 validated hardware security module (HSM). Which Google Cloud service should they use?

A. Secret Manager
B. Cloud KMS with software-backed keys
C. Cloud External Key Manager
D. Cloud HSM
Answer: D

Cloud HSM meets FIPS 140-2 Level 3.

Why this answer

Cloud HSM provides FIPS 140-2 Level 3 validated HSM for key material. Keys are generated and stored in the HSM.

86 · Multi-Select · medium

A company needs to enforce that all data stored in Cloud Storage and BigQuery is encrypted with customer-managed keys (CMEK). Which TWO actions should they take? (Choose two.)

Select 2 answers
A. Enable Access Transparency logs.
B. Create a Cloud HSM key to ensure FIPS 140-2 Level 3 compliance.
C. Set the organization policy constraint 'constraints/gcp.cmeKRequired' for Cloud Storage and BigQuery.
D. Use Cloud DLP to inspect and classify data.
E. Create a Cloud KMS key ring and a symmetric encryption key.
Answers: C, E

This policy ensures resources are encrypted with CMEK.

Why this answer

To enforce CMEK, a CMEK key must be created in Cloud KMS and then configured on the resources (buckets, datasets). An organization policy can also be set to require CMEK for certain services. Creating a Cloud HSM key is a type of CMEK but is not specifically required.

87 · MCQ · medium

A security engineer needs to ensure that sensitive columns in BigQuery are automatically masked for certain users. For example, the email column should show only the domain for users with a specific role. Which two services must be configured together?

A. Data Catalog and BigQuery Data Policy
B. Cloud IAM and VPC Service Controls
C. Secret Manager and Cloud Functions
D. Cloud DLP and Cloud KMS
Answer: A

Data Catalog creates taxonomies and policy tags; BigQuery Data Policy uses those tags to apply data masking rules.

Why this answer

BigQuery column-level security uses policy tags attached to columns, which are defined in Data Catalog taxonomies. To apply masking, you need to use BigQuery Data Policy (also known as data masking) which uses policy tags to define masking rules. Data Catalog provides the taxonomy for policy tags, while BigQuery Data Policy applies the actual masking.

IAM roles for masking are granted via the policy tags.

88 · Multi-Select · hard

A company is designing a key destruction process for Cloud KMS. They need to ensure that after a key is destroyed, the ciphertext encrypted with that key becomes permanently undecryptable. They also need to allow a 7-day recovery window in case of accidental destruction. Which three steps should they take? (Choose THREE).

Select 3 answers
A. Schedule destruction of the key and set a destruction period of 7 days.
B. Disable the key before scheduling destruction.
C. Use Cloud HSM to store the key material for additional protection.
D. Ensure the key is not used by any active resources before destruction.
E. Rotate the key before destruction to create a new version.
Answers: A, C, D

This sets a 7-day grace period before permanent destruction, allowing recovery.

Why this answer

Cloud KMS offers a pending destruction state with a default grace period of 24 hours, which can be extended up to 30 days. By setting a longer destruction period (e.g., 7 days), the key remains in pending destruction state and can be restored. After the grace period expires, the key is destroyed permanently.

Disabling the key prevents use but allows re-enabling. Rotation does not affect destruction. Using Cloud HSM is not directly related to destruction timing.

89 · MCQ · hard

A security team wants to automatically rotate a database password stored in Secret Manager every 60 days and notify the operations team when a new version is created. Which approach should they use?

A. Set a rotation period on the secret and configure a Pub/Sub topic for notifications; use a Cloud Function to generate the new password
B. Use Cloud Scheduler to call the Secret Manager API to add a new version
C. Use Cloud KMS key rotation to rotate the secret
D. Manually update the secret every 60 days
Answer: A

Secret Manager rotation with Pub/Sub and a Cloud Function automates password generation and notification.

Why this answer

Secret Manager supports automatic rotation with a Pub/Sub topic. You can set a rotation period (e.g., 60 days) and a Pub/Sub topic for notifications. A Cloud Function can listen to the topic and update the password.

Secret Manager can also call a user-provided Cloud Function to generate the new secret version.

90 · MCQ · medium

A company using Cloud KMS wants to automatically rotate a symmetric encryption key every 90 days. What is the correct way to configure this?

A. Set the key purpose to ASYMMETRIC_SIGN for automatic rotation
B. Set the rotation period to 90 days when creating the key ring
C. Use Cloud Scheduler to call `cloudkms.rotateKey` every 90 days
D. Set the rotation period on the cryptographic key to 90 days
Answer: D

Setting the rotation period on the key enables automatic rotation.

Why this answer

Cloud KMS supports automatic rotation by setting a rotation period on the key. The key's primary version will be rotated automatically at the specified interval.

91 · MCQ · hard

An engineer needs to destroy a Cloud KMS key immediately due to a security incident. They disable the key and then schedule destruction. What is the default waiting period before the key is permanently destroyed?

A. Immediate destruction
B. 24 hours
C. 7 days
D. 30 days
Answer: B

The default pending destruction period is 24 hours.

Why this answer

In Cloud KMS, when you schedule destruction of a key version, there is a default pending destruction grace period of 24 hours. During this time, you can cancel destruction. The key is not immediately destroyed.

92 · MCQ · easy

A security engineer needs to view logs of Google Cloud support engineers accessing their data to meet compliance requirements. Which GCP feature should they enable?

A. Access Approval
B. Access Transparency
C. Audit Logs
D. VPC Flow Logs
Answer: B

Access Transparency logs Google admin access to customer content.

Why this answer

Access Transparency provides near-real-time logs of Google admin access to customer content. It is available for certain services like Compute Engine, Cloud Storage, BigQuery, etc. Audit Logs record actions performed by users in the customer's project, not Google staff.

Access Approval is a separate feature that allows customers to approve or deny access requests. VPC Flow Logs record network traffic, not admin access.

93 · MCQ · medium

A company uses Cloud KMS with a key purpose of ENCRYPT_DECRYPT. They want to rotate the key automatically every 90 days. What must the security engineer configure to achieve this?

A. Use a key with ASYMMETRIC_SIGN purpose
B. Set the key version state to 'disabled' after 90 days
C. Manually rotate the key every 90 days using the gcloud command
D. Set the rotation period on the key to 7776000 seconds
Answer: D

Automatic rotation is configured by setting a rotation period on the key. 90 days = 7776000 seconds.

Why this answer

In Cloud KMS, key rotation can be automatic by setting a rotation period on a key. The rotation period is configured in seconds (e.g., 90 days = 7776000 seconds). Manual rotation via the console or API is not automatic.

The key purpose does not affect rotation capability; ENCRYPT_DECRYPT supports rotation.

94 · MCQ · medium

After deleting a Cloud KMS key version, an engineer receives an error when trying to decrypt data that was encrypted with that key version. The key version was deleted 12 hours ago. What is the most likely cause?

A. The key version was automatically rotated and is no longer the primary.
B. The key version is disabled and needs to be re-enabled.
C. The key version is in a pending destruction state and can be restored within 24 hours.
D. The key version was destroyed immediately upon deletion because the grace period is configurable.
Answer: D

If the key version was deleted (not scheduled for destruction), it is destroyed immediately. The grace period only applies when scheduling destruction.

Why this answer

The default grace period for scheduled destruction is 24 hours, but if the key version was deleted outright rather than scheduled for destruction, it may have been destroyed immediately. Cloud KMS does not allow recovery after destruction.

95 · MCQ · hard

A company uses Cloud KMS with an HSM key for encryption of sensitive data. The compliance team requires that the key material never leaves the HSM boundary. They plan to use the key for symmetric encryption/decryption. Which key purpose should they specify when creating the key?

A. ASYMMETRIC_SIGN
B. ASYMMETRIC_DECRYPT
C. MAC
D. ENCRYPT_DECRYPT
Answer: D

This is the purpose for symmetric encryption/decryption, and HSM keys support it.

Why this answer

For symmetric encryption/decryption, the key purpose must be ENCRYPT_DECRYPT. ASYMMETRIC_SIGN and ASYMMETRIC_DECRYPT are for asymmetric keys. MAC is for message authentication codes.

Only ENCRYPT_DECRYPT supports symmetric operations.

96 · MCQ · medium

A company uses Cloud KMS with a key purpose of ENCRYPT_DECRYPT. They need to rotate the key automatically every 30 days. What must they configure?

A. Set a rotation period of 30 days on the key.
B. Use a cron job to rotate keys manually every 30 days.
C. Set a rotation period of 30 days on the key ring.
D. Set a rotation period on the key version.
Answer: A

Setting the rotation period on the key enables automatic rotation every 30 days.

Why this answer

Option A is correct because Cloud KMS allows you to set a rotation period directly on a key (a CryptoKey resource) when its purpose is ENCRYPT_DECRYPT. Configuring a rotation period of 30 days on the key enables automatic, scheduled rotation, where Cloud KMS creates a new key version every 30 days and promotes it to primary, without any manual intervention.

Exam trap

Cisco often tests the distinction between key-level and key-ring-level configurations, and the trap here is that candidates mistakenly think rotation is set on the key ring or on individual key versions, when in fact it is always set on the CryptoKey resource itself.

How to eliminate wrong answers

Option B is wrong because using a cron job to rotate keys manually every 30 days is unnecessary and error-prone; Cloud KMS provides native automatic rotation, and manual rotation via cron would require custom scripting and API calls, defeating the purpose of managed rotation. Option C is wrong because rotation periods are set on the key (CryptoKey), not on the key ring; a key ring is a logical grouping of keys and does not have a rotation period property. Option D is wrong because rotation periods are configured on the key itself, not on individual key versions; key versions are immutable snapshots created during rotation, and you cannot set a rotation schedule on a version.

97 · MCQ · easy

An organization needs to store API keys for external services. Which Google Cloud service is designed for secure storage of secrets such as API keys, passwords, and certificates?

A. Cloud KMS
B. Secret Manager
C. Cloud Datastore
D. Cloud HSM
Answer: B

Secret Manager is the correct service for storing secrets.

Why this answer

Secret Manager is specifically designed for storing secrets like API keys, passwords, and certificates, with versioning, IAM access control, and rotation support.

98 · Multi-Select · medium

A security engineer wants to ensure that sensitive data in BigQuery is masked for analysts but visible in full to data stewards. Which two components must be used together? (Choose TWO.)

Select 2 answers
A. Data Catalog taxonomy with policy tags
B. BigQuery Data Policy with masking rules
C. Cloud DLP de-identification templates
D. IAM roles with conditions on table
E. Cloud KMS key for encryption
Answers: A, B

Policy tags are used to classify columns and control access.

Why this answer

BigQuery column-level security requires a Data Catalog taxonomy with policy tags, and then BigQuery Data Policy to define masking rules (e.g., email masking). Policy tags alone provide access control but not masking; data policies provide the masking.

99 · MCQ · medium

A company uses Cloud DLP to de-identify a dataset containing customer phone numbers. They need to replace each phone number with a consistently masked value that preserves the format (e.g., XXX-XXX-1234) but cannot be reversed. Which de-identification transform should they use?

A. DateShiftConfig
B. MaskingConfig
C. CryptoReplaceFfxFpeConfig
D. BucketingConfig
Answer: B

MaskingConfig replaces characters with a mask character, preserving the formatting, and is not reversible.

Why this answer

MaskingConfig is the correct choice because it irreversibly replaces characters in a string while preserving the format. In this scenario, the customer phone numbers need to be consistently masked (e.g., replacing all but the last four digits with 'X') so that the output maintains the pattern XXX-XXX-1234, and the original value cannot be recovered. MaskingConfig supports character-level replacement with a fixed character (like 'X') and can preserve the original length and formatting, which meets the requirement for a non-reversible, format-preserving de-identification.

Exam trap

Cisco often tests the distinction between reversible (CryptoReplaceFfxFpeConfig) and irreversible (MaskingConfig) transforms, and candidates mistakenly choose CryptoReplaceFfxFpeConfig because it preserves format, but they overlook the 'cannot be reversed' requirement.

How to eliminate wrong answers

Option A is wrong because DateShiftConfig is specifically designed for shifting dates by a random or deterministic offset, not for masking or formatting phone numbers. Option C is wrong because CryptoReplaceFfxFpeConfig uses Format-Preserving Encryption (FFX) which is reversible with the correct key, contradicting the requirement that the masked value cannot be reversed. Option D is wrong because BucketingConfig replaces a value with a general bucket or range (e.g., '555-555-XXXX'), which does not preserve the specific format of the original phone number (e.g., it would lose the last four digits' exact pattern).

100 · MCQ · hard

An organization stores sensitive customer data in BigQuery tables. They need to enforce column-level security such that users in the 'support' group see a masked version of email addresses (e.g., j***@example.com), while managers see the full email. Which approach should they use?

A. Create a view that applies masking functions and grant access to the view.
B. Use Cloud DLP to scan and de-identify the data in place.
C. Apply a BigQuery data masking policy using policy tags on the email column.
D. Create separate tables for each role and populate them with appropriate data.
Answer: C

Data masking policies allow dynamic masking based on the user's role when querying the table.

Why this answer

BigQuery column-level security with policy tags and data masking rules can achieve this. Data masking policies can be applied to policy tags to mask data based on user access. Using views or separate tables is less maintainable, and Cloud DLP is for batch scanning/de-identification, not real-time masking.
