Professional Cloud Architect · Domain 3 · 17.5% of exam

Designing for security and compliance

Drill 20 practice questions focused entirely on Designing for security and compliance for the Google Cloud PCA exam. Tap an answer for instant feedback and a full explanation — no sign-up, always free.

Verified answer20 questions
Question 1 of 20

A financial services company must satisfy a regulator's requirement that any access to their data by the cloud provider's support and engineering staff be logged, justified, and subject to explicit customer approval before the access occurs. The compliance team also wants near-real-time visibility into these provider-initiated access events. Which combination of Google Cloud capabilities best satisfies this requirement?

Reviewed for accuracy · Report an issue
Question 2 of 20

A US-based defense contractor is migrating a workload to Google Cloud that must comply with FedRAMP High and IL4 requirements. The security team mandates that the environment enforce data residency in US regions, restrict Google support personnel to US persons, and continuously monitor for configuration drift away from the compliance baseline. They want a Google-managed solution that packages these controls rather than assembling individual org policies and IAM constraints manually. Which approach best meets these requirements?

Reviewed for accuracy · Report an issue
Question 3 of 20

A financial services company runs microservices on GKE and must satisfy an auditor requirement that only container images built and scanned by the approved CI/CD pipeline can be deployed to production clusters. Developers must not be able to run arbitrary or manually pushed images. Which Google Cloud approach best enforces this control at deploy time?

Reviewed for accuracy · Report an issue
Question 4 of 20

A financial services company must generate and store the cryptographic signing keys used for their digital document-signing service. Regulatory auditors require that all key material be generated and stored in hardware validated to FIPS 140-2 Level 3, and the company wants to avoid managing physical hardware while still using Cloud KMS APIs. Which Google Cloud solution meets these requirements with the least operational overhead?

Reviewed for accuracy · Report an issue
Question 5 of 20

A financial services company stores all encryption keys in a dedicated 'security-keys' project managed by the central security team. An application team's project runs Compute Engine VMs whose persistent disks must be encrypted with a customer-managed encryption key (CMEK) from a key ring in the security-keys project. When the application team tries to create a disk referencing the key, disk creation fails with a permission error. What is the correct way to resolve this while maintaining centralized key management?

Reviewed for accuracy · Report an issue
Question 6 of 20

A financial services company stores customer records in Cloud Storage buckets encrypted with customer-managed encryption keys (CMEK) in Cloud KMS. To comply with a data protection regulation, when a customer requests deletion of their data, the company must guarantee that all copies—including any that may persist in backups or replicated storage—become permanently unrecoverable, and must be able to prove the data is cryptographically inaccessible. What is the most effective approach to meet this requirement?

Reviewed for accuracy · Report an issue
Question 7 of 20

A multinational bank must store customer records in Cloud Storage and BigQuery. A new regulatory requirement mandates that the bank retain sole control of the encryption keys outside of Google Cloud, so that Google can never access key material even under a lawful access request. The security team also needs the ability to instantly and permanently revoke Google's ability to decrypt the data. Which encryption approach satisfies these requirements?

Reviewed for accuracy · Report an issue
Question 8 of 20

A financial services company stores highly sensitive customer records in Cloud Storage buckets encrypted with Cloud KMS customer-managed encryption keys (CMEK). Regulators require that any decryption of this data by cloud provider personnel or automated processes be explicitly justified and, in certain cases, blocked unless the organization approves the reason. The security team wants a mechanism where each request to use the key includes a reason code, and the organization can define policies that automatically deny key access for unapproved justification categories. Which capability should the architect implement?

Reviewed for accuracy · Report an issue
Question 9 of 20

A financial services company must comply with a regulation requiring that the team managing encryption keys be different from the team that operates the applications consuming those keys. Application workloads run on Compute Engine and store data in Cloud Storage encrypted with Cloud KMS. Security auditors require proof that developers cannot administer or destroy keys, while applications can still perform encrypt/decrypt operations. Which IAM design best satisfies these separation-of-duties requirements?

Reviewed for accuracy · Report an issue
Question 10 of 20

A defense contractor must store classified project data in Google Cloud but is contractually required to retain sole physical custody of all encryption keys, with keys never leaving their on-premises hardware security module. They also need the ability to instantly revoke Google's access to the plaintext data by cutting off key access, and they must prove that Google cannot decrypt data without their live authorization. Which key management approach satisfies these requirements?

Reviewed for accuracy · Report an issue
Question 11 of 20

A financial services company ingests customer support chat transcripts into a BigQuery dataset used by data analysts to build product improvement dashboards. Compliance requires that analysts must never see raw personally identifiable information (PII) such as credit card numbers, national IDs, and email addresses, but the analytics must remain useful (aggregations, trends). The security team wants a scalable, managed approach that transforms the sensitive fields before analysts query them, while preserving the ability to correlate records. What should the architect recommend?

Reviewed for accuracy · Report an issue
Question 12 of 20

A financial services company is drafting a security whitepaper for auditors. The auditors ask how Google Cloud protects customer data stored in Cloud Storage and Persistent Disk by default, without the customer configuring anything. The architect must accurately describe the default encryption-at-rest mechanism. Which statement correctly describes Google Cloud's default data-at-rest encryption?

Reviewed for accuracy · Report an issue
Question 13 of 20

A financial services company stores sensitive customer statements in Cloud Storage buckets. During a security review, auditors find that individual objects have inconsistent legacy ACLs, making it impossible to reason about who can access data at scale. The security team wants to enforce access exclusively through IAM policies at the bucket level and eliminate per-object ACLs going forward, while ensuring the setting cannot be casually reverted by bucket owners. What should the architect recommend?

Reviewed for accuracy · Report an issue
Question 14 of 20

A European retail company stores customer profiles and purchase history in Cloud Storage and BigQuery. Under GDPR, customers can submit a 'right to erasure' request requiring the company to delete all their personal data across systems within a defined timeframe. The architect needs a design that guarantees a specific individual's data can be located and permanently removed on demand, while keeping the deletion process auditable. Which approach best supports this compliance requirement?

Reviewed for accuracy · Report an issue
Question 15 of 20

A financial services company runs sensitive workloads on a Google Kubernetes Engine (GKE) Standard cluster. During a compliance audit, the security team learns that Kubernetes Secrets (containing API tokens and database passwords) are stored in etcd only base64-encoded, not encrypted with a key the company controls. Regulators require that any at-rest secret material be protected by a customer-managed encryption key with the ability to disable access. What should the architect implement to meet this requirement with the least operational overhead?

Reviewed for accuracy · Report an issue
Question 16 of 20

A healthcare startup is building a patient-record analytics platform on Google Cloud and must comply with HIPAA. Their compliance officer wants to ensure that every Google Cloud product used to store, process, or transmit electronic protected health information (ePHI) is legally permitted under HIPAA. As the cloud architect, what is the correct first step to establish this compliance foundation?

Reviewed for accuracy · Report an issue
Question 17 of 20

A financial services company runs a Google Cloud project containing production BigQuery datasets. During quarterly audits, external auditors require read-only access to specific datasets, but only for a two-week window each quarter. The security team wants to grant this access without manually revoking it afterward, without creating standing permissions, and while maintaining least privilege. What is the most appropriate way to grant this access?

Reviewed for accuracy · Report an issue
Question 18 of 20

A financial services company must grant its internal audit team the ability to read configuration and metadata across all projects in an organization to verify controls, but auditors must never be able to modify resources or read customer data. The security team wants to avoid over-provisioning that comes with broad predefined roles. Which approach best follows least-privilege while satisfying the auditors' need for org-wide read visibility?

Reviewed for accuracy · Report an issue
Question 19 of 20

A financial services company grants broad Editor roles to several project owners for agility. The security team must ensure that, regardless of any IAM allow bindings, no principal outside the company's security group can ever delete Cloud KMS keys or key versions across the entire organization — even if a project owner mistakenly grants such permissions. Which approach best enforces this organization-wide restriction?

Reviewed for accuracy · Report an issue
Question 20 of 20

A security review at a financial services company reveals that many members have been granted broad predefined roles like roles/editor on production projects, but most only use a small subset of permissions. Leadership wants a data-driven, ongoing process to safely reduce these members to least privilege without breaking active workloads. Which Google Cloud approach best meets this requirement?

Reviewed for accuracy · Report an issue

More PCA practice

Keep going with the other Professional Cloud Architect domains, or take a full timed mock exam.

← Back to PCA overview