Ensuring data protection
Drill 20 practice questions focused entirely on Ensuring data protection for the Google Cloud PCSE exam. Tap an answer for instant feedback and a full explanation — no sign-up, always free.
A financial services company must comply with a regulatory requirement that all cryptographic keys protecting customer payment data be generated and stored in hardware validated to FIPS 140-2 Level 3. The security team wants to use Cloud KMS to manage these keys but must ensure the private key material never exists outside a certified hardware boundary and cannot be exported. Which approach meets these requirements with the least operational overhead?
A financial services company needs to digitally sign software release artifacts so that downstream consumers can verify authenticity and integrity without ever having access to the private signing key. The security team wants Google Cloud to generate and store the private key material such that it can never be exported, while allowing external partners to obtain the public key for verification. Which Cloud KMS approach should they implement?
A development team needs to encrypt large volumes of application data (multi-gigabyte objects) at the application layer before storing them in Cloud Storage. Cloud KMS has a payload size limit of 64 KiB per encrypt/decrypt request, so calling the KMS API directly on each large object is not feasible. The security team requires that the encryption approach still centralize key control in Cloud KMS and support key rotation. What is the recommended technique?
A security engineer at a fintech company accidentally scheduled the destruction of a Cloud KMS symmetric key version that still encrypts several active BigQuery datasets and Cloud Storage objects. The destruction was initiated 6 hours ago. The engineer needs to prevent permanent data loss while following the least-disruptive supported recovery path. What should the engineer do?
A financial services company uses Cloud KMS to protect customer records. The security team requires that the engineers who manage the lifecycle of encryption keys (creating, rotating, and disabling keys) must NOT be able to use those keys to decrypt any data, enforcing separation of duties. The application service account only needs to perform cryptographic operations. How should you configure IAM to meet this requirement?
A data engineering team creates a BigQuery dataset in the US multi-region and configures it to use a customer-managed encryption key (CMEK). They created their Cloud KMS key ring in the us-central1 region. When they try to associate the key with the dataset, the operation fails. What is the most likely cause and the correct remediation?
A retail company stores customer PII in a Cloud Storage bucket within a project named 'data-prod'. Their security policy requires that all objects be encrypted with a Cloud KMS key managed in a separate, dedicated project named 'kms-central' to enforce separation of duties. When engineers upload objects to the bucket, encryption fails with a permission error. What must be configured so that objects are automatically encrypted using the CMEK from the other project?
A financial services company must comply with a regulation that requires the encryption keys protecting their BigQuery datasets to be generated and stored outside of Google Cloud, entirely under the control of the organization's on-premises third-party key management system. The security team must ensure Google never has access to the raw key material, while still enabling BigQuery to use Google's managed infrastructure. Which encryption approach should they implement?
A financial services company stores highly regulated customer data in BigQuery and Cloud Storage, encrypted with Cloud KMS CMEK keys. Auditors require that any time Google or an internal automated process attempts to use these keys to decrypt data, the company can review the stated reason for access and automatically deny requests that lack an approved business justification. Which Cloud KMS capability should the security engineer configure to meet this requirement?
A large enterprise is standardizing CMEK across hundreds of new BigQuery datasets, Cloud Storage buckets, and Compute Engine disks created by many teams. Security wants each protected resource to use its own dedicated, purpose-built Cloud KMS key that is automatically generated in the correct region and follows a consistent naming and IAM convention, without developers manually creating key rings and keys for every resource. Which approach best meets these requirements with the least operational overhead?
A financial services company must comply with a regulation requiring that the cryptographic keys protecting customer data in BigQuery and Cloud Storage be generated on the company's on-premises FIPS 140-2 Level 3 hardware security module and never exist in software form inside Google Cloud. The company still wants to use Cloud KMS to manage the key lifecycle and reference the keys as CMEK on Google Cloud resources. Which approach meets these requirements?
A financial services company encrypts all Compute Engine persistent disks with a CMEK stored in Cloud KMS. During a suspected credential compromise, the security team must immediately render all data on those disks inaccessible while preserving the ability to restore access after the incident is investigated and cleared. Which action best meets this requirement?
A financial services company has a strict compliance requirement that Google must never have the ability to independently decrypt data stored on Compute Engine persistent disks. The security team wants to supply and manage the raw encryption key material themselves, storing keys entirely outside of Google Cloud in their on-premises HSM. They must provide the key each time a disk is created, attached, or a VM is started. Which encryption approach meets these requirements?
A financial services company ingests unstructured customer support transcripts into a Cloud Storage bucket. The security team must automatically detect US Social Security Numbers and passport numbers, but their initial scans return too many false positives on internal account reference numbers that happen to match the SSN pattern. They want to reduce false positives without stopping detection of genuine SSNs. Which Sensitive Data Protection configuration change should they make?
A media company allows external partners to upload files to a Cloud Storage bucket. Compliance requires that any object containing sensitive data (credit card numbers, national IDs) never remain in the publicly writable ingestion bucket. Security wants an automated pipeline that inspects each newly uploaded object and moves clean files to a processing bucket while relocating files with sensitive findings to a restricted quarantine bucket for review. Which architecture best meets these requirements using Google-managed services?
A healthcare analytics team wants to share a de-identified copy of a patient dataset with external researchers. An 'age' column contains exact ages that, combined with ZIP code and gender, could re-identify individuals. Analysts still need to perform statistical analysis across broad age groups (0-17, 18-64, 65+). The team must transform the data using Sensitive Data Protection (DLP) while preserving analytic utility. Which de-identification transformation should they apply to the age column?
A healthcare analytics company must share a BigQuery dataset containing patient identifiers with an external research partner. The security team requires that direct identifiers (like medical record numbers) be replaced with tokens so records can still be joined across tables using the same identifier, and the original values must be recoverable later by an authorized internal team for audit purposes. The tokenization must be resistant to unauthorized reversal even if the transformed dataset is exposed. Which Sensitive Data Protection de-identification technique should they use?
A data engineering team at a healthcare analytics company must de-identify a customer email address column before loading data into BigQuery for analysts. Requirements: (1) the same email must always produce the same token so analysts can perform GROUP BY joins across tables, (2) the wrapped cryptographic key used for tokenization must never be embedded in the Sensitive Data Protection (DLP) template or stored in plaintext, and (3) the security team must be able to rotate the key material centrally. Which configuration satisfies all requirements?
A healthcare analytics team wants to share a BigQuery dataset of patient visit records with a research partner. The dataset contains admission dates and discharge dates. Researchers need to compute accurate lengths of stay and study seasonal trends, but the actual calendar dates for any individual patient must not be identifiable. Which Sensitive Data Protection (DLP) transformation should the team apply to the date fields?
A healthcare analytics team wants to load customer records containing credit card numbers into BigQuery for fraud analysis. The data scientists must be able to correlate transactions belonging to the same card across different tables (referential integrity), and an authorized security team must occasionally re-identify specific cards during confirmed fraud investigations. The solution should keep the tokenized values in the same numeric format as the original card numbers so downstream schemas remain unchanged. Which Sensitive Data Protection (DLP) de-identification technique should you configure?
More PCSE practice
Keep going with the other Professional Cloud Security Engineer domains, or take a full timed mock exam.
← Back to PCSE overview