Professional Cloud Security Engineer · Domain 5 · 11% of exam

Supporting compliance requirements

Drill 17 practice questions focused entirely on Supporting compliance requirements for the Google Cloud PCSE exam. Tap an answer for instant feedback and a full explanation — no sign-up, always free.

Verified answer17 questions
Question 1 of 17

A financial services company operating under strict regulatory requirements must ensure that no Google support or engineering personnel can access their customer data unless the company's own security team has explicitly granted permission for each access request. They already have Access Transparency logs enabled but want to move from passive visibility to active pre-authorization. Which capability should they configure to meet this requirement?

Reviewed for accuracy · Report an issue
Question 2 of 17

A financial services company must document to their auditors that all Google personnel access to their production data is logged. Their compliance team wants to enable Access Transparency logs across the organization. During the enablement review, the security engineer discovers that Access Transparency is not available to activate for the organization. What is the most likely prerequisite the company has not met?

Reviewed for accuracy · Report an issue
Question 3 of 17

A financial services company is preparing documentation for an external auditor who is assessing the organization's ability to demonstrate oversight of any Google personnel access to customer content. The security team has already enabled Cloud Audit Logs (Admin Activity and Data Access). The auditor specifically asks for evidence showing when Google support or engineering staff accessed customer content, along with the justification for that access. Which action provides the required evidence?

Reviewed for accuracy · Report an issue
Question 4 of 17

A financial services company must demonstrate to auditors that they have visibility into any actions Google Cloud support or engineering personnel take on their data, and that such access requires explicit organizational sign-off before it occurs. The compliance team has already enabled Access Transparency logs across the organization. During an audit rehearsal, they realize they cannot show evidence that Google personnel access was ever gated on their own approval. Which additional capability should they enable to meet the requirement that Google personnel access be explicitly authorized by the organization before it happens?

Reviewed for accuracy · Report an issue
Question 5 of 17

A healthcare organization runs regulated workloads in an Assured Workloads folder configured for a US-based compliance regime. During a routine audit, the compliance team must demonstrate to regulators that Google support and engineering personnel cannot access customer content without a documented business justification, and that any such access is logged with a reason code. Which capability should the team point to as evidence of this control?

Reviewed for accuracy · Report an issue
Question 6 of 17

A healthcare company runs regulated workloads in an Assured Workloads folder configured for a specific compliance regime. The compliance team needs an automated way to be alerted when a resource is created or modified in a way that violates the Assured Workloads controls (for example, a resource deployed outside the approved region), so they can document and remediate the drift. Which capability should they use?

Reviewed for accuracy · Report an issue
Question 7 of 17

A financial services company already runs several production projects in a Google Cloud organization. New regulations now require that a subset of these workloads meet a specific compliance regime with strict data residency and personnel access controls. The security team wants to bring these workloads under Assured Workloads with the least effort while ensuring compliance controls are actually enforced. What is the correct approach?

Reviewed for accuracy · Report an issue
Question 8 of 17

A healthcare company is deploying a new analytics platform on Google Cloud that must comply with a regional data sovereignty regulation requiring that all cryptographic key material be generated, stored, and controlled outside of Google's infrastructure and remain in the customer's jurisdiction. The security team has created an Assured Workloads folder configured for the appropriate compliance regime. During design review, an architect asks how encryption keys should be managed to satisfy the requirement that Google must never have access to unwrapped key material. Which approach should the team adopt?

Reviewed for accuracy · Report an issue
Question 9 of 17

A European financial services company must onboard to Google Cloud while meeting EU digital sovereignty requirements. Their legal team mandates that data storage and processing remain within EU boundaries, that Google support personnel access is restricted to EU-based staff, and that customer approval is required before any Google administrator can access data during support operations. Which approach best satisfies these compliance requirements with the least custom engineering effort?

Reviewed for accuracy · Report an issue
Question 10 of 17

A U.S. federal contractor must run a new workload on Google Cloud under FedRAMP Moderate authorization. During planning, an engineer proposes using an Assured Workloads folder configured for the FedRAMP Moderate control package. A developer asks to deploy a Google Cloud service that is NOT on the list of products supported by that Assured Workloads compliance regime. What is the correct guidance for maintaining compliance within the Assured Workloads folder?

Reviewed for accuracy · Report an issue
Question 11 of 17

A US federal contractor must run a new workload in Google Cloud that handles Controlled Unclassified Information (CUI). Compliance requires that the data remain within US regions, that only US-based Google support personnel who have passed government background checks can access the environment, and that the control package aligns with the DoD Impact Level 4 (IL4) framework. The security team wants Google to enforce these constraints programmatically at folder creation rather than relying on manually applied org policies. What should they do?

Reviewed for accuracy · Report an issue
Question 12 of 17

A financial services company must demonstrate to auditors that all administrative configuration changes to Google Cloud resources over the past 18 months can be produced on demand. The compliance team discovers that Admin Activity audit logs are being relied upon for this evidence, but is concerned they will not satisfy the 18-month retention requirement. Which action correctly addresses this concern while minimizing operational overhead?

Reviewed for accuracy · Report an issue
Question 13 of 17

A financial services company must demonstrate to auditors that all reads and writes to a specific set of BigQuery datasets holding regulated customer data are logged, without incurring the cost and volume of enabling Data Access logs across every service in the organization. Their compliance mandate applies only to those datasets. What is the recommended approach to configure Data Access audit logs to satisfy this requirement efficiently?

Reviewed for accuracy · Report an issue
Question 14 of 17

A compliance auditor asks your team to demonstrate which Cloud Audit Logs categories are always captured for a GCP organization without any administrator action to enable them, and which cannot be disabled. During a review, a security engineer claims that all audit log types must be explicitly enabled before they generate entries. Which statement correctly describes the default and configurability behavior of Cloud Audit Log types that you should document for the auditor?

Reviewed for accuracy · Report an issue
Question 15 of 17

A financial services company must demonstrate continuous compliance with the PCI DSS framework for a set of Google Cloud projects. The compliance team needs an automated way to assess resource configurations against PCI DSS control requirements and to generate downloadable evidence and control-mapping reports for external auditors, without building custom scripts. Which Google Cloud capability best meets this requirement?

Reviewed for accuracy · Report an issue
Question 16 of 17

A financial services company must provide external auditors with Google's third-party attestation documents (SOC 2 Type II, ISO 27001, PCI DSS) to demonstrate that the underlying cloud infrastructure meets shared-responsibility control requirements. The compliance team needs a self-service way to obtain these certifications and audit reports directly from Google Cloud without opening a support case. Which approach should they use?

Reviewed for accuracy · Report an issue
Question 17 of 17

A financial services company must retain evidence that all read and write operations on customer data across every project in their Google Cloud organization are logged for a regulatory audit. The compliance team discovers that while Admin Activity logs are captured everywhere, Data Access logs are inconsistently enabled — some project owners enabled them, others did not. Auditors require a consistent, organization-wide guarantee going forward without relying on individual project owners. What is the most effective way to meet this requirement?

Reviewed for accuracy · Report an issue

More PCSE practice

Keep going with the other Professional Cloud Security Engineer domains, or take a full timed mock exam.

← Back to PCSE overview