Review Mode Set 2 - Google Certified Professional Cloud Architect

1. Question

Category: PCA – Designing for Security and Compliance

A healthcare organization stores patient records in a Google Cloud Storage bucket. Due to compliance regulations such as HIPAA, the organization must ensure that the data is encrypted at rest using a managed encryption key. Additionally, they need the ability to rotate encryption keys periodically without disrupting access to the data. The organization wants to follow Google-recommended practices to securely manage and rotate the encryption keys.

The data will undergo processing through Google BigQuery to facilitate analysis and reporting.

Which solution should the organization implement to meet these requirements?

Configure Cloud Storage to use AES-256 encryption with Customer-Supplied Encryption Keys (CSEK) for data encryption
Set up Google Cloud KMS to generate a cryptographic key and link this key to the Cloud Storage bucket.
Enable automatic encryption at the BigQuery level and configure it to work with encrypted data stored in Cloud Storage.
Use Google Secret Manager to store encryption keys and link them to Cloud Storage.

2. Question

Category: PCA – Designing for Security and Compliance

A company must retain IAM policy change logs in Google Cloud for 6 months to meet audit requirements. Auditors need read-only access to just the relevant log data every quarter.

The security team wants to use native services with minimal overhead and prefers a solution that supports advanced filtering and granular access control.

Which solution will meet these requirements?

Configure Cloud Logging to export Admin Activity logs to BigQuery and create authorized views with ACLs to share filtered log data with auditors.
Export audit logs to Google Cloud Storage and schedule Dataflow jobs to transform the logs and load them into a reporting dashboard.
Use Pub/Sub to stream audit log entries to a custom API that stores filtered data in Cloud SQL for downstream reporting.
Create a custom Cloud Run Function triggered by audit logs that writes policy changes into Firestore and controls access with Firestore security rules.

3. Question

Category: PCA – Designing for Security and Compliance

An enterprise recently moved to Google Cloud. The governance team needs to centrally maintain organization-wide control while allowing each department (e.g., Engineering, Finance) to manage its own IAM policies and resources independently.

Which of the following will meet the given requirement?

Delegate IAM administration at the Folder level within a single Organization, where each department is assigned its own Folder.
Use separate Organizations for each department to isolate access and allow full IAM control per team.
Create a single Organization and assign IAM policies directly at the project level across all departments.
Use a single Organization and assign IAM policies at the Organization level for centralized enforcement.

4. Question

Category: PCA – Designing and Planning a Cloud Solution Architecture

You are building a platform for a digital marketing company to support online analytical processing (OLAP) of campaign performance and customer behavior data. You plan to use Cloud Dataflow in the data processing pipeline to manage real-time and batch ingestion from various marketing data sources.

The platform must use a relational database that can efficiently operate on hundreds of terabytes of data to support complex analytical queries.

Which Google Cloud service should you use for this platform?

Google Cloud Spanner, because it is a relational database optimized for high-throughput transactional workloads.
Google BigQuery, because it is a serverless analytics platform built for querying large-scale structured data.
Google DataProc, because it runs big data processing jobs using open-source tools like Apache Spark and Hadoop.
Google Cloud Storage, because it provides scalable object storage for raw files and backups.