Security & Compliance
The four data-security concerns, one model
Picture a BigQuery dataset that holds customer orders with email addresses and card numbers, feeding a pipeline whose service account writes nightly. Securing it on Google Cloud always comes down to the same four questions, and the rest of this page is one question per section: who can act on the data (access), who holds the key that encrypts it (encryption), how the sensitive values themselves are protected when data leaves the table (privacy), and where the data may live and what can cross its boundary (residency and isolation). Underneath all four sits the project, dataset, and table layout that decides where every control attaches.
Keep these four as distinct concerns rather than blurring them, because the exam loves to offer a control from the wrong concern. Access (Cloud IAM) decides who, but it does nothing once data is in a query result. Encryption is always on, so its only design choice is key ownership, not whether to turn it on. Privacy controls (Sensitive Data Protection, column-level security) act on the values themselves and survive an export. Residency and isolation (dataset location, Organization Policy, VPC Service Controls) constrain place and movement, independent of who holds a valid credential.
| Concern | Question it answers | Primary controls |
|---|---|---|
| Access | Who can act on this resource? | Cloud IAM[1] roles, hierarchy inheritance, deny policies |
| Encryption | Who owns the key? | Google-managed keys, CMEK in Cloud KMS[2], CSEK, Cloud HSM/EKM |
| Privacy | How are the values themselves protected? | Sensitive Data Protection[3], BigQuery column-level security, dynamic masking |
| Residency & isolation | Where can data live, what crosses the boundary? | Dataset location, Organization Policy[4], VPC Service Controls[5] |
A question that says "a user with valid permissions can still not query the table from outside the network" is pointing at the residency-and-isolation concern (VPC Service Controls), not at IAM, because IAM already said yes.
Access: IAM on datasets, buckets, and the hierarchy
Cloud IAM grants a role (a bundle of permissions) to a principal (a user, group, or service account) on a resource; you never grant a bare permission. The reusable rule for least privilege is to bind the narrowest role at the lowest resource that satisfies the need: roles/bigquery.dataViewer on one dataset, not roles/editor on the project.
Inheritance sets the blast radius
The Google Cloud resource hierarchy runs organization > folders > projects > resources, and an IAM allow policy set on a node is inherited by everything beneath it. A role granted at the folder applies to every project under that folder, so the level you bind at, not just the role you pick, decides the blast radius. This is why dev/prod separation is a security control and not just tidiness: a role scoped to the production folder cannot touch development resources.
Both BigQuery and Cloud Storage expose resource-level IAM below the project. A BigQuery dataset (and, finer still, a table or view) takes its own IAM grants, and a Cloud Storage bucket takes bucket-level IAM, so a pipeline's service account can be scoped to exactly the dataset it reads and the bucket it writes. Prefer bucket-level uniform IAM[6] over legacy per-object ACLs for buckets that back a data lake.
Allow is additive; deny wins
Allow policies only ever add permissions; they cannot subtract one. To guarantee a permission is blocked, attach an IAM deny policy[7] at the organization, folder, or project. IAM evaluates deny rules before allow rules, so a matching deny blocks the permission no matter what role was granted, including an inherited Owner. A deny rule applies when its condition is true or cannot be evaluated, and exceptionPrincipals carves out break-glass identities. Do not try to undo an over-broad grant by layering more allow grants; that never removes the original.
Encryption: default at rest, then key ownership
Encryption is never the decision; key ownership is. Google Cloud encrypts all customer data at rest by default[8] with AES-256 and no action from you, using envelope encryption: a data encryption key (DEK) encrypts the data, and a key encryption key (KEK) wraps the DEK. The only design choice is who controls the KEK.
The three key-ownership tiers
With Google-managed keys, Google holds and rotates the KEK; there is nothing to set up and no key for you to lose. With customer-managed encryption keys (CMEK) in Cloud KMS, you own the KEK: you can rotate it on a schedule, disable it, and destroy it, and destroying or disabling it makes the protected data permanently unreadable, which is crypto-shredding. With customer-supplied encryption keys (CSEK), you pass a raw key with each request and Google never stores it, so losing it loses the data. Reach for CMEK when a regulator demands auditable key control or rotation; stay on Google-managed keys otherwise, because CMEK adds key IAM, a rotation schedule, and an availability dependency on Cloud KMS.
When a stronger key boundary is mandated
If a control mandates a hardware-backed key, Cloud HSM[9] stores the CMEK in a cluster of FIPS 140-2 Level 3 certified hardware security modules. If the key must live outside Google Cloud entirely, Cloud EKM (External Key Manager) keeps it in a third-party key manager and Cloud KMS calls out to it. Plain CMEK is a software-protected key inside Cloud KMS. The common confusion is CMEK versus CSEK: CMEK keys are stored and managed in Cloud KMS, while CSEK keys are supplied per request and never stored by Google.
In BigQuery you set CMEK at the dataset level so new tables inherit it; in Cloud Storage you set a default CMEK on the bucket.
Privacy: de-identify PII and mask columns
IAM decides who opens a table, but once a value is in a query result, an export, or a downstream dataset, IAM no longer protects it. Privacy controls act on the sensitive values themselves, so the protection travels with the data.
Sensitive Data Protection finds and de-identifies
Sensitive Data Protection[3] (formerly Cloud DLP) discovers and classifies sensitive data across BigQuery, Cloud Storage, and Datastore, and can inspect streaming content inline. It matches built-in infoTypes such as credit-card number or national ID, then de-identifies what it finds. The de-identification techniques are masking (replace characters), redaction (remove the value), bucketing (generalize, for example an exact age to an age range), date shifting (move dates by a consistent random offset), and tokenization. Tokenization (also called pseudonymization) swaps a value for a token while keeping a consistent mapping, so the same input always yields the same token and the original can be recovered if the format-preserving or cryptographic method permits, all without exposing the raw value. Use this when you must analyze data that contains PII but the analysts should never see the raw identifiers.
Column-level control inside BigQuery
For per-column governance without copying data, BigQuery column-level security[10] tags sensitive columns with policy tags from Data Catalog and grants the Fine-Grained Reader role only to principals allowed to read them; everyone else cannot select the column. Dynamic data masking[11] goes further by returning an obfuscated value (nulled, hashed, or default) at query time based on the caller's role, so the same query shows real data to one role and masked data to another, with no second copy of the table. Reach for these inside the warehouse; reach for Sensitive Data Protection when the data lives in Cloud Storage, spans services, or needs a one-time bulk de-identification job.
Residency, isolation, and the project architecture
Two scenarios on this exam look like access control but are not: "data must stay in the EU" and "a user with valid permissions still cannot reach the data from outside the perimeter." The first is residency, the second is isolation, and both are governed independent of IAM.
Pin residency at creation and enforce it from above
A BigQuery dataset's location is fixed when the dataset is created and cannot be changed afterward; moving data to another region means creating a new dataset there and copying. Choosing the location per dataset is necessary but not enough at scale, because nothing stops a team from creating one in the wrong region. The Organization Policy[4] resource-location constraint set at the organization or folder forces every project below to provision resources only in allowed regions, which is how residency becomes enforced rather than advisory. Organization Policy governs what configuration is allowed (the what), while IAM governs who can act (the who); they are complementary, and a list/boolean constraint inherits to all descendants of the node it is set on.
When a requirement is residency only, the location constraint is the answer. Only when a scenario needs location AND access AND personnel guarantees together (for example an EU Data Boundary that also restricts which Google staff can act) do you reach for Assured Workloads[12], which is heavier and tied to specific compliance regimes.
Isolate the boundary with VPC Service Controls
VPC Service Controls[5] draws a service perimeter around projects and their Google-managed services. Communication inside the perimeter is free; communication across it is blocked by default. The key property is that it is context-based and independent of IAM: a caller with valid IAM permissions is still blocked across the perimeter, which makes it the data-exfiltration control. Controlled exceptions are ingress and egress rules, and dry-run mode logs would-be blocks before you enforce. Note what it does not do: it governs Google API access (for example a bigquery.googleapis.com request), not packet-level traffic between VMs, which remains the job of VPC firewall rules.
Architect projects for governance
Keep development and production in separate projects so a test job can never read or corrupt production data, and so IAM, quotas, billing, and audit logs are scoped cleanly per environment. A folder per environment lets one inherited IAM and Organization Policy set govern every project beneath it. Within an environment, model datasets and tables so the natural IAM boundary, a dataset-level grant, matches how teams actually share data, rather than dumping everything into one dataset and trying to claw back access table by table.
Four governance concerns for data security on Google Cloud
| Concern | Primary control | What it decides | Key trap |
|---|---|---|---|
| Access (who) | Cloud IAM roles on the resource + hierarchy inheritance | Which principals can act on a dataset, table, or bucket | Binding a broad role high in the hierarchy widens the blast radius |
| Encryption (key ownership) | Google-managed keys / CMEK in Cloud KMS / CSEK | Who holds and can destroy the key (data is always encrypted) | Assuming you must enable encryption; it is already on by default |
| Privacy (the data itself) | Sensitive Data Protection; BigQuery column-level security + masking | How PII is found and de-identified before sharing/analysis | Relying on IAM alone once data leaves the table in a result |
| Residency & isolation (where) | Dataset location + Organization Policy location constraint; VPC Service Controls | Which regions hold data and what crosses the perimeter | Trying to move a dataset's location after creation |
Sharp facts the exam loves — give these one last read before exam day.
Cheat sheet
Sharp facts the exam loves — scan these before test day.
- Grant the narrowest IAM role at the lowest resource that meets the need
Cloud IAM grants a role (a bundle of permissions) to a principal on a resource; you never grant a bare permission. For least privilege, bind the narrowest role at the lowest level: an analyst who needs to read one BigQuery dataset gets
roles/bigquery.dataVieweron that dataset, notroles/editoron the project. Both BigQuery datasets and tables and Cloud Storage buckets expose their own resource-level IAM, so a pipeline's service account can be scoped to exactly the data it touches.Trap Granting a broad project-level role like Editor to satisfy a request that only needs read access on a single dataset, which silently exposes every other resource in the project.
- IAM roles inherit downward, so the binding level is the blast radius
An IAM allow policy set on an organization, folder, or project is inherited by every resource beneath it, so the level you bind a role at, not just the role you pick, decides how far it reaches. A role on the production folder applies to every project under it. This is why putting development and production in separate folders/projects is a real security control: a grant scoped to one environment cannot touch the other.
Trap Granting a role at the organization or folder to fix one project's access, which silently propagates the permission to every project below that node.
- An IAM deny policy is evaluated before allow and overrides any grant
Allow policies are additive only and can never subtract a permission, so the way to guarantee a block is an IAM deny policy attached at organization, folder, or project. IAM evaluates deny rules before allow rules, so a matching deny blocks the permission regardless of any role granted, including an inherited Owner. A deny applies when its condition is true or cannot be evaluated, and
exceptionPrincipalscarves out break-glass identities.Trap Trying to revoke an over-broad permission by adding more allow grants; allow is additive and never removes the original, so only a deny policy actually blocks it.
- Prefer uniform bucket-level IAM over per-object ACLs for data-lake buckets
Cloud Storage can control access either with bucket-level uniform IAM or with legacy per-object ACLs, but mixing them makes access unauditable. For a bucket backing a data lake, enable uniform bucket-level access so all access is governed by IAM at the bucket, which is consistent with how datasets are governed and far easier to reason about than thousands of per-object ACLs.
Trap Leaving per-object ACLs enabled on a data-lake bucket, which scatters access decisions across objects and defeats a single auditable IAM policy.
- All data is encrypted at rest by default; the choice is who owns the key
Google Cloud encrypts all customer data at rest automatically with AES-256 using envelope encryption (a data encryption key wrapped by a key encryption key), with no action required. Encryption is therefore never the design decision; key ownership is. The question on the exam is whether Google-managed keys suffice or a regulator requires customer-controlled keys.
- Use CMEK in Cloud KMS when you must rotate, disable, or destroy the key
Customer-managed encryption keys (CMEK) put the key encryption key under your control in Cloud KMS, so you can rotate it on a schedule, disable it, and destroy it. Destroying or disabling the CMEK makes the protected data permanently unreadable, which is crypto-shredding. Choose CMEK when a regulator demands auditable key control or rotation; default Google-managed keys are simpler and add no Cloud KMS availability dependency when no such requirement exists.
Trap Adopting CMEK purely to be more secure when no requirement exists; data is already AES-256 encrypted, and CMEK only adds key lifecycle work and a dependency on Cloud KMS availability.
6 questions test this
- Your organization is migrating 300 TB of sensitive healthcare data to Google Cloud using Transfer Appliance. Your security team requires…
- Your organization uses BigQuery with customer-managed encryption keys (CMEK) to encrypt sensitive data. You are implementing a disaster…
- Your organization is migrating 200 terabytes of healthcare data containing PHI to Google Cloud using Transfer Appliance. Security…
- Your company wants to implement crypto-shredding capabilities for customer data stored in Cloud Storage and BigQuery. This approach should…
- Your company has implemented CMEK encryption for a critical BigQuery dataset containing customer financial data. During a security incident…
- Your healthcare organization is planning a petabyte-scale data migration to Google Cloud using Transfer Appliance. Your security team…
- CMEK keys live in Cloud KMS; CSEK keys are supplied per request and never stored
Both let the customer control the key, but they differ in storage. CMEK keys are created and managed inside Cloud KMS (Google stores the wrapped key). Customer-supplied encryption keys (CSEK) are raw keys passed with each request that Google uses then discards and never stores, so losing a CSEK loses the data with no recovery. CSEK shifts all key custody to you; CMEK keeps Cloud KMS lifecycle features.
Trap Assuming Google can recover data protected with CSEK; the key is never stored, so a lost CSEK is unrecoverable, unlike a CMEK held in Cloud KMS.
- Cloud HSM gives a FIPS 140-2 Level 3 key; Cloud EKM keeps the key off Google Cloud
When a control mandates a hardware-backed key, Cloud HSM stores the CMEK in a cluster of FIPS 140-2 Level 3 certified hardware security modules. When the key must live entirely outside Google Cloud, Cloud EKM (External Key Manager) keeps it in a third-party key manager that Cloud KMS calls out to. Plain CMEK is a software-protected key in Cloud KMS, the default tier when neither hardware certification nor external custody is required.
Trap Reaching for Cloud EKM when the requirement is only a hardware-backed key; FIPS 140-2 Level 3 is satisfied by Cloud HSM inside Google Cloud, and EKM is for keeping the key outside Google entirely.
- Set CMEK at the BigQuery dataset level so new tables inherit it
Rather than configuring a key per table, set a default CMEK on the BigQuery dataset and new tables created in it inherit that key. In Cloud Storage the equivalent is a default CMEK on the bucket. This makes key control a one-time dataset/bucket configuration instead of a per-object task that someone will forget.
- Use Sensitive Data Protection to discover and de-identify PII across services
Sensitive Data Protection (formerly Cloud DLP) scans BigQuery, Cloud Storage, and Datastore, and can inspect streaming content, matching built-in infoTypes such as credit-card number or national ID. It then de-identifies findings by masking, redaction, bucketing (generalizing a value, for example an exact age to a range), date shifting, or tokenization. Reach for it when sensitive data spans services or needs a bulk de-identification job, because the protection acts on the values themselves and survives an export.
Trap Relying on IAM alone to protect PII; IAM only controls who opens the table, but the raw values remain exposed once they appear in a query result or export.
5 questions test this
- Your data engineering team needs to discover and classify sensitive data across BigQuery tables in multiple projects within your…
- Your organization uses Dataplex Universal Catalog to manage metadata across multiple BigQuery datasets containing customer information. You…
- Your retail company needs to protect customer PII in a streaming data pipeline before loading into BigQuery for analytics. The pipeline…
- Your data engineering team needs to create a reusable pipeline that scans CSV files uploaded to Cloud Storage for PII, de-identifies the…
- A healthcare company needs to de-identify patient records stored in BigQuery for research purposes while complying with HIPAA requirements.…
- Tokenization swaps a value for a consistent token without exposing the raw data
Tokenization (pseudonymization) in Sensitive Data Protection replaces a sensitive value with a token while preserving a consistent mapping, so the same input always produces the same token and records can still be joined or grouped by it. Unlike redaction or masking, the original can be recovered when the cryptographic or format-preserving method allows re-identification by an authorized party. Use it when analysts must work with the data but never see the real identifiers.
Trap Treating tokenization as the same as masking or redaction; those destroy the value, while tokenization keeps a reversible, consistent mapping for re-identification.
3 questions test this
- Your financial services company stores customer data including credit card numbers, social security numbers, and names in BigQuery tables.…
- Your healthcare organization needs to de-identify patient records before sharing them with a research partner. The data includes Social…
- Your healthcare organization needs to share patient records with a third-party research partner for analytics. The data contains social…
- BigQuery column-level security gates sensitive columns with policy tags
BigQuery column-level security tags sensitive columns with policy tags from Data Catalog and grants the Fine-Grained Reader role only to principals allowed to read them; everyone else simply cannot select the tagged column. This restricts access per column without copying the table or building separate views, keeping one governed source of truth in the warehouse.
- BigQuery dynamic data masking returns obscured values by role at query time
Dynamic data masking builds on policy tags to return an obfuscated value at query time based on the caller role, so the same query shows real data to a privileged role and masked data to others, with no second copy of the table. A caller with the BigQuery Masked Reader role sees the masked value while a Fine-Grained Reader sees the real one, and the masking rule can nullify the column, return a default for its type, or hash it (SHA-256). Choose masking over plain column-level security when lower-privileged users still need to run the query but must not see the real values.
Trap Creating duplicate masked copies or separate views per audience to hide columns, when dynamic data masking returns role-appropriate values from the single table at query time.
- A BigQuery dataset's location is fixed at creation and cannot be changed
You choose a dataset's location (a region or multi-region) when you create it, and it cannot be changed afterward; relocating data means creating a new dataset in the target location and copying. Because all tables in a dataset inherit its location, dataset location is the lever for data residency, and queries cannot join tables across locations.
Trap Assuming a dataset can be moved to another region after creation; the location is immutable, so residency must be decided up front or the dataset recreated and copied.
- Enforce residency with an Organization Policy resource-location constraint
Setting locations per dataset is not enough at scale because a team can still create resources in the wrong region. The Organization Policy resource-location constraint, set at the organization or folder, forces every project below to provision resources only in allowed regions, turning residency from advisory into enforced. Organization Policy governs what configuration is allowed (the what) while IAM governs who can act (the who); a constraint inherits to all descendants of the node it is set on.
Trap Trusting each team to pick the right region instead of setting a resource-location org policy; without the constraint nothing prevents provisioning outside the required jurisdiction.
- Use Assured Workloads only when location, access, and personnel controls are all required
When a requirement is residency alone, a resource-location Organization Policy is sufficient and far lighter. Assured Workloads is for scenarios that need location AND access AND personnel guarantees together, such as an EU Data Boundary that also restricts which Google support staff may act, enforced through control packages tied to specific compliance regimes. Reach for it only when those combined guarantees are stated, not for plain residency.
Trap Reaching for Assured Workloads when only data residency is needed; a resource-location org policy already pins the region, and Assured Workloads adds heavier access and personnel controls you were not asked for.
- VPC Service Controls blocks cross-perimeter API access even with valid IAM
A VPC Service Controls service perimeter surrounds projects and their Google-managed services: communication inside is free and communication across the boundary is blocked by default. It is context-based and independent of IAM, so a caller holding valid IAM permissions is still denied across the perimeter, which makes it the data-exfiltration control. Controlled exceptions are ingress and egress rules, and dry-run mode logs would-be blocks before enforcing.
Trap Expecting VPC Service Controls to filter packet-level VM traffic; it governs Google API access such as a BigQuery API call, while VPC firewall rules handle network packets between VMs.
8 questions test this
- Your organization is planning to deploy VPC Service Controls to protect BigQuery datasets containing sensitive customer data. Before…
- Your data engineering team is preparing to enable VPC Service Controls for a production environment containing critical BigQuery datasets…
- Your company uses Shared VPC with a host project providing network resources and multiple service projects containing BigQuery datasets and…
- Your enterprise stores sensitive customer data in BigQuery and Cloud Storage. Security requires you to prevent data exfiltration while…
- Your company operates a Shared VPC environment where the host project contains the VPC network and service projects contain BigQuery…
- Your organization stores sensitive financial data in BigQuery and Cloud Storage within a Google Cloud project. The security team requires…
- Your organization stores highly sensitive financial data in BigQuery and Cloud Storage. You need to implement VPC Service Controls to…
- You are designing a VPC Service Controls perimeter to protect BigQuery datasets containing sensitive customer data. Your organization…
- Separate development and production into different projects
Putting development and production in separate Google Cloud projects ensures a test job can never read or corrupt production data and that IAM, quotas, billing, and audit logs are scoped cleanly per environment. A folder per environment lets one inherited IAM and Organization Policy set govern every project beneath it, so controls and isolation are applied once at the folder rather than reconfigured per project.
Trap Sharing one project across dev and prod to save setup, which lets test workloads reach production data and entangles billing, quotas, and audit logs across environments.
- Model datasets and tables so the IAM boundary matches how teams share data
Because dataset-level grants are the natural BigQuery IAM boundary, group tables into datasets along the lines teams actually share data, so access is granted by dataset rather than clawed back table by table. A dataset per team or per sensitivity tier keeps the grant simple and auditable, whereas one giant dataset forces fine-grained exceptions that drift over time.
- Block service-account keys org-wide with iam.disableServiceAccountKeyCreation and override per project
Enforce constraints/iam.disableServiceAccountKeyCreation at the organization level to stop anyone from creating long-lived service-account keys, regardless of their IAM permissions; pair it with iam.automaticIamGrantsForDefaultServiceAccounts to stop default service accounts getting Editor automatically. Both are enforced by default for organizations created after May 3, 2024. Grant emergency exceptions by overriding the constraint with enforcement disabled on a specific project, not by loosening IAM.
Trap Reaching for IAM role tweaks or written policy to stop key creation when only an organization policy constraint can block it across all current and future projects.
4 questions test this
- Your organization has multiple development projects where engineers have Owner or Editor roles. Security policy requires that service…
- Your enterprise has strict data governance requirements that prohibit the creation of service account keys for data pipeline…
- Your organization recently created a new Google Cloud organization and is setting up data pipelines. The security team wants to prevent the…
- Your organization recently established a new Google Cloud organization. The security team wants to prevent teams from creating service…
- Grant the service agent CryptoKey Encrypter/Decrypter on the key, and keep KMS in its own project
To protect BigQuery (or Cloud Storage) with a CMEK key, grant that product's service account roles/cloudkms.cryptoKeyEncrypterDecrypter on the Cloud KMS key before creating the resource. Hosting the key in a separate, dedicated KMS project gives separation of duties so key administrators are not the same principals that use the key in workloads.
Trap Granting the human user or workload identity the encrypt/decrypt role instead of the product's own service agent, which is the principal BigQuery actually uses to call KMS.
3 questions test this
- Your company is implementing customer-managed encryption keys (CMEK) to protect data in BigQuery. You need to configure the necessary…
- Your company stores sensitive financial data in BigQuery and must comply with regulatory requirements mandating customer-managed encryption…
- Your company stores sensitive financial data in BigQuery and requires encryption using customer-managed keys. You need to enable CMEK…
- A CMEK key ring must sit in the exact same location as the resource it protects
Cloud KMS requires the key ring's location to match the data's location: a US multi-region BigQuery dataset or bucket needs a key ring in the US multi-region, and a us-east1 bucket needs a key ring in us-east1. A multi-region resource cannot use a regional key, and a regional resource cannot borrow a key from another region.
Trap Creating one regional key ring (e.g. us-central1) and trying to reuse it for buckets or datasets in other regions or multi-regions.
3 questions test this
- A global retail company stores inventory data in a BigQuery dataset located in the US multi-region. The company wants to implement…
- Your company stores sensitive financial data in BigQuery and requires encryption using customer-managed keys. You need to enable CMEK…
- Your organization stores sensitive healthcare data in Cloud Storage buckets across multiple regions. You are implementing CMEK encryption…
- Rotating a CMEK key does not re-encrypt existing data
Key rotation only creates a new primary version for future writes. Existing BigQuery tables keep the key version they were created with, and existing Cloud Storage objects keep their original version; only newly created tables/objects use the new version. To move existing data onto the latest version you must explicitly re-encrypt it (e.g. bq update with --destination_kms_key, or copying the data with the new key specified).
Trap Assuming automatic rotation re-encrypts old tables and satisfies a compliance requirement for current-version encryption without any further action.
4 questions test this
- Your company stores sensitive financial data in BigQuery tables using customer-managed encryption keys (CMEK) from Cloud KMS. Your…
- Your financial services company uses BigQuery for analytics and Cloud Storage for data lake storage. You have implemented CMEK encryption…
- Your organization has implemented CMEK using Cloud KMS for both BigQuery tables and Cloud Storage buckets. Your security team has set up…
- Your company has implemented customer-managed encryption keys (CMEK) using Cloud KMS for all BigQuery datasets. Your security team requires…
- Mandate CMEK for a service with restrictNonCmekServices, and pin the key project with restrictCmekCryptoKeyProjects
Add a service such as bigquery.googleapis.com to the Deny list of constraints/gcp.restrictNonCmekServices and any resource created in that service without a CMEK key is rejected, while existing resources stay accessible. Combine it with constraints/gcp.restrictCmekCryptoKeyProjects to require that the keys come only from an approved KMS project.
Trap Trying to force CMEK with IAM permissions or per-table settings instead of the organization policy constraint that fails non-CMEK resource creation.
3 questions test this
- Your data engineering team manages a BigQuery data warehouse that stores customer PII across multiple datasets. Your security policy…
- Your organization wants to enforce the use of customer-managed encryption keys (CMEK) for all new BigQuery resources across multiple…
- Your company needs to enforce that all new BigQuery resources in a specific project are protected with customer-managed encryption keys…
- BigQuery Data Access audit logs are on by default and cannot be disabled
Unlike most services where Data Access audit logs are off until you enable them, BigQuery's Data Access logs are always on and immutable, giving immediate who-accessed-what-and-when visibility. For org-wide compliance, route them with an organization-level aggregated sink using --include-children so current and future projects are covered, and remember Admin Activity and System Event logs live in the _Required bucket with a fixed 400-day retention.
Trap Enabling Data Access logs for BigQuery from scratch (or assuming they are off) when they are already capturing access by default.
3 questions test this
- Your enterprise is implementing a data governance program across Google Cloud and must track all data access activities across BigQuery…
- Your healthcare organization operates across 50 Google Cloud projects within a single organization. You must centralize all audit logs from…
- Your financial services company must track all data access to BigQuery tables containing customer financial data. Auditors require records…
- Use ingress rules for inbound partner access and a single common perimeter for the strongest exfiltration defense
VPC Service Controls ingress rules let outside principals (e.g. a partner project/service account) reach protected resources, scoped down to specific identities and read-only methods; access levels in Access Context Manager add IP-range and device-trust conditions. For maximum exfiltration protection with least overhead, prefer one common unified perimeter over many small perimeters, and diagnose blocks with the VPC-SC troubleshooter using the unique ID in the denial.
Trap Using an egress rule (outbound) when the requirement is to let an external partner read in, which is what an ingress rule controls.
6 questions test this
- Your data engineering team needs to share BigQuery datasets with an external partner organization while protecting against data…
- Your company operates a Shared VPC environment where the host project contains the VPC network and service projects contain BigQuery…
- A data engineer reports that a scheduled Dataflow job loading data from Cloud Storage to BigQuery has started failing with the error…
- Your company is deploying VPC Service Controls to protect BigQuery datasets and Cloud Storage buckets containing financial data. Multiple…
- Your data analytics team needs to access BigQuery datasets protected by VPC Service Controls from the corporate network and from managed…
- You are designing a VPC Service Controls perimeter to protect BigQuery datasets containing sensitive customer data. Your organization…
- Service Account User attaches a SA to a resource; Token Creator mints short-lived credentials to impersonate it
Grant roles/iam.serviceAccountUser on a service account so a developer can attach it to a job (like Dataflow) without being able to create, delete, or modify the account. Grant roles/iam.serviceAccountTokenCreator when someone must impersonate the account to generate short-lived credentials, for example to test locally as a production pipeline's identity without holding standing access to production data.
Trap Granting Token Creator when the user only needs to run a job under a service account, or handing out a downloaded service-account key instead of impersonation.
Also tested in
- AIF-C01 AWS Certified AI Practitioner AIF-C01
- DVA-C02 AWS Certified Developer - Associate
- SAP-C02 AWS Certified Solutions Architect - Professional
- CDL Cloud Digital Leader
- CDL Cloud Digital Leader
- PCA Professional Cloud Architect
- PCA Professional Cloud Architect
- CISSP Certified Information Systems Security Professional
References
- IAM overview
- Customer-managed encryption keys (CMEK)
- Sensitive Data Protection overview
- Organization Policy Service overview
- VPC Service Controls overview
- Cloud Storage access control
- IAM deny policies overview
- Default encryption at rest
- Cloud HSM
- BigQuery column-level security
- BigQuery dynamic data masking
- Assured Workloads overview