GCP Professional Cloud Architect Practice Question

A fintech startup stores daily batches of customer-support call recordings (audio files) in a Cloud Storage bucket. Compliance policy requires that:

The original recordings must be retained for 7 years but only the security team may access them.
Analysts need daily transcripts that have all credit-card numbers and phone numbers removed so they can run SQL queries for product-quality insights in BigQuery.
The solution should minimize operational overhead and avoid custom code where possible. Which design best satisfies these requirements?

Create a Cloud Function that triggers on new objects, downloads each file, runs custom regular-expression parsing to remove PII, uploads the scrubbed file to another bucket, and periodically exports the data to BigQuery via scheduled scripts.
Schedule a weekly Dataprep job that analysts run manually to download the recordings, apply masking recipes, and reload the sanitized data into BigQuery, while retaining the source files in Standard Storage with public read disabled.
Use Cloud Composer to call an on-premises masking service that processes the recordings, then pushes both raw and redacted versions back to separate Cloud Storage buckets protected by VPC Service Controls for analyst access.
Store raw recordings in a locked-down Cloud Storage bucket with 7-year Nearline lifecycle; configure a Cloud Storage finalize event to trigger a Cloud DLP job that uses stored inspection and de-identification templates to redact credit-card and phone numbers and write sanitized transcripts to BigQuery for analyst access.

Report Issue

Answer Description

Creating a Cloud DLP job trigger that is automatically invoked by Cloud Storage notifications meets all stated goals with the least ongoing effort. The trigger uses pre-defined inspection and de-identification templates to locate credit-card numbers and phone numbers in the uploaded recordings' transcripts and to redact or tokenize them. It writes the sanitized results directly to a BigQuery table that analysts can query. The original audio remains in the raw bucket, where an IAM policy limits access to the security team, and a lifecycle rule moves objects to Nearline after 30 days for cheaper long-term retention. This approach is fully managed, requires no custom parsing code or external schedulers, and runs automatically each time new data lands. The other options introduce unnecessary complexity (custom regex in Cloud Functions), higher operational burden (manually scheduled Dataprep jobs), or off-platform processing (on-prem scrubbing), and none provide the same combination of automated inspection, de-identification, secure retention, and low maintenance.

Ask Bash

Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.