GCP Professional Cloud Architect Practice Question
Your company, a German financial-services provider, is migrating its on-premises analytics stack to Google Cloud. Regulators require that all customer data and the keys that encrypt it remain within the European Union. Data scientists must be able to spin up new projects on demand without opening support tickets. The target architecture uses BigQuery for analytics and Cloud Storage for raw data, both protected with Cloud KMS customer-managed keys (CMEK). Which approach best satisfies the data-sovereignty mandate while letting teams create new projects autonomously?
Rely on Google-managed encryption keys, create all BigQuery datasets in the EU multi-region, and enable VPC Service Controls to block access from non-EU IP ranges.
Publish a project creation template that pre-selects europe-west3 for new resources and enables object versioning on Cloud Storage; allow teams to adjust regions if needed.
Create Cloud KMS key rings in us-central1, use them to encrypt BigQuery datasets and Cloud Storage buckets located in the EU multi-region, and restrict network egress with firewall rules.
Set the organization-wide constraint "constraints/gcp.resourceLocations" to allow only the EU multi-region and europe-west* regions; create Cloud KMS key rings in an EU region and enforce CMEK usage for BigQuery and Cloud Storage; place all analytics projects in a VPC Service Controls perimeter.
Regulatory data-sovereignty requirements are met only when both the data and the CMEK key material stay inside the EU. Enforcing the Organization Policy constraint "constraints/gcp.resourceLocations" to EU locations prevents any resource, including BigQuery datasets and Cloud Storage buckets, from being created outside the union, even by future projects. Requiring CMEK for BigQuery and Cloud Storage, together with key rings created in an EU region such as europe-west3, guarantees that encryption keys are also resident in the EU. VPC Service Controls further guard against accidental data egress but do not by themselves stop resources or keys from being created in other regions. Relying on Google-managed keys or using CMEK key rings in non-EU regions violates the residency requirement. Simply setting default regions in project templates is insufficient because users could override them unless an organization policy enforces the constraint.
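The two residency checks from the explanation (resource location and CMEK key location), written as a small audit over an inventory. This is an added example, not part of the original question or any Google tool; the record fields (`location`, `kms_key`), the project, key ring and key names, and the inventory itself are constructed, and the EU allow-list mirrors the one in the correct answer.

```python
import re

# Assumption: allow-list mirrors the correct answer (EU multi-region + europe-west*).
EU_LOCATION = re.compile(r"^(eu|europe|europe-west\d+)$", re.IGNORECASE)
# Cloud KMS key resource name; group 1 is the key ring's location.
KMS_KEY = re.compile(r"^projects/[^/]+/locations/([^/]+)/keyRings/[^/]+/cryptoKeys/[^/]+$")

EU_KEY = "projects/example-proj/locations/europe-west3/keyRings/example-ring/cryptoKeys/example-key"
US_KEY = "projects/example-proj/locations/us-central1/keyRings/example-ring/cryptoKeys/example-key"

# Constructed inventory: one compliant resource, then one per rejected answer option.
INVENTORY = [
    {"name": "bq-dataset-compliant", "location": "EU", "kms_key": EU_KEY},
    {"name": "bucket-us-key-ring", "location": "EU", "kms_key": US_KEY},
    {"name": "bq-dataset-google-managed", "location": "EU", "kms_key": None},
    {"name": "bucket-region-overridden", "location": "us-east1", "kms_key": EU_KEY},
]

def in_eu(location):
    return bool(EU_LOCATION.match(location))

def audit(resource):
    """Return the residency findings for one inventory record (empty if compliant)."""
    findings = []
    if not in_eu(resource["location"]):
        findings.append("resource outside EU: " + resource["location"])
    key = resource.get("kms_key")
    if not key:
        findings.append("no CMEK (Google-managed encryption)")
    else:
        match = KMS_KEY.match(key)
        if not match:
            findings.append("unparseable KMS key name")
        elif not in_eu(match.group(1)):
            findings.append("CMEK key outside EU: " + match.group(1))
    return findings

def audit_inventory(inventory):
    """Map each non-compliant resource name to its findings."""
    results = {r["name"]: audit(r) for r in inventory}
    return {name: f for name, f in results.items() if f}

if __name__ == "__main__":
    for name, findings in audit_inventory(INVENTORY).items():
        print(name, "->", "; ".join(findings))
```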
GCP Professional Cloud Architect
Designing for security and compliance