GCP Professional Cloud Architect Practice Question
Your healthcare analytics team is moving a new application to Google Cloud. Patient records will arrive via HTTPS to a private GKE cluster, be archived in Cloud Storage, and later analyzed in BigQuery. No customer-managed or customer-supplied encryption keys, VPNs, or additional network controls have been planned. During a security review an external auditor asks how these data will be protected while stored and while travelling between Google services and data centers under this default design. Which statement accurately addresses the auditor's concern?
Cloud Storage provides default encryption, but BigQuery tables are left unencrypted unless you explicitly enable customer-managed encryption keys for every dataset.
Google Cloud encrypts all customer data at rest with Google-managed AES keys and secures data in transit on both public TLS connections and Google's internal backbone by default, so no extra configuration is required for baseline encryption.
Customer data is stored in plaintext unless Cloud KMS with customer-supplied keys is enabled, and network traffic remains unencrypted unless a Cloud VPN tunnel is configured.
Traffic inside individual Google data centers is encrypted, but inter-region traffic travels unencrypted unless you create Private Service Connect endpoints and use Dedicated Interconnect.
Google Cloud automatically applies multiple, transparent layers of encryption without requiring any customer action. All data written to Cloud Storage, BigQuery, and other persistent storage systems is encrypted at rest with Google-managed keys (currently using AES-256 or AES-128 data-encryption keys wrapped by regularly rotated key-encryption keys). For data in transit, Google enforces encryption on traffic between customers and Google services using TLS and also encrypts all traffic between Google data centers and within Google's private backbone. Therefore, baseline encryption objectives are met even if the project team does not configure CMEK/CSEK, VPNs, or additional network controls. The alternative statements are incorrect because: they claim data is stored in plaintext (it is not), state that BigQuery is unencrypted by default (it is encrypted), or assert that inter-region traffic on Google's backbone is unencrypted (it is also encrypted by default).
GCP Professional Cloud Architect
Designing for security and compliance