GCP Professional Cloud Security Engineer Practice Question

A Canadian healthcare provider is migrating a diagnostics imaging archive (over 500 TB) to Google Cloud. Regulatory guidance mandates that:

All patient data must remain only within Canada at rest.
Encryption keys must be created, rotated, and deleted exclusively by the provider's security team.
The archive will be accessed by Compute Engine instances running in northamerica-northeast1 (Montréal).

Which solution best satisfies both the data-at-rest residency and encryption requirements while minimizing future compliance risk?

Create a regional Cloud Storage bucket in northamerica-northeast1, protect it with a Cloud KMS CMEK stored in the same region, and enforce an organization policy that restricts resource locations to Canadian regions only.
Create a dual-region NAM4 bucket to gain higher durability, use default Google-managed encryption, and rely on VPC Service Controls to restrict data egress.
Create a regional Cloud Storage bucket in us-central1, encrypt it with a CMEK in a global key ring, and limit access to the bucket using IAM Conditions.
Create a multi-region Cloud Storage bucket in northamerica, encrypt it with Google-managed keys, and access it from Compute Engine.

Report Issue

Answer Description

To keep data resident solely in Canada, the bucket must be placed in a Canadian single region, not a multi-region like northamerica that also stores replicas in the United States. Selecting the Montréal region (northamerica-northeast1) ensures data never leaves the country. To meet the "customer-managed keys only" requirement, the bucket must be protected with a Customer-Managed Encryption Key (CMEK) created in Cloud KMS and located in the same Canadian region. Enforcing the constraints/gcp.resourceLocations Organization Policy on the project or folder prevents any future resource creation outside Canadian regions, eliminating drift that could break compliance.

Other options fail because:

A multi-region bucket (northamerica) replicates data to U.S. regions, violating residency rules.
A U.S. region bucket breaches the "Canada only" mandate even if CMEK is used.
Relying solely on Google-managed encryption keys does not meet the requirement that the provider must create and control keys. Thus, creating a regional bucket in Montréal encrypted with a CMEK stored in the same region-and locking location with an Org Policy-is the only compliant choice.

Ask Bash

Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.