GCP Professional Cloud Security Engineer Practice Question

A financial-services company is creating a responsibility matrix for three Google Cloud workloads: (1) a batch engine on Compute Engine VMs, (2) a web app on App Engine standard environment, and (3) corporate email in Google Workspace. Which security control will the company manage only for the Compute Engine workload, will become Google's responsibility on App Engine, and is already fully handled by Google for Google Workspace?

Turning on and reviewing Access Transparency logs for provider support actions.
Ensuring that Google-managed encryption keys are enabled for data at rest.
Maintaining the physical security and environmental controls of the data centers.
Hardening and regularly patching the guest operating system.

Report Issue

Answer Description

Under Google Cloud's shared responsibility model, guest operating-system hardening and patching is the customer's duty for IaaS offerings such as Compute Engine because the customer controls the VM image and operating system layer. In the App Engine standard environment, Google manages the underlying OS and runtime, so responsibility for OS patching shifts to Google. For SaaS offerings like Google Workspace, Google already manages the entire application stack, including the operating system.

Encrypting data at rest with Google-managed keys and protecting data-center facilities are always Google's responsibilities across IaaS, PaaS, and SaaS, so they do not meet the "Compute Engine only" criterion. Access Transparency must be enabled and monitored by the customer for any eligible service, so that task remains with the customer across all three workloads.

Therefore, guest operating-system hardening and patching is the only control uniquely managed by the customer on Compute Engine but not on App Engine or Google Workspace.

Ask Bash

Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.