GCP Professional Cloud Security Engineer Practice Question
A financial-services firm must train a fraud-detection model on Vertex AI in us-central1. The raw transaction CSVs contain PCI data, and the security team demands that every copy stored in Google Cloud be encrypted with keys the company controls and can disable at any time for crypto-shredding. Data scientists will import the CSVs into a Vertex AI Tabular Dataset and run AutoML training jobs that read the dataset. Which design satisfies the requirements while minimizing ongoing operational work?
Store the CSV files in a Cloud Storage bucket protected by a CMEK key and import them into Vertex AI; the dataset will automatically inherit the bucket's CMEK configuration without further action.
Generate an asymmetric RSA key in Cloud KMS, encrypt the CSV files client-side with the public key before uploading, and disable the key version when crypto-shredding is required.
Use the default Google-managed encryption for Vertex AI resources and configure a retention policy to delete the dataset when no longer needed.
Create a symmetric Cloud KMS key in a key ring located in us-central1, grant the Vertex AI service-agent the Cloud KMS CryptoKey Encrypter/Decrypter role, and pass the key's resource ID in the encryptionSpec when calling the Vertex AI CreateDataset API.
Vertex AI lets you protect a Dataset, Model, or Endpoint with a customer-managed key by passing an encryptionSpec.kmsKeyName field when you invoke the API that creates the resource. The key must be a symmetric Cloud KMS key in the same region as the Vertex AI resource. Vertex AI uses its service agent to access the key, so that principal needs the Cloud KMS CryptoKey Encrypter/Decrypter role. If the key is disabled or destroyed, the dataset and any training jobs that rely on it become unreadable, providing the required crypto-shredding capability.
Default Google-managed encryption does not provide customer control over keys. Vertex AI does not inherit a bucket's CMEK settings; you must explicitly supply an encryptionSpec for the dataset itself. Asymmetric keys cannot be used with CMEK-integrated services, so creating an RSA key would prevent the dataset from being created.
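A pre-flight check for the constraints described above, as an added example that is not part of the original question or any Google tooling: it validates a Cloud KMS key name against the dataset's region and key purpose, then builds the CreateDataset REST request with the encryptionSpec set. It makes no API calls; the project, key ring and key names are constructed samples, and the key purpose is assumed to have been read from the key's Cloud KMS metadata.

```python
import re

# Metadata schema URI that Vertex AI publishes for tabular datasets.
TABULAR_SCHEMA = "gs://google-cloud-aiplatform/schema/dataset/metadata/tabular_1.0.0.yaml"

KEY_NAME_RE = re.compile(
    r"^projects/(?P<project>[^/]+)/locations/(?P<location>[^/]+)"
    r"/keyRings/(?P<ring>[^/]+)/cryptoKeys/(?P<key>[^/]+)$"
)


def check_cmek_key(kms_key_name, key_purpose, region):
    """Return the problems that would break CMEK for a Vertex AI resource in `region`."""
    m = KEY_NAME_RE.match(kms_key_name)
    if not m:
        # Also rejects names ending in /cryptoKeyVersions/N: CMEK takes the key, not a version.
        return ["not a CryptoKey resource name: " + kms_key_name]
    problems = []
    if m.group("location") != region:
        problems.append("key location %s != resource region %s" % (m.group("location"), region))
    if key_purpose != "ENCRYPT_DECRYPT":  # Cloud KMS purpose value for symmetric keys
        problems.append("key purpose %s is not symmetric ENCRYPT_DECRYPT" % key_purpose)
    return problems


def build_create_dataset_request(project, region, display_name, kms_key_name, key_purpose):
    """Build the REST URL and JSON body for datasets.create, refusing an unusable key."""
    problems = check_cmek_key(kms_key_name, key_purpose, region)
    if problems:
        raise ValueError("; ".join(problems))
    url = "https://%s-aiplatform.googleapis.com/v1/projects/%s/locations/%s/datasets" % (
        region, project, region)
    body = {
        "displayName": display_name,
        "metadataSchemaUri": TABULAR_SCHEMA,
        # Without this field the dataset falls back to Google-managed encryption.
        "encryptionSpec": {"kmsKeyName": kms_key_name},
    }
    return url, body


if __name__ == "__main__":
    # Constructed sample values, not taken from the original page.
    key = "projects/example-proj/locations/us-central1/keyRings/ml-ring/cryptoKeys/fraud-ds"
    print(build_create_dataset_request("example-proj", "us-central1", "fraud-txns", key, "ENCRYPT_DECRYPT"))
    print(check_cmek_key(key.replace("us-central1", "us"), "ASYMMETRIC_DECRYPT", "us-central1"))
```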
GCP Professional Cloud Security Engineer
Ensuring data protection