GCP Professional Cloud Security Engineer Practice Question
A fintech company runs several non-PCI workloads in a Google Cloud project. You must deploy a new GKE-based payment-processing microservice that will form the PCI-DSS Cardholder Data Environment (CDE). Requirements:
Isolate all CDE resources from existing workloads.
Allow the microservice to call an internal Cloud Run API only; no other projects or internet egress.
Minimize ongoing operational effort.
Which design best satisfies these constraints?
Keep the microservice in the existing project, place it in a separate GKE namespace, apply Kubernetes NetworkPolicies to allow only egress to the Cloud Run API, and protect the service with Cloud Armor.
In the existing project, create a standalone VPC for the microservice, disable VPC peering, and rely solely on custom firewall rules to prevent traffic to other networks.
Enable Private Service Connect so the GKE cluster can privately invoke the Cloud Run API, use IAM conditions to limit access, and deploy all components in the same project and VPC.
Create a new project under a PCI-specific folder, attach it as a service project to a dedicated Shared VPC host for PCI workloads, allow only required traffic to the Cloud Run service via firewall rules, and place both projects in a VPC Service Controls perimeter to mitigate cross-project and internet egress.
The optimal design starts by creating a separate project for the payment-processing workload inside a folder that enforces PCI-specific Organization Policies, giving it an independent administrative and billing boundary. Connecting this service project to a dedicated PCI Shared VPC host lets a central networking team manage routes and firewall rules while the CDE retains its own isolated subnets. Egress and inter-subnet firewall rules are configured to allow traffic solely to the internal Cloud Run service and to deny all other outbound paths, including the internet. Finally, the GKE service project and the Cloud Run project are placed in the same VPC Service Controls perimeter, which helps prevent data exfiltration through Google-managed services to resources outside the perimeter. Alternative approaches either keep PCI and non-PCI workloads in the same project, omit a service perimeter, or rely only on NetworkPolicies, Private Service Connect, or basic firewall rules, measures that do not fully address PCI-DSS segmentation and exfiltration requirements with low operational overhead.
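As an added example (not part of the original question or its answer key), the core of the correct design expressed in Terraform: the CDE project attached to the PCI Shared VPC host, egress allowed only towards the restricted Google APIs VIP that serves internal Cloud Run endpoints, everything else denied, and both projects inside one VPC Service Controls perimeter. All var.* values, the network name "pci-vpc" and the region-free resource names are placeholders.

```hcl
# Added example: every var.* value and the network name are placeholders, not values from the question.
variable "host_project_id"         {}
variable "cde_project_id"          {}
variable "access_policy_id"        {}
variable "cde_project_number"      {}
variable "cloudrun_project_number" {}

# Attach the new CDE project as a service project of the dedicated PCI Shared VPC host.
resource "google_compute_shared_vpc_service_project" "cde" {
  host_project    = var.host_project_id
  service_project = var.cde_project_id
}

# Egress for the whole PCI VPC: allow only TCP/443 to the restricted.googleapis.com VIP
# (199.36.153.4/30), which internal Cloud Run endpoints are reached through; deny all else.
resource "google_compute_firewall" "allow_egress_restricted_apis" {
  project            = var.host_project_id
  name               = "pci-allow-egress-restricted-apis"
  network            = "pci-vpc"
  direction          = "EGRESS"
  priority           = 1000
  destination_ranges = ["199.36.153.4/30"]
  allow {
    protocol = "tcp"
    ports    = ["443"]
  }
}

resource "google_compute_firewall" "deny_all_egress" {
  project            = var.host_project_id
  name               = "pci-deny-all-egress"
  network            = "pci-vpc"
  direction          = "EGRESS"
  priority           = 65000
  destination_ranges = ["0.0.0.0/0"]
  deny {
    protocol = "all"
  }
}

# One VPC Service Controls perimeter around both projects, so Google-managed APIs cannot move data out.
resource "google_access_context_manager_service_perimeter" "pci_cde" {
  parent         = "accessPolicies/${var.access_policy_id}"
  name           = "accessPolicies/${var.access_policy_id}/servicePerimeters/pci_cde"
  title          = "pci_cde"
  perimeter_type = "PERIMETER_TYPE_REGULAR"
  status {
    resources           = ["projects/${var.cde_project_number}", "projects/${var.cloudrun_project_number}"]
    restricted_services = ["run.googleapis.com", "container.googleapis.com", "storage.googleapis.com"]
  }
}
```

The subnet with Private Google Access enabled and the private DNS zone that resolves Google API and run.app names to the 199.36.153.4/30 range are also needed for the allow rule to be usable; they are omitted here for brevity.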
Supporting compliance requirements