GCP Professional Cloud Security Engineer Practice Question

A fintech company runs several non-PCI workloads in a Google Cloud project. You must deploy a new GKE-based payment-processing microservice that will form the PCI-DSS Cardholder Data Environment (CDE). Requirements:

Isolate all CDE resources from existing workloads.
Allow the microservice to call an internal Cloud Run API only-no other projects or internet egress.
Minimize ongoing operational effort. Which design best satisfies these constraints?

Keep the microservice in the existing project, place it in a separate GKE namespace, apply Kubernetes NetworkPolicies to allow only egress to the Cloud Run API, and protect the service with Cloud Armor.
In the existing project, create a standalone VPC for the microservice, disable VPC peering, and rely solely on custom firewall rules to prevent traffic to other networks.
Create a new project under a PCI-specific folder, attach it as a service project to a dedicated Shared VPC host for PCI workloads, allow only required traffic to the Cloud Run service via firewall rules, and place both projects in a VPC Service Controls perimeter to mitigate cross-project and internet egress.
Enable Private Service Connect so the GKE cluster can privately invoke the Cloud Run API, use IAM conditions to limit access, and deploy all components in the same project and VPC.

Report Issue

Answer Description

The optimal design starts by creating a separate project for the payment-processing workload inside a folder that enforces PCI-specific Organization Policies, giving it an independent administrative and billing boundary. Connecting this service project to a dedicated PCI Shared VPC host lets a central networking team manage routes and firewall rules while the CDE retains its own isolated subnets. Egress and inter-subnet firewall rules are configured to allow traffic solely to the internal Cloud Run service and to deny all other outbound paths, including the internet. Finally, the GKE service project and the Cloud Run project are placed in the same VPC Service Controls perimeter, which helps prevent data exfiltration through Google-managed services to resources outside the perimeter. Alternative approaches either keep PCI and non-PCI workloads in the same project, omit a service perimeter, or rely only on NetworkPolicies, Private Service Connect, or basic firewall rules-measures that do not fully address PCI-DSS segmentation and exfiltration requirements with low operational overhead.

Ask Bash

Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.