GCP Professional Cloud Security Engineer Practice Question
A German financial-services firm is migrating an on-premises archive that contains sensitive customer personal data to Google Cloud. To satisfy its regulator's guidance and its own risk policy, the firm mandates that the data must remain physically located in Germany so that it is subject only to German jurisdiction. The archive must provide at least 11 nines (99.999999999 %) of annual durability and can tolerate a recovery-point objective of up to 24 hours. Which Google Cloud design will meet all of the firm's data-residency and durability requirements?
Create a Cloud Storage Standard bucket in the europe-west3 (Frankfurt) region, enforce a gcp.resourceLocations policy that permits only europe-west3, and (optionally) store CMEK-protected keys in a Cloud KMS keyring in europe-west3.
Create a Cloud Storage Standard bucket in the Europe multi-region, enforce a gcp.resourceLocations organization policy that allows only europe-west3, and store CMEK keys in europe-west3.
Create a Cloud Storage Standard bucket in dual-region asia-southeast1 and europe-west4, protect it with customer-managed encryption keys (CMEK) stored in europe-west3, and rely on the keys' location to enforce sovereignty.
Create a Cloud Storage Standard bucket in the europe-central2 (Warsaw) region with Turbo Replication and protect access using VPC Service Controls around the project.
Creating a single-region Cloud Storage bucket in europe-west3 (Frankfurt) keeps every replica of the objects within multiple availability zones located in Germany, fulfilling the in-country data-residency mandate. Regional buckets in Cloud Storage provide 99.999999999 % annual durability by automatically storing data redundantly across zones in the selected region, satisfying the archive's durability target and 24-hour RPO. Enforcing the constraints/gcp.resourceLocations organization policy to allow only europe-west3 prevents accidental deployment of resources outside Germany. Protecting the data with Cloud KMS keys that also reside in europe-west3 aligns cryptographic material with the same jurisdiction but is optional for residency. Options that use dual-regions, the Europe multi-region, or the europe-central2 region replicate data outside Germany or place it there directly, violating the firm's sovereignty requirement; VPC Service Controls and CMEK alone cannot guarantee physical data location.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
What is a single-region bucket in Google Cloud Storage?
Open an interactive chat with Bash
What is the `gcp.resourceLocations` organization policy?
Open an interactive chat with Bash
How does Cloud KMS with CMEK improve data security?
Open an interactive chat with Bash
What does '11 nines durability' mean?
Open an interactive chat with Bash
What is a `gcp.resourceLocations` organization policy?
Open an interactive chat with Bash
How does using CMEK improve data security?
Open an interactive chat with Bash
GCP Professional Cloud Security Engineer
Supporting compliance requirements
Your Score:
Report Issue
Bash, the Crucial Exams Chat Bot
AI Bot
Loading...
Loading...
Loading...
Pass with Confidence.
IT & Cybersecurity Package
You have hit the limits of our free tier, become a Premium Member today for unlimited access.
Military, Healthcare worker, Gov. employee or Teacher? See if you qualify for a Community Discount.
Monthly
$19.99
$19.99/mo
Billed monthly, Cancel any time.
3 Month Pass
$44.99
$14.99/mo
One time purchase of $44.99, Does not auto-renew.
MOST POPULAR
Annual Pass
$119.99
$9.99/mo
One time purchase of $119.99, Does not auto-renew.
BEST DEAL
Lifetime Pass
$189.99
One time purchase, Good for life.
What You Get
All IT & Cybersecurity Package plans include the following perks and exams .