GCP Professional Cloud Security Engineer Practice Question
A healthcare company builds a Vertex AI pipeline that trains a model on sensitive patient data stored in a CMEK-encrypted BigQuery dataset. Security policy requires:
All data in Vertex AI to remain protected by the customer-managed key.
Access to the pipeline and model artifacts must not traverse the public internet.
Only the data scientists' service account should be able to invoke prediction.
Which architecture meets all requirements with the least operational overhead?
Run training on Confidential VMs that write checkpoints to a CMEK Cloud Storage bucket, then upload the model to a Cloud Run service reachable only through an internal load balancer. Restrict access with IAM on Cloud Run.
Enable VPC Service Controls around the project, train with default encryption, and deploy the model to a public Vertex AI endpoint protected by OAuth token-based prediction requests from the service account.
Export the BigQuery data to CMEK-encrypted Cloud Storage, train locally on the data scientists' workstations, and serve the model from a Compute Engine instance that allows ingress only from trusted IP ranges.
Create a CMEK-enabled custom training job and deploy the resulting model to a CMEK-enabled Vertex AI endpoint behind Private Service Connect. Grant the Vertex AI Service Agent the key role and give only the data-scientist service account the Vertex AI Endpoint Invoker role.
Using CMEK-enabled Vertex AI custom training and online prediction keeps all intermediate artifacts-including container images, model checkpoints, and endpoint traffic-encrypted with the customer-managed key. Combining this with Private Service Connect confines control-plane and data-plane traffic to Google's backbone, satisfying the 'no public internet' mandate without having to create and manage a full service perimeter. IAM on the endpoint restricts invocation to the designated service account.
Authorized networks do not apply to managed PaaS services like Vertex AI; VPC-SC could meet the network requirement but is more complex to set up and maintain than PSC when only a single project is involved. Uploading the trained model to Cloud Storage and serving it from a Compute Engine instance would forfeit managed CMEK propagation and add VM patching overhead.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
What is CMEK and why is it important in this setup?
Open an interactive chat with Bash
What is Private Service Connect (PSC) and how does it restrict public internet access?
Open an interactive chat with Bash
What role does IAM play in securing access to the Vertex AI endpoint?
Open an interactive chat with Bash
What is CMEK and why is it used in Vertex AI pipelines?
Open an interactive chat with Bash
How does Private Service Connect help in meeting the 'no public internet' policy requirement?
Open an interactive chat with Bash
Why is granting the Vertex AI Endpoint Invoker role only to the data scientists' service account important?
Open an interactive chat with Bash
GCP Professional Cloud Security Engineer
Ensuring data protection
Your Score:
Report Issue
Bash, the Crucial Exams Chat Bot
AI Bot
Loading...
Loading...
Loading...
Pass with Confidence.
IT & Cybersecurity Package
You have hit the limits of our free tier, become a Premium Member today for unlimited access.
Military, Healthcare worker, Gov. employee or Teacher? See if you qualify for a Community Discount.
Monthly
$19.99
$19.99/mo
Billed monthly, Cancel any time.
3 Month Pass
$44.99
$14.99/mo
One time purchase of $44.99, Does not auto-renew.
MOST POPULAR
Annual Pass
$119.99
$9.99/mo
One time purchase of $119.99, Does not auto-renew.
BEST DEAL
Lifetime Pass
$189.99
One time purchase, Good for life.
What You Get
All IT & Cybersecurity Package plans include the following perks and exams .