GCP Professional Cloud Security Engineer Practice Question
A healthcare company runs a genomics-analysis pipeline on a managed instance group (MIG) of Compute Engine VMs (Debian 11, n1-standard-8). A regulator now requires that all protected health information (PHI) be encrypted not only at rest and in transit but also while it is processed in memory. The engineering team wants to meet this requirement without modifying the application code, does not want to run its own key-management software, and can tolerate up to 10 % additional CPU overhead. Audit logs for administrative actions must remain available. What should the team do?
Integrate an application library such as Google Tink to encrypt and decrypt all PHI in memory before and after every CPU operation.
Move the MIG's disks to CMEK-encrypted persistent disks and mount them on the existing n1-standard-8 instances.
Create a new instance template that enables Confidential compute, switch to a machine type that supports Confidential VMs (for example, n2d-standard-8), and recreate the MIG with that template.
Migrate the workload to Google Kubernetes Engine and enable Shielded GKE Nodes with Workload Identity.
Confidential VMs on Google Cloud use processor-based memory encryption (AMD SEV or Intel TDX) to protect data while it is in use. Enabling the Confidential compute option in an instance template, together with a supported machine type (for example, N2D or C2D), gives every VM the MIG creates hardware memory encryption with no application changes; the existing n1-standard-8 template therefore has to be replaced rather than edited in place. The ephemeral memory-encryption keys are generated and held by the CPU itself, so the team does not have to operate a key-management system. Performance overhead is typically under 10 %, and Cloud Audit Logs continue to record administrative operations exactly as for any other Compute Engine VM. The other options each fail at least one constraint: application-level encryption with a library such as Tink demands code changes, CMEK on persistent disks protects data only at rest, and Shielded GKE Nodes provide boot-time integrity but no memory encryption.
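As an added example that is not part of the practice question or its answer key, the following shell script carries out the chosen option with gcloud: it creates a Confidential VM instance template on n2d-standard-8, rolls the MIG onto it, checks that each replacement VM reports confidential compute enabled, and reads the Admin Activity audit entries that the change produced. The project, zone, MIG and template names are hypothetical placeholders. By default (DRY_RUN=1) the script only prints the gcloud commands; set DRY_RUN=0 to execute them once the placeholders point at real resources.

```shell
#!/bin/sh
# Added example (not from the practice question): move a MIG from an n1 template
# to a Confidential VM template with gcloud. All names below are hypothetical.
set -eu

PROJECT="${PROJECT:-example-phi-project}"       # hypothetical project id
ZONE="${ZONE:-us-central1-a}"
MIG="${MIG:-genomics-mig}"                       # hypothetical MIG name
TEMPLATE="${TEMPLATE:-genomics-cvm-template}"    # hypothetical template name
DRY_RUN="${DRY_RUN:-1}"                          # 1 = print commands, 0 = run them

# Execute a command, or print it prefixed with "+" when DRY_RUN=1.
run() {
  if [ "$DRY_RUN" = 1 ]; then
    printf '+'; printf ' %s' "$@"; printf '\n'
  else
    "$@"
  fi
}

# Flags that differ from the original n1-standard-8 template: an AMD SEV capable
# machine family, the Confidential compute flag, and a TERMINATE host-maintenance
# policy (live migration has not been available for every Confidential VM
# configuration). Debian 11 matches the image the pipeline already runs on.
confidential_template_flags() {
  printf '%s\n' \
    "--machine-type=n2d-standard-8" \
    "--confidential-compute" \
    "--maintenance-policy=TERMINATE" \
    "--image-family=debian-11" \
    "--image-project=debian-cloud"
}

create_template() {
  # word-splitting of the flag list is intended
  run gcloud compute instance-templates create "$TEMPLATE" \
    --project="$PROJECT" $(confidential_template_flags)
}

# A rolling update recreates every VM in the MIG from the new template (a machine
# type change always needs a new VM); --max-unavailable=1 limits lost capacity.
roll_mig() {
  run gcloud compute instance-groups managed rolling-action start-update "$MIG" \
    --project="$PROJECT" --zone="$ZONE" --version=template="$TEMPLATE" \
    --max-unavailable=1
}

# Interpret confidentialInstanceConfig.enableConfidentialCompute as printed by
# `gcloud compute instances describe --format=value(...)`; 0 means confidential.
is_confidential() {
  case "$1" in
    True|true) return 0 ;;
    *) return 1 ;;
  esac
}

verify_instance() {
  name="$1"
  value=$(gcloud compute instances describe "$name" --project="$PROJECT" \
    --zone="$ZONE" --format='value(confidentialInstanceConfig.enableConfidentialCompute)')
  if is_confidential "$value"; then
    echo "$name: confidential compute enabled"
  else
    echo "$name: NOT a Confidential VM" >&2
    return 1
  fi
}

# Check every VM the MIG manages after the roll; in dry-run mode only show the
# listing command, since there is nothing to iterate over.
verify_mig() {
  if [ "$DRY_RUN" = 1 ]; then
    run gcloud compute instance-groups managed list-instances "$MIG" \
      --project="$PROJECT" --zone="$ZONE" --format='value(instance.basename())'
    return 0
  fi
  gcloud compute instance-groups managed list-instances "$MIG" \
    --project="$PROJECT" --zone="$ZONE" --format='value(instance.basename())' |
  while read -r name; do verify_instance "$name"; done
}

# Admin Activity audit logs keep recording control-plane actions; this pulls the
# recent entries for instance templates so the change itself is evidenced.
show_audit_logs() {
  run gcloud logging read \
    "logName=\"projects/$PROJECT/logs/cloudaudit.googleapis.com%2Factivity\" AND resource.type=\"gce_instance_template\"" \
    --project="$PROJECT" --limit=5 --freshness=1h
}

create_template
roll_mig
verify_mig
show_audit_logs
```

The only application-facing change is the machine type; nothing in the genomics pipeline is rebuilt, and the per-VM check at the end is what an auditor can be shown to demonstrate that memory encryption is actually in effect on every instance, not just requested in the template.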