GCP Professional Cloud Security Engineer Practice Question
A pan-European fintech is migrating its card-processing platform to Google Cloud. The legal team mandates the following:
All customer data and metadata must remain within the European Economic Area to comply with GDPR data-sovereignty clauses.
Persistent disks and Cloud Storage objects must be encrypted with keys that the company fully controls.
Google support personnel may access the environment only after explicit, just-in-time approval, and all such access must be auditable.
The organization root node for Google Cloud is already in place. Which approach best satisfies all requirements while keeping ongoing operational effort low?
Use Cloud External Key Manager (EKM) with an HSM located in Paris to hold encryption keys, configure a service perimeter with Private Google Access only, and rely solely on Access Transparency for auditing provider access.
Create an Assured Workloads environment using the "EU Regions and Support" regime, place all projects for the platform inside its folder, enforce CMEK by setting the constraints/compute.requireCmekForBootDisk and constraints/storage.uniformBucketLevelAccess Organization Policies, and enable both Access Approval and Access Transparency on those projects.
Apply the constraints/gcp.resourceLocations Organization Policy to allow only europe-west1 and europe-west4, create Cloud KMS keys in europe-west1 for CMEK, enable Access Approval and Access Transparency, and use VPC Service Controls to build a perimeter around the projects.
Deploy all resources manually in europe-west1 and europe-north1 regions, rely on Google-managed encryption keys, configure VPC Firewalls to block egress to non-EU IP ranges, and export Cloud Audit Logs to BigQuery for retention.
Assured Workloads automates enforcement of data-residency controls by restricting resource creation to EU regions and limiting Google personnel to EU-based support, satisfying the GDPR data-sovereignty requirement with minimal manual governance. Adding the compute and storage CMEK Organization Policies ensures that both persistent disks and Cloud Storage buckets are encrypted with customer-managed keys, meeting the encryption mandate. Finally, enabling Access Approval forces just-in-time customer consent before any Google engineer can access the environment, while Access Transparency provides immutable audit logs of such access. The other options leave gaps: applying only gcp.resourceLocations still relies on manual EU-only support assignments and adds VPC Service Controls overhead; the manual-deployment option with Google-managed encryption keys lacks CMEK and formal provider-access controls; the Cloud EKM option omits just-in-time approval and does not guarantee EU-only data residency.
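As an added example (not part of the original question and not Google tooling), the following Python check audits an inventory of persistent disks and Cloud Storage buckets against the scenario's residency and CMEK requirements; it does not cover the provider-access requirement. The allowed-location set, the project and key names, and the sample records are assumptions constructed for illustration; the field names follow the Compute Engine disk and Cloud Storage bucket resources.

```python
import re

# Assumption: locations the legal team accepts. "eu" is the Cloud Storage
# multi-region and "europe" the Cloud KMS multi-region; adjust to your policy.
ALLOWED = {"europe-west1", "europe-west4", "europe-north1", "eu", "europe"}
# Cloud KMS key resource name; a trailing /cryptoKeyVersions/N is tolerated.
KEY_RE = re.compile(r"^projects/[^/]+/locations/([^/]+)/keyRings/[^/]+/cryptoKeys/[^/]+")

def location_of(res):
    """Region of a disk (zone without its letter suffix) or a bucket's location."""
    if res["kind"] == "compute#disk":
        zone = res["zone"].rsplit("/", 1)[-1]      # full URL or bare zone name
        return zone.rsplit("-", 1)[0]
    return res["location"].lower()

def kms_key_of(res):
    """CMEK key resource name, or None when Google-managed encryption is in use."""
    if res["kind"] == "compute#disk":
        return (res.get("diskEncryptionKey") or {}).get("kmsKeyName")
    return (res.get("encryption") or {}).get("defaultKmsKeyName")

def audit(resources, allowed=ALLOWED):
    """Return (resource name, finding) pairs for residency and CMEK violations."""
    findings = []
    for res in resources:
        loc = location_of(res)
        if loc not in allowed:
            findings.append((res["name"], f"location {loc} not allowed"))
        match = KEY_RE.match(kms_key_of(res) or "")
        if match is None:
            findings.append((res["name"], "no CMEK key"))
        elif match.group(1).lower() not in allowed:
            findings.append((res["name"], f"key location {match.group(1)} not allowed"))
    return findings

KEY = "projects/pay-kms/locations/{}/keyRings/cards/cryptoKeys/data"  # constructed
SAMPLE = [  # constructed, trimmed records in the shape of the disk/bucket resources
    {"kind": "compute#disk", "name": "card-db-boot", "zone": "zones/europe-west1-b",
     "diskEncryptionKey": {"kmsKeyName": KEY.format("europe-west1")}},
    {"kind": "compute#disk", "name": "batch-tmp", "zone": "zones/us-central1-a"},
    {"kind": "storage#bucket", "name": "card-archive", "location": "EU",
     "encryption": {"defaultKmsKeyName": KEY.format("europe")}},
    {"kind": "storage#bucket", "name": "settlement-logs", "location": "EUROPE-WEST4",
     "encryption": {"defaultKmsKeyName": KEY.format("us-east1")}},
]

if __name__ == "__main__":
    for name, finding in audit(SAMPLE):
        print(f"{name}: {finding}")
```

A bucket's default KMS key applies to objects written after it was set, so a clean result here does not prove that every existing object is CMEK-encrypted.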
GCP Professional Cloud Security Engineer
Supporting compliance requirements