GCP Professional Cloud Security Engineer Practice Question
A retail enterprise is migrating its ML training workloads from self-managed GPU clusters to Vertex AI custom training. Compliance rules state that:
Training data and model artifacts must be encrypted with customer-managed keys.
No control plane or data plane traffic may traverse the public internet.
The ML team must not be responsible for operating-system patching. Which design best satisfies these requirements while taking advantage of the PaaS nature of Vertex AI?
Run training jobs on Confidential VMs in Compute Engine, manage guest OS patching manually, and use CMEK for the VM persistent disks only.
Store training data in a Cloud Storage bucket with uniform bucket-level access, rely on Google default encryption, and route Vertex AI traffic through Cloud NAT to the public endpoints.
Create a VPC Service Controls perimeter that includes Vertex AI and Cloud Storage, enable CMEK encryption on all Vertex AI resources, and access the Vertex AI and Cloud Storage APIs through Private Service Connect endpoints.
Establish a VPN from on-premises to Google Cloud and restrict Vertex AI API access by source IP firewall rules while keeping Google default encryption at rest and in transit.
Vertex AI supports Customer-Managed Encryption Keys (CMEK) for datasets, model artifacts, and notebook storage. Placing Vertex AI and Cloud Storage in the same VPC Service Controls perimeter prevents accidental data egress, and Private Service Connect exposes Google APIs over an internal, RFC 1918 address so that neither control-plane nor data-plane traffic leaves the private network. Google manages the underlying OS for Vertex AI training workers, so the ML team does not handle patching. The other options either allow public egress, rely only on Google-managed encryption, or move the workload back to IaaS-level responsibilities that violate the patch-management constraint.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
What is VPC Service Controls in Google Cloud?
Open an interactive chat with Bash
What is Private Service Connect in Google Cloud?
Open an interactive chat with Bash
What are Customer-Managed Encryption Keys (CMEK)?
Open an interactive chat with Bash
What are VPC Service Controls in Google Cloud?
Open an interactive chat with Bash
What is Private Service Connect and how does it ensure security?
Open an interactive chat with Bash
How does CMEK work in Google Cloud and why is it important for compliance?
Open an interactive chat with Bash
GCP Professional Cloud Security Engineer
Ensuring data protection
Your Score:
Report Issue
Bash, the Crucial Exams Chat Bot
AI Bot
Loading...
Loading...
Loading...
Pass with Confidence.
IT & Cybersecurity Package
You have hit the limits of our free tier, become a Premium Member today for unlimited access.
Military, Healthcare worker, Gov. employee or Teacher? See if you qualify for a Community Discount.
Monthly
$19.99 $11.99
$11.99/mo
Billed monthly, Cancel any time.
$19.99 after promotion ends
3 Month Pass
$44.99 $26.99
$8.99/mo
One time purchase of $26.99, Does not auto-renew.
$44.99 after promotion ends
Save $18!
MOST POPULAR
Annual Pass
$119.99 $71.99
$5.99/mo
One time purchase of $71.99, Does not auto-renew.
$119.99 after promotion ends
Save $48!
BEST DEAL
Lifetime Pass
$189.99 $113.99
One time purchase, Good for life.
Save $76!
What You Get
All IT & Cybersecurity Package plans include the following perks and exams .