GCP Professional Cloud Security Engineer Practice Question

A U.S. healthcare technology company will deploy a new micro-services platform that stores electronic protected health information (ePHI) from federal agencies. The security team must ensure that the environment satisfies FedRAMP High and HIPAA controls, keeps all data inside U.S. regions, restricts Google support access to screened U.S. persons, and automatically applies and monitors required organization policy constraints whenever new Google Cloud projects are created. Which solution will best meet these needs while minimizing ongoing administrative effort?

Create an Assured Workloads environment using the FedRAMP High compliance regime in a U.S. locale and provision all Google Kubernetes Engine projects inside the resulting workload folder.
Apply the FedRAMP organization-policy template to each project through infrastructure-as-code pipelines and store data in the multi-region us location.
Deploy the services on Cloud Run in projects labeled as HIPAA, rely on Cloud Support data avoidance, and manage location restrictions manually when resources are created.
Surround the projects with VPC Service Controls, enable Access Transparency and Access Approval, and add a gcp.resourceLocations organization policy limiting resources to U.S. regions.

Report Issue

Answer Description

Creating an Assured Workloads environment for the FedRAMP High regime automatically sets up a dedicated folder that:

Restricts resource creation to permitted U.S. regions, fulfilling data-residency and sovereignty requirements.
Applies a pre-defined bundle of organization policy constraints (for example, prohibiting external IPs and enforcing CMEK) and continuously monitors them for violations, eliminating the need to maintain custom policy code for each new project.
Enforces Google personnel controls so that only screened U.S. persons can access customer content or configurations, which is mandatory for FedRAMP High and helps meet HIPAA support requirements. The other options require manual policy management, do not address personnel restrictions, or rely on controls (such as VPC Service Controls or resource labels) that do not, by themselves, provide the comprehensive compliance coverage and automated enforcement that Assured Workloads delivers.

Ask Bash

Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.