GCP Professional Cloud Security Engineer Practice Question
An agency supporting U.S. federal customers must run a FedRAMP Moderate-authorized workload on Google Cloud. The application uses Compute Engine and Cloud SQL, and the security team requires: 1) resources restricted to U.S. locations, 2) enforcement that only Google personnel with U.S. citizenship may access the environment, 3) customer-managed encryption keys, and 4) an auditable, just-in-time approval flow whenever Google support needs to access data. Which Google Cloud design satisfies all requirements?
Use Cloud Armor to allow only U.S. IP addresses, store encryption keys in Cloud HSM, and enable Data Access audit logging for all services.
Apply a resourceLocations Organization Policy limiting creation to us-* regions, require customer-supplied encryption keys (CSEK), and depend solely on Cloud Audit Logs for provider access visibility.
Create an Assured Workloads FedRAMP environment for the projects, protect all data with CMEK keys in Cloud KMS, and enable both Access Approval and Access Transparency.
Place all resources in a VPC secured by VPC Service Controls, restrict service accounts with Organization Policy, and rely on default Google-managed encryption keys.
Assured Workloads configured for the FedRAMP compliance regime automatically restricts resource creation to approved U.S. regions and ensures any Google access is limited to personnel who are U.S. citizens on U.S. soil. Using CMEK on Cloud KMS gives the customer full control over the encryption keys protecting Compute Engine disks and Cloud SQL data. Enabling Access Approval forces Google support staff to obtain explicit, time-bound consent before accessing the environment, while Access Transparency records every such access for auditing. The other options each miss at least one requirement: VPC Service Controls and default encryption do not enforce personnel restrictions or just-in-time approvals; Cloud Armor geo-blocking and Data Access logs do not control provider access or guarantee regionalization; an Org Policy plus CSEK lacks FedRAMP personnel controls and mandatory approval logging.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
What is FedRAMP and why is it important in cloud security?
Open an interactive chat with Bash
What are CMEK keys in Google Cloud and how do they enhance security?
Open an interactive chat with Bash
How do Access Approval and Access Transparency work together in Google Cloud?
Open an interactive chat with Bash
What is Assured Workloads and how does it help with FedRAMP compliance?
Open an interactive chat with Bash
How does Customer-Managed Encryption Keys (CMEK) in Cloud KMS provide control over encryption?
Open an interactive chat with Bash
What is Access Approval and Access Transparency, and how do they enhance security?
Open an interactive chat with Bash
GCP Professional Cloud Security Engineer
Supporting compliance requirements
Your Score:
Report Issue
Bash, the Crucial Exams Chat Bot
AI Bot
Loading...
Loading...
Loading...
Pass with Confidence.
IT & Cybersecurity Package
You have hit the limits of our free tier, become a Premium Member today for unlimited access.
Military, Healthcare worker, Gov. employee or Teacher? See if you qualify for a Community Discount.
Monthly
$19.99
$19.99/mo
Billed monthly, Cancel any time.
3 Month Pass
$44.99
$14.99/mo
One time purchase of $44.99, Does not auto-renew.
MOST POPULAR
Annual Pass
$119.99
$9.99/mo
One time purchase of $119.99, Does not auto-renew.
BEST DEAL
Lifetime Pass
$189.99
One time purchase, Good for life.
What You Get
All IT & Cybersecurity Package plans include the following perks and exams .