GCP Professional Cloud Security Engineer Practice Question
An agency supporting U.S. federal customers must run a FedRAMP Moderate-authorized workload on Google Cloud. The application uses Compute Engine and Cloud SQL, and the security team requires: 1) resources restricted to U.S. locations, 2) enforcement that only Google personnel with U.S. citizenship may access the environment, 3) customer-managed encryption keys, and 4) an auditable, just-in-time approval flow whenever Google support needs to access data. Which Google Cloud design satisfies all requirements?
Apply a resourceLocations Organization Policy limiting creation to us-* regions, require customer-supplied encryption keys (CSEK), and depend solely on Cloud Audit Logs for provider access visibility.
Place all resources in a VPC secured by VPC Service Controls, restrict service accounts with Organization Policy, and rely on default Google-managed encryption keys.
Create an Assured Workloads FedRAMP environment for the projects, protect all data with CMEK keys in Cloud KMS, and enable both Access Approval and Access Transparency.
Use Cloud Armor to allow only U.S. IP addresses, store encryption keys in Cloud HSM, and enable Data Access audit logging for all services.
Assured Workloads configured for the FedRAMP compliance regime automatically restricts resource creation to approved U.S. regions and ensures any Google access is limited to personnel who are U.S. citizens on U.S. soil. Using CMEK on Cloud KMS gives the customer full control over the encryption keys protecting Compute Engine disks and Cloud SQL data. Enabling Access Approval forces Google support staff to obtain explicit, time-bound consent before accessing the environment, while Access Transparency records every such access for auditing. The other options each miss at least one requirement: VPC Service Controls and default encryption do not enforce personnel restrictions or just-in-time approvals; Cloud Armor geo-blocking and Data Access logs do not control provider access or guarantee regionalization; an Org Policy plus CSEK lacks FedRAMP personnel controls and mandatory approval logging.
GCP Professional Cloud Security Engineer
Supporting compliance requirements