GCP Professional Cloud Security Engineer Practice Question
An EU-based healthcare provider is migrating a 100 TB PACS image archive to Google Cloud. GDPR and a national regulation require that
all patient data remain within the EU at rest and during processing, and
the encryption keys protecting that data must also stay in the same EU jurisdiction and be fully controlled by the customer. The analytics team occasionally launches GPU-accelerated jobs against the archive but wants to minimise operational overhead. Which Google Cloud configuration best satisfies these compliance constraints?
Create a Cloud Storage regional bucket in "europe-west3" (Frankfurt) protected by a customer-managed Cloud KMS key in the same region, and run GPU-enabled Compute Engine instances in "europe-west3" when analytics is required.
Provision a Filestore instance in "us-central1" encrypted with a CMEK key stored in "europe-west3", and launch GPU jobs in "europe-west1".
Create a dual-region Cloud Storage bucket "us-east4-northamerica-northeast1" protected by an external key manager located in Frankfurt, and process data on GPUs in "europe-west3".
Create a Cloud Storage multi-region bucket in "EU" using Google-managed encryption keys, and run GPU workloads on Compute Engine instances in "europe-west1" (Belgium).
Using Cloud Storage in the "europe-west3" (Frankfurt) region guarantees that stored objects never leave the EU, whereas a multi-region such as "EU" still meets data-residency needs but would scatter replicas across several EU countries and provide no single-region locality for tightly coupled GPU workloads. Enabling CMEK with a Cloud KMS key ring that is also in "europe-west3" keeps the cryptographic keys inside the same jurisdiction and under the customer's control. Compute Engine VMs with attached NVIDIA GPUs launched in the same region ensure that temporary processing stays inside the EU and avoids cross-region egress. Filestore in the US or any configuration in a non-EU region would violate data-sovereignty rules, and relying on Google-managed encryption keys does not allow the customer to guarantee where keys are stored or who can access them.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
What is a CMEK in Google Cloud?
Open an interactive chat with Bash
Why is a regional bucket better for compliance in this scenario compared to a multi-region bucket?
Open an interactive chat with Bash
How do NVIDIA GPUs on Google Cloud benefit healthcare analytics workloads?
Open an interactive chat with Bash
GCP Professional Cloud Security Engineer
Supporting compliance requirements
Your Score:
Report Issue
Bash, the Crucial Exams Chat Bot
AI Bot
Loading...
Loading...
Loading...
Pass with Confidence.
IT & Cybersecurity Package
You have hit the limits of our free tier, become a Premium Member today for unlimited access.
Military, Healthcare worker, Gov. employee or Teacher? See if you qualify for a Community Discount.
Monthly
$19.99
$19.99/mo
Billed monthly, Cancel any time.
3 Month Pass
$44.99
$14.99/mo
One time purchase of $44.99, Does not auto-renew.
MOST POPULAR
Annual Pass
$119.99
$9.99/mo
One time purchase of $119.99, Does not auto-renew.
BEST DEAL
Lifetime Pass
$189.99
One time purchase, Good for life.
What You Get
All IT & Cybersecurity Package plans include the following perks and exams .