GCP Professional Cloud Security Engineer Practice Question
FinServe Inc. stores card-holder data in BigQuery and trains a fraud-detection model with Vertex AI. The security team must (1) stop engineers or code running in Vertex AI from copying training data to resources outside the company's network, and (2) minimize the chance that online prediction requests could be used to reconstruct individual card numbers. Which two controls, used together, best satisfy both requirements?
Require engineers to access BigQuery only through the Cloud SQL Auth proxy and encrypt the training data with customer-managed encryption keys (CMEK) in Cloud KMS.
Create a VPC Service Controls perimeter that includes all BigQuery datasets and Vertex AI resources, and de-identify the card data with Cloud Sensitive Data Protection using format-preserving tokenization before training.
Disable external IP addresses on Vertex AI Workbench notebooks and apply BigQuery row-level access policies to restrict engineers to specific rows.
Encrypt the Vertex AI model artifacts with customer-supplied encryption keys (CSEK) and rotate the keys every 90 days.
Placing all BigQuery and Vertex AI resources inside the same VPC Service Controls service perimeter prevents both users and workloads from moving data to services or projects outside the perimeter, closing off common exfiltration paths. De-identifying the PCI data with Cloud Sensitive Data Protection (DLP) using format-preserving encryption or tokenization removes the real card numbers from the training set, so even successful model-inversion or membership-inference attacks cannot disclose them. Using CMEK or disabling external IPs are good hardening steps, but they do not themselves block data exfiltration or remove sensitive values from the model. Row-level security and notebook hardening help with least-privilege access, yet they do not mitigate inference attacks that exploit trained models to recover original data. Therefore, combining a VPC Service Controls perimeter with DLP-based tokenization is the most effective way to meet both security objectives.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
What are VPC Service Controls?
Open an interactive chat with Bash
What is format-preserving tokenization in Cloud Sensitive Data Protection?
Open an interactive chat with Bash
How do model-inversion and membership-inference attacks target machine learning models?
Open an interactive chat with Bash
What is a VPC Service Controls perimeter?
Open an interactive chat with Bash
What is format-preserving tokenization in Cloud Sensitive Data Protection?
Open an interactive chat with Bash
What are model-inversion and membership-inference attacks in AI models?
Open an interactive chat with Bash
GCP Professional Cloud Security Engineer
Ensuring data protection
Your Score:
Report Issue
Bash, the Crucial Exams Chat Bot
AI Bot
Loading...
Loading...
Loading...
Pass with Confidence.
IT & Cybersecurity Package
You have hit the limits of our free tier, become a Premium Member today for unlimited access.
Military, Healthcare worker, Gov. employee or Teacher? See if you qualify for a Community Discount.
Monthly
$19.99
$19.99/mo
Billed monthly, Cancel any time.
3 Month Pass
$44.99
$14.99/mo
One time purchase of $44.99, Does not auto-renew.
MOST POPULAR
Annual Pass
$119.99
$9.99/mo
One time purchase of $119.99, Does not auto-renew.
BEST DEAL
Lifetime Pass
$189.99
One time purchase, Good for life.
What You Get
All IT & Cybersecurity Package plans include the following perks and exams .