GCP Professional Cloud Security Engineer Practice Question
Your company hosts a proprietary fraud-detection model in Vertex AI, and the model artifacts reside in its managed Cloud Storage bucket. Security architects need a control that blocks any API or console attempt, even by users with Vertex AI Model Admin privileges, to copy these artifacts to resources in projects that are outside a defined set, while still allowing normal operations inside that set. Which Google Cloud capability best enforces this data-egress restriction?
Require all callers to authenticate through Workload Identity Federation instead of long-lived service account keys.
Encrypt the model artifacts with a customer-managed encryption key (CMEK) on the Cloud Storage bucket.
Place Vertex AI and the Cloud Storage bucket inside the same VPC Service Controls perimeter to block egress to resources outside that perimeter.
Attach a Cloud Armor security policy to the Vertex AI endpoint to deny requests that download model artifacts.
VPC Service Controls lets you create a service perimeter around projects that use Vertex AI and Cloud Storage. Calls from within the perimeter to read or write data in projects or buckets outside the perimeter are denied by default, preventing insiders from exporting model artifacts while allowing normal access inside the boundary. Customer-managed encryption keys secure data at rest but do not stop authorized users from copying ciphertext. Workload Identity Federation governs how principals obtain credentials rather than what they can do once authenticated. Cloud Armor protects HTTP(S) traffic to endpoints but has no control over backend service APIs or Cloud Storage operations.
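As an added example (not part of the original question), this shell script builds the `gcloud access-context-manager perimeters create` command for the perimeter described above, restricting both Vertex AI and Cloud Storage. The policy ID, perimeter name and project numbers are placeholders, and the helper function names are hypothetical.

```shell
#!/bin/sh
# Added example: print the command that places a set of projects inside one
# VPC Service Controls perimeter with Vertex AI and Cloud Storage restricted.
# POLICY_ID, the perimeter name and the project numbers are placeholders.

RESTRICTED_SERVICES="aiplatform.googleapis.com,storage.googleapis.com"

# Perimeter resources are written as projects/<project number>, not as
# project IDs, so reject anything that is not purely numeric before it
# reaches gcloud. The function body runs in a subshell to keep variables local.
perimeter_resources() (
  out=""
  for p in "$@"; do
    case "$p" in
      ''|*[!0-9]*) echo "not a project number: $p" >&2; exit 1 ;;
    esac
    out="${out:+$out,}projects/$p"
  done
  [ -n "$out" ] || { echo "no projects given" >&2; exit 1; }
  printf '%s' "$out"
)

# Usage: perimeter_cmd POLICY_ID PERIMETER_NAME PROJECT_NUMBER...
# Prints the command for review instead of running it.
perimeter_cmd() (
  policy="$1"; name="$2"; shift 2
  resources="$(perimeter_resources "$@")" || exit 1
  printf 'gcloud access-context-manager perimeters create %s' "$name"
  printf ' --policy=%s --title=%s' "$policy" "$name"
  printf ' --resources=%s' "$resources"
  printf ' --restricted-services=%s\n' "$RESTRICTED_SERVICES"
)

# Constructed sample values: two projects that form the allowed set.
perimeter_cmd "POLICY_ID" "fraud_model_perimeter" 111111111111 222222222222
```

Every project that legitimately handles the model artifacts must be listed, because a project left out of the perimeter is treated the same as any other outside destination.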
GCP Professional Cloud Security Engineer
Ensuring data protection