GCP Professional Cloud Security Engineer Practice Question
Your company is building a new fraud-detection model on Vertex AI. Training data in a Cloud Storage bucket is already encrypted with a customer-managed key (CMEK). Compliance policy states that: all traffic between your VPC and Vertex AI services must stay on Google's private network; only the ML engineering service account may launch training jobs; and any accidental data egress from Vertex AI to services outside the environment must be blocked. Which solution best meets these requirements?
Disable external IP addresses on training VMs and add egress-deny firewall rules, but continue using Google-managed encryption keys and do not configure VPC Service Controls.
Distribute signed URLs for the training data bucket, expose Vertex AI publicly, and connect the project to the on-premises network using VPC Network Peering instead of Private Service Connect.
Create Private Service Connect endpoints for Vertex AI, add the project and the CMEK-protected bucket to the same VPC Service Controls perimeter, and grant the ML engineering service account only the Vertex AI User IAM role needed to run training jobs.
Access Vertex AI over its public endpoint through Cloud NAT, enable Cloud Audit Logs, and give the ML engineer the Storage Object Viewer role at the organization level.
Private Service Connect (PSC) exposes Google APIs, including aiplatform.googleapis.com, on an internal IP address inside your VPC, so calls to Vertex AI are answered over Google's private network and never traverse the public internet. A VPC Service Controls perimeter that contains the project running the training jobs and the project that owns the CMEK-protected bucket (perimeters hold projects, not individual buckets), with Vertex AI and Cloud Storage listed as restricted services, blocks calls from inside the perimeter to those services in any project outside it, so a misconfigured or compromised job cannot copy training data out. A practical check: if the CMEK key lives in a separate Cloud KMS project, that project must also be inside the perimeter (or reachable through an egress rule), otherwise the job cannot decrypt the bucket. Granting the ML engineering service account only roles/aiplatform.user, and granting that role to no other principal, follows the principle of least privilege: the account can submit training jobs but holds no broader Vertex AI administrative permissions. The other options either rely on public endpoints, omit a service perimeter, or grant overly broad or organization-wide permissions; the first option also drops the CMEK that the compliance policy presumes.
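The following Terraform is an added example of the three controls the explanation describes (a PSC endpoint for Google APIs with private DNS, a VPC Service Controls perimeter with restricted services, and a least-privilege IAM binding). It is not from the original page or from Google's documentation. The variable names, the 10.10.0.5 endpoint address, the perimeter title, and the assumption that the VPC already exists and that both projects live under the same organization are all hypothetical.

```hcl
# Added example, not the page's own content. All variable values are assumptions.
variable "org_id"         { type = string } # organization that owns the access policy
variable "project_id"     { type = string } # project that runs the Vertex AI training jobs
variable "project_number" { type = string } # same project, numeric form (perimeters need numbers)
variable "bucket_project_number" { type = string } # project that owns the CMEK-protected bucket
variable "kms_project_number"    { type = string } # project that holds the CMEK key (may equal bucket project)
variable "ml_sa_email"    { type = string } # e.g. ml-engineering@<project>.iam.gserviceaccount.com
variable "network"        { type = string } # name of the existing VPC

data "google_compute_network" "vpc" {
  name    = var.network
  project = var.project_id
}

# 1. Private Service Connect endpoint for Google APIs.
#    "vpc-sc" publishes only the APIs that VPC Service Controls supports, so any
#    API outside that set is unreachable through this endpoint (accidental egress blocked).
resource "google_compute_global_address" "psc_apis" {
  name         = "psc-google-apis"
  project      = var.project_id
  purpose      = "PRIVATE_SERVICE_CONNECT"
  address_type = "INTERNAL"
  address      = "10.10.0.5" # assumed free internal address in the VPC
  network      = data.google_compute_network.vpc.id
}

resource "google_compute_global_forwarding_rule" "psc_apis" {
  name                  = "pscvertexapis" # PSC API endpoint names: lowercase letters/digits, max 20 chars
  project               = var.project_id
  target                = "vpc-sc"
  network               = data.google_compute_network.vpc.id
  ip_address            = google_compute_global_address.psc_apis.id
  load_balancing_scheme = "" # required empty value for PSC endpoints to Google APIs
}

# Private DNS so *.googleapis.com resolves to the PSC endpoint instead of public IPs.
resource "google_dns_managed_zone" "googleapis" {
  name       = "googleapis-private"
  project    = var.project_id
  dns_name   = "googleapis.com."
  visibility = "private"
  private_visibility_config {
    networks {
      network_url = data.google_compute_network.vpc.id
    }
  }
}

resource "google_dns_record_set" "googleapis_wildcard" {
  project      = var.project_id
  managed_zone = google_dns_managed_zone.googleapis.name
  name         = "*.googleapis.com."
  type         = "A"
  ttl          = 300
  rrdatas      = [google_compute_global_address.psc_apis.address]
}

# 2. VPC Service Controls perimeter around the training project, the bucket's
#    project and the KMS project. Restricted services can only be called for
#    projects inside the perimeter; vpc_accessible_services stops the VPC from
#    reaching any other Google API at all.
resource "google_access_context_manager_access_policy" "policy" {
  parent = "organizations/${var.org_id}"
  title  = "ml-training-policy"
}

resource "google_access_context_manager_service_perimeter" "ml_training" {
  parent = "accessPolicies/${google_access_context_manager_access_policy.policy.name}"
  name   = "accessPolicies/${google_access_context_manager_access_policy.policy.name}/servicePerimeters/ml_training"
  title  = "ml_training"
  status {
    resources = distinct([
      "projects/${var.project_number}",
      "projects/${var.bucket_project_number}",
      "projects/${var.kms_project_number}",
    ])
    restricted_services = [
      "aiplatform.googleapis.com",
      "storage.googleapis.com",
      "cloudkms.googleapis.com", # CMEK decrypt calls must stay inside the perimeter too
    ]
    vpc_accessible_services {
      enable_restriction = true
      allowed_services   = ["RESTRICTED-SERVICES"]
    }
  }
}

# 3. Least privilege: only the ML engineering service account can run training jobs.
resource "google_project_iam_member" "ml_sa_vertex_user" {
  project = var.project_id
  role    = "roles/aiplatform.user"
  member  = "serviceAccount:${var.ml_sa_email}"
}
```

After `terraform apply`, a quick negative test from a VM in the VPC is to run `gsutil cp` against a bucket in a project outside the perimeter: the request should fail with a 403 whose error reason is VPC_SERVICE_CONTROLS, while the same copy from the in-perimeter bucket succeeds. If you want to stage the rollout, wrap the perimeter in dry-run mode first so violations are only logged before they are enforced.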
Exam: GCP Professional Cloud Security Engineer
Domain: Ensuring data protection