GCP Professional Cloud Security Engineer Practice Question
Your company is creating a new folder called "Banking" under the organization root to host services that will store and process personal data of EU residents. GDPR and internal policy require that all customer data, system metadata, and any access by Google personnel stay strictly within EU regions. Security leadership wants a single preventive control that automatically applies to every new project in the folder while still giving developers freedom to choose any EU region. Which solution best satisfies the requirement with the least ongoing operational effort?
Place all Banking projects inside a VPC Service Controls perimeter that blocks egress to IP ranges located outside the EU.
Apply the organization-policy constraint constraints/gcp.resourceLocations to the Banking folder, allowing only specific EU regions, and enable Access Transparency for auditing.
Mandate that every project stores data using CMEK keys in an EU key ring and locates Cloud Storage buckets in the EU multi-region, verified periodically with Security Command Center.
Create an Assured Workloads environment in the Banking folder using the "EU Regions and Support" compliance regime, and deploy all projects inside that environment.
Assured Workloads lets you create a controlled environment that enforces data-residency and Google-personnel access location requirements for an entire set of projects. Selecting the "EU Regions and Support" compliance regime automatically constrains resource locations to EU regions, keeps Google-generated service data (such as logs) in the EU, and restricts Google support staff to work only from EU locations. Because the environment is attached to the Banking folder, any project created inside inherits the controls without additional configuration.
The organization-policy constraint constraints/gcp.resourceLocations can restrict where resources are created, but it does not govern where Google Cloud service data is kept or where support actions take place, so it cannot by itself guarantee full residency. VPC Service Controls only protects against data exfiltration over Google APIs and does not address Google-side storage or support access. Requiring CMEK and manual SCC scans is a procedural control that places an ongoing burden on project owners and still does not constrain Google-side metadata or personnel location.
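An added example (not part of the original question) that audits the resource-location part of this comparison: it checks whether a constraints/gcp.resourceLocations policy admits only EU locations, including the case where a "europe" value covers regions outside the EU. The policy JSON is constructed sample data in Org Policy v2 shape, the function names are hypothetical, and the list of European regions outside the EU (London, Zurich) is an assumption; a clean result covers only where resources are created, not Google-side service data or support location.

```python
import json

# Assumption: European regions located outside the EU (London, Zurich).
NON_EU_EUROPE = {"europe-west2", "europe-west6"}

# Constructed sample: a folder-level policy in Org Policy v2 JSON shape.
SAMPLE = json.loads("""{
  "name": "folders/000000000000/policies/gcp.resourceLocations",
  "spec": {"rules": [{"values": {"allowedValues": [
    "in:eu-locations", "europe-west3",
    "in:europe-locations", "europe-west2-a"]}}]}
}""")

def is_eu_value(value):
    """True only if the entry resolves to EU locations; unknowns are flagged."""
    v = value.lower()
    if v.startswith("in:"):
        v = v[3:]
    if v.endswith("-locations"):
        v = v[: -len("-locations")]
    if v == "eu":
        return True
    if not v.startswith("europe-"):
        return False  # e.g. "europe" (whole continent), "us", "global"
    region = "-".join(v.split("-")[:2])  # drop a zone suffix such as "-a"
    return region not in NON_EU_EUROPE

def audit_policy(policy):
    """Return findings for rules that admit locations outside the EU."""
    findings = []
    spec = policy.get("spec", {})
    if spec.get("inheritFromParent"):
        findings.append("inheritFromParent set: review the parent policy too")
    rules = spec.get("rules", [])
    if not rules:
        findings.append("no rules: locations are not restricted here")
    for i, rule in enumerate(rules):
        values = rule.get("values", {})
        if rule.get("allowAll"):
            findings.append(f"rule {i}: allowAll permits every location")
        if values.get("deniedValues") and not values.get("allowedValues"):
            findings.append(f"rule {i}: deny-list only, all other locations pass")
        for value in values.get("allowedValues", []):
            if not is_eu_value(value):
                findings.append(f"rule {i}: {value!r} is not EU-only")
    return findings

if __name__ == "__main__":
    print("\n".join(audit_policy(SAMPLE)) or "EU-only")
```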
GCP Professional Cloud Security Engineer
Supporting compliance requirements