GCP Professional Cloud Security Engineer Practice Question

Your company is creating a new folder called "Banking" under the organization root to host services that will store and process personal data of EU residents. GDPR and internal policy require that all customer data, system metadata, and any access by Google personnel stay strictly within EU regions. Security leadership wants a single preventive control that automatically applies to every new project in the folder while still giving developers freedom to choose any EU region. Which solution best satisfies the requirement with the least ongoing operational effort?

Mandate that every project stores data using CMEK keys in an EU key ring and locates Cloud Storage buckets in the EU multi-region, verified periodically with Security Command Center.
Create an Assured Workloads environment in the Banking folder using the "EU Regions and Support" compliance regime, and deploy all projects inside that environment.
Place all Banking projects inside a VPC Service Controls perimeter that blocks egress to IP ranges located outside the EU.
Apply the organization-policy constraint constraints/gcp.resourceLocations to the Banking folder, allowing only specific EU regions, and enable Access Transparency for auditing.

Report Issue

Answer Description

Assured Workloads lets you create a controlled environment that enforces data-residency and Google-personnel access location requirements for an entire set of projects. Selecting the "EU Regions and Support" compliance regime automatically constrains resource locations to EU regions, keeps Google-generated service data (such as logs) in the EU, and restricts Google support staff to work only from EU locations. Because the environment is attached to the Banking folder, any project created inside inherits the controls without additional configuration.

The organization-policy constraint constraints/gcp.resourceLocations (distractor) can restrict where resources are created but does not govern where Google Cloud service data or support actions take place, so it cannot by itself guarantee full residency. VPC Service Controls only protect against data exfiltration over Google APIs and do not address Google-side storage or support access. Requiring CMEK and manual SCC scans are procedural controls that place ongoing burden on project owners and still do not constrain Google-side metadata or personnel location.

Ask Bash

Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.