GCP Professional Cloud Security Engineer Practice Question
Your company stores payment transactions in a BigQuery table that contains customers credit-card numbers. Security requires that: (1) every card number is automatically replaced with a format-preserving token before anyone queries it; (2) analysts may read all other columns but must never see raw card data; (3) a marketing vendor working in a separate Google Cloud project must receive only daily sales aggregates and never gain access to underlying tables. Which approach meets all requirements with the least ongoing operational effort?
Apply column-level security to mask the credit-card column and let analysts and the vendor query the same dataset directly.
Export the table nightly to Cloud Storage, use a Dataflow pipeline to redact credit cards, reload the result into a new table, and share that table with analysts and the vendor.
Encrypt the table with a customer-managed key and use row-level security to remove the credit-card column, then deliver aggregated CSV exports to the vendor through signed URLs.
Run a Sensitive Data Protection inspection-transformation job that writes a tokenized copy of the table to an analytics dataset; grant analysts BigQuery Data Viewer on that dataset; create an authorized view with aggregate queries and share only the view with the vendor's project.
Running a Sensitive Data Protection (Cloud DLP) inspection-transformation job creates a de-identified copy of the table in which the credit-card column is tokenized with format-preserving encryption, satisfying the first requirement without custom code. Granting analysts the BigQuery Data Viewer role on that de-identified dataset lets them query all columns while seeing only tokens, addressing the second requirement. An authorized view that returns aggregate SELECT statements can be shared with the vendor's project, giving them the needed statistics while preventing any access to base tables, thus fulfilling the third requirement. The other approaches either fail to create format-preserving tokens, expose more data than intended, or introduce custom pipelines that raise operational overhead.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
What is Format-Preserving Encryption (FPE)?
Open an interactive chat with Bash
How does Google Cloud DLP support de-identification?
Open an interactive chat with Bash
What is an authorized view in BigQuery?
Open an interactive chat with Bash
What is Sensitive Data Protection in Google Cloud?
Open an interactive chat with Bash
What is a BigQuery authorized view and how does it ensure data security?
Open an interactive chat with Bash
How does format-preserving encryption differ from regular encryption?
Open an interactive chat with Bash
GCP Professional Cloud Security Engineer
Ensuring data protection
Your Score:
Report Issue
Bash, the Crucial Exams Chat Bot
AI Bot
Loading...
Loading...
Loading...
Pass with Confidence.
IT & Cybersecurity Package
You have hit the limits of our free tier, become a Premium Member today for unlimited access.
Military, Healthcare worker, Gov. employee or Teacher? See if you qualify for a Community Discount.
Monthly
$19.99
$19.99/mo
Billed monthly, Cancel any time.
3 Month Pass
$44.99
$14.99/mo
One time purchase of $44.99, Does not auto-renew.
MOST POPULAR
Annual Pass
$119.99
$9.99/mo
One time purchase of $119.99, Does not auto-renew.
BEST DEAL
Lifetime Pass
$189.99
One time purchase, Good for life.
What You Get
All IT & Cybersecurity Package plans include the following perks and exams .