GCP Professional Cloud Security Engineer Practice Question
Your financial services company is building a payment-processing platform on Google Cloud. Corporate policy stipulates that all cardholder data must (1) remain only in United States regions or the US multi-region and (2) be technically prevented from being copied to projects or Cloud Storage buckets that are outside the designated cardholder data environment (CDE). You have placed every in-scope project under a dedicated "pci" folder. Which approach best meets both requirements with minimal ongoing operational effort?
Enable customer-managed encryption keys (CMEK) for all Cloud Storage buckets in the pci folder and add IAM Deny policies that block the storage.objects.copy permission when the destination project is not tagged as pci.
Configure all CDE VPC networks with Private Google Access and Cloud NAT only, and apply firewall rules that block egress to public IP ranges so data cannot leave the VPC.
Activate Access Transparency and Access Approval for the pci folder and export all Cloud Audit Logs to a centralized logging project to monitor for unauthorized copies of data.
Apply an organization policy in the pci folder that allows only US regions and the us multi-region with the constraints/gcp.resourceLocations constraint, then create a VPC Service Controls perimeter around the folder and add (or rely on the default) egress restrictions to block access to resources outside the perimeter.
Set the constraints/gcp.resourceLocations organization policy on the pci folder to allow only US regions and the US multi-region so that no resources can be created elsewhere. Then create a VPC Service Controls service perimeter that includes the same folder; the perimeter automatically blocks API attempts to copy data from in-scope services such as Cloud Storage to projects or buckets outside the CDE. This combination delivers preventive enforcement of both data-residency and data-exfiltration controls while requiring little day-to-day administration. The other options either rely on detective controls, do not enforce location restrictions, or cannot stop API-level data transfers.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
What is an organization policy in Google Cloud?
Open an interactive chat with Bash
What is VPC Service Controls in Google Cloud?
Open an interactive chat with Bash
How does constraints/gcp.resourceLocations enforce data locality in Google Cloud?
Open an interactive chat with Bash
What is an organization policy in Google Cloud, and how does constraints/gcp.resourceLocations work?
Open an interactive chat with Bash
How does VPC Service Controls enforce security perimeters in Google Cloud?
Open an interactive chat with Bash
What is the difference between preventive controls versus detective controls in security enforcement?
Open an interactive chat with Bash
GCP Professional Cloud Security Engineer
Supporting compliance requirements
Your Score:
Report Issue
Bash, the Crucial Exams Chat Bot
AI Bot
Loading...
Loading...
Loading...
Pass with Confidence.
IT & Cybersecurity Package
You have hit the limits of our free tier, become a Premium Member today for unlimited access.
Military, Healthcare worker, Gov. employee or Teacher? See if you qualify for a Community Discount.
Monthly
$19.99 $11.99
$11.99/mo
Billed monthly, Cancel any time.
$19.99 after promotion ends
3 Month Pass
$44.99 $26.99
$8.99/mo
One time purchase of $26.99, Does not auto-renew.
$44.99 after promotion ends
Save $18!
MOST POPULAR
Annual Pass
$119.99 $71.99
$5.99/mo
One time purchase of $71.99, Does not auto-renew.
$119.99 after promotion ends
Save $48!
BEST DEAL
Lifetime Pass
$189.99 $113.99
One time purchase, Good for life.
Save $76!
What You Get
All IT & Cybersecurity Package plans include the following perks and exams .