GCP Professional Cloud Security Engineer Practice Question

Your financial-services security team is creating a controls matrix for auditors before moving a payment-processing workload to Compute Engine. The document must list activities that remain solely the customer's responsibility under Google Cloud's shared responsibility model for IaaS services. Which activity will your organization, and not Google, be accountable for implementing and maintaining?

Monitoring and replacing failed physical storage devices in the data centers where your persistent disks reside.
Patching the hypervisor layer that hosts your virtual machines to address newly disclosed vulnerabilities.
Encrypting data stored on persistent disks at the storage layer using Google-supplied AES-256 encryption.
Regularly applying security patches to the guest operating system and configuring host-based firewalls on each Compute Engine VM.

Report Issue

Answer Description

With Infrastructure-as-a-Service offerings such as Compute Engine, Google secures the underlying physical infrastructure, storage devices, and virtualization stack, including hypervisor patching and disk replacement. Google also automatically encrypts data at rest on persistent disks with platform-managed keys, so the baseline encryption service is provided by Google. By contrast, everything inside the virtual machine-including the guest operating system configuration, operating system patch level, and host-based firewalls-remains entirely the customer's responsibility. Therefore, applying critical patches to the guest OS and configuring instance-level firewalls is an activity the customer must perform, whereas Google remains responsible for hypervisor patching, disk encryption at the physical layer, and physical data-center operations.

Ask Bash

Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.