GCP Professional Cloud Security Engineer Practice Question
Your fintech company is migrating a PCI DSS-regulated platform also subject to GDPR. Cardholder data must stay only in the Frankfurt region (europe-west3). Policy requires Google staff access to projects only with explicit, time-bound security-team approval and full audit logs. You must stop cross-project data exfiltration from the PCI environment without managing many firewall rules. Which Google Cloud design meets all requirements with minimal operational overhead?
Store all cardholder data in a Cloud Storage Multi-Region EU bucket protected with CMEK, turn on Access Transparency, and rely on custom VPC firewall egress rules to limit data flows.
Tokenize card data with Cloud DLP, keep workloads in europe-west3 using default project settings, and require support engineers to connect through Identity-Aware Proxy for troubleshooting access.
Host databases on Cloud SQL encrypted with customer-supplied keys stored in us-central1, disable external IPs on all VMs via organization policy, and depend on Cloud Audit Logs alone to monitor provider access.
Create an EU Assured Workloads environment, apply the gcp.resourceLocations organization policy to allow only europe-west3, enable Access Approval, and place all PCI projects inside a VPC Service Controls perimeter.
Creating an Assured Workloads environment with the EU (PCI DSS) compliance regime imposes EU-based personnel controls. Adding the gcp.resourceLocations organization policy restricts resource creation strictly to europe-west3, ensuring data residency in Frankfurt. Enabling Access Approval forces just-in-time, time-bounded permission before any Google staff action and pairs with Access Transparency for auditing. Wrapping the PCI projects in a VPC Service Controls perimeter blocks API-level data exfiltration to other projects without maintaining individual firewall rules. The remaining options each miss at least one mandatory control: multi-region storage does not confine data to Frankfurt, Identity-Aware Proxy addresses customer but not provider access, and storing keys in us-central1 violates the data-residency mandate.
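As an added illustration (not part of the original question and not Google tooling), the Python sketch below audits an inventory for the gaps the explanation calls out: resources outside europe-west3, PCI projects outside the VPC Service Controls perimeter, and projects without Access Approval. The asset records, project IDs and field layout are constructed assumptions.

```python
# Added example: audit a CONSTRUCTED inventory against the controls above.
ALLOWED_REGION = "europe-west3"

# Constructed sample records; names, projects and field layout are assumptions.
ASSETS = [
    {"name": "bucket/pci-cards", "project": "pci-app", "location": "EU"},
    {"name": "sql/cards-db", "project": "pci-db", "location": "europe-west3"},
    {"name": "kms/cards-key", "project": "pci-kms", "location": "us-central1"},
    {"name": "vm/api-1", "project": "pci-app", "location": "europe-west3-a"},
]
PCI_PROJECTS = ["pci-app", "pci-db", "pci-kms"]
PERIMETER_PROJECTS = ["pci-app", "pci-db"]          # members of the VPC-SC perimeter
APPROVAL_ENROLLED = ["pci-app", "pci-db", "pci-kms"]  # Access Approval enabled


def in_region(location, region=ALLOWED_REGION):
    """True for the region itself or one of its zones (region + '-' + letter)."""
    loc = location.lower()
    if loc == region:
        return True
    zone_suffix = loc[len(region):]
    return loc.startswith(region) and len(zone_suffix) == 2 \
        and zone_suffix[0] == "-" and zone_suffix[1].isalpha()


def audit(assets, pci_projects, perimeter_projects, approval_enrolled):
    """Return (control, subject, detail) tuples for every gap found."""
    findings = []
    for asset in assets:
        # Multi-regions such as "EU" and foreign regions both fail residency.
        if not in_region(asset["location"]):
            findings.append(("residency", asset["name"], asset["location"]))
    for project in sorted(set(pci_projects) - set(perimeter_projects)):
        findings.append(("perimeter", project, "outside VPC Service Controls perimeter"))
    for project in sorted(set(pci_projects) - set(approval_enrolled)):
        findings.append(("access-approval", project, "Access Approval not enabled"))
    return findings


if __name__ == "__main__":
    for control, subject, detail in audit(ASSETS, PCI_PROJECTS,
                                          PERIMETER_PROJECTS, APPROVAL_ENROLLED):
        print(f"{control:16} {subject:18} {detail}")
```

On the constructed data, the multi-region bucket and the us-central1 key fail residency, mirroring two of the rejected answer options, and the key project is flagged as sitting outside the perimeter.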
GCP Professional Cloud Security Engineer
Supporting compliance requirements