GCP Professional Cloud Security Engineer Practice Question
Your healthcare company plans to run interactive model training in Vertex AI Workbench using a PHI-containing BigQuery dataset. Compliance mandates that (1) the data and model endpoints must not be accessible from the public internet, (2) any accidental egress to external Google Cloud projects or the public internet must be blocked, and (3) encryption keys must remain under your control for potential crypto-shredding. Which approach best satisfies all three requirements?
Configure Organization-wide Public Access Prevention on Cloud Storage, use Vertex AI datasets with CMEK, and allow Workbench instances to reach Vertex AI over the public internet via Cloud NAT.
Export the dataset to on-premises servers using Transfer Appliance, train the model locally, and upload the final model to Vertex AI with default encryption.
Place the dataset and all Vertex AI resources inside a VPC Service Controls perimeter, create Workbench instances without external IP addresses that access Vertex AI via Private Service Connect, and protect storage and model artifacts with customer-managed encryption keys.
Enable Cloud Armor IP allow lists on Vertex AI endpoints, keep Workbench in the default VPC with external IP disabled, and rely on Google-managed default encryption.
Placing all AI resources and the BigQuery dataset inside a VPC Service Controls perimeter prevents data from being copied to services outside the perimeter, closing off accidental or malicious exfiltration paths. Launching Vertex AI Workbench instances without external IP addresses and using Private Service Connect to reach the Vertex AI and BigQuery APIs keeps network traffic on Google's private backbone and removes public endpoints. Finally, enabling customer-managed encryption keys (CMEK) for BigQuery, Vertex AI datasets, and model artifacts ensures that your organization controls key lifecycle operations, including destruction for crypto-shredding. The other options each miss at least one requirement: relying solely on Cloud Armor does not stop data egress; Public Access Prevention plus Cloud NAT still allows outbound internet paths; moving data on-prem defeats interactive cloud training and still leaves the final model encrypted with Google-managed keys.
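The three requirements in the explanation above can be expressed as an automated check. The following is an added example, not part of the original question or any Google tooling; the inventory layout, field names, project ID and key path are simplified assumptions constructed for illustration, not exact Google Cloud API output.

```python
# Added example: audit a constructed inventory against the three requirements.
# Field names are simplified assumptions, not exact Google Cloud API output.
REQUIRED_RESTRICTED = {"aiplatform.googleapis.com", "bigquery.googleapis.com",
                       "storage.googleapis.com"}

def audit(env):
    """Return findings; an empty list means all three requirements are met."""
    findings = []
    # (1) No public exposure: no external IPs, API access over Private Service Connect.
    for inst in env["workbench_instances"]:
        if inst["external_ip"]:
            findings.append(f"public: {inst['name']} has an external IP")
    if env["api_access"] != "private_service_connect":
        findings.append(f"public: APIs reached via {env['api_access']}")
    # (2) Egress control: every project in one perimeter, key services restricted.
    perimeter = env.get("perimeter")
    if perimeter is None:
        findings.append("egress: no VPC Service Controls perimeter")
    else:
        for project in sorted(set(env["projects"]) - set(perimeter["resources"])):
            findings.append(f"egress: {project} is outside the perimeter")
        for svc in sorted(REQUIRED_RESTRICTED - set(perimeter["restricted_services"])):
            findings.append(f"egress: {svc} is not a restricted service")
    if env.get("cloud_nat"):
        findings.append("egress: Cloud NAT gives an outbound internet path")
    # (3) Key control: each data-bearing resource must name a customer-managed key.
    for res in env["data_resources"]:
        if not res.get("kms_key"):
            findings.append(f"keys: {res['name']} uses Google-managed encryption")
    return findings

KEY = "projects/example-kms/locations/us/keyRings/phi/cryptoKeys/training"  # constructed
RESOURCES = ["bq:phi_dataset", "vertex:dataset", "vertex:model"]            # constructed

# Constructed environment matching the perimeter + PSC + CMEK design.
HARDENED = {
    "projects": ["projects/111"],
    "perimeter": {"resources": ["projects/111"],
                  "restricted_services": sorted(REQUIRED_RESTRICTED)},
    "workbench_instances": [{"name": "wb-1", "external_ip": False}],
    "api_access": "private_service_connect",
    "data_resources": [{"name": n, "kms_key": KEY} for n in RESOURCES],
}
# Constructed environment modelled on the Cloud Armor + default-encryption option.
WEAK = dict(HARDENED, perimeter=None, api_access="public_endpoint",
            data_resources=[{"name": n, "kms_key": None} for n in RESOURCES])

if __name__ == "__main__":
    for label, env in (("hardened", HARDENED), ("weak", WEAK)):
        print(label, audit(env) or "compliant")
```

The weak environment passes the external-IP check yet still fails on egress control and key ownership, which is why disabling external IPs alone does not satisfy the scenario.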
GCP Professional Cloud Security Engineer
Ensuring data protection