GCP Professional Cloud Security Engineer Practice Question
Your organization is subject to an EU-only data-residency mandate. You are building a new Google Cloud hierarchy that will contain many projects running Compute Engine VMs, Dataflow jobs, Cloud Storage buckets, and BigQuery datasets. Compliance asks for one centrally managed control, applied as high in the hierarchy as possible, that technically blocks creation of any future resource outside EU regions while still allowing teams to pick any individual EU region or the "eu" multi-region. Which solution satisfies these requirements?
Mandate an "EU_ONLY" label on every project and schedule a Cloud Function to delete resources it finds in non-EU regions.
Apply the Organization Policy constraint "constraints/gcp.resourceLocations" at the organization root and allow only europe-* zones and the "eu" multi-region.
Create a single VPC Service Controls perimeter for all projects and restrict ingress and egress to European IP ranges.
Enable Assured Workloads with the EU compliance regime in every project to automatically limit resource locations to the EU.
The constraints/gcp.resourceLocations Organization Policy lets administrators define an allow-list of regions, zones, and multi-regions in which new Google Cloud resources may be created. When the policy is enforced at the organization (or folder) level and limited to the europe-* zones plus the "eu" multi-region, any attempt to create a Compute Engine VM, Cloud Storage bucket, BigQuery dataset, Dataflow job, or other supported resource in a non-EU location will fail. The policy is evaluated automatically by Google Cloud Resource Manager, so it prevents non-compliant configurations before they are provisioned.
By contrast, a VPC Service Controls service perimeter restricts data exfiltration at the API layer; it does not stop users from creating resources in disallowed locations. Assured Workloads can enforce EU residency only for services that participate in an Assured Workloads environment and on a per-project basis, so projects created outside that environment would remain unrestricted. Relying on labels and a Cloud Function is reactive, requires custom code, and allows non-EU resources to exist between scans, violating the preventative requirement.
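One way to express the control described above and gate it before it is applied, as an added example that is not part of the original page. The organization ID, the file name `policy.yaml`, the function names, and the choice of the predefined value group `in:eu-locations` for the allow-list are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the original page. ORG_ID is a placeholder.

# Render a v2-format policy file for constraints/gcp.resourceLocations.
# Assumption: the allow-list is expressed with the predefined value
# group "in:eu-locations" rather than a list of individual regions.
render_policy() {
  cat <<EOF
name: organizations/$1/policies/gcp.resourceLocations
spec:
  rules:
  - values:
      allowedValues:
      - in:eu-locations
EOF
}

# Pre-apply gate: succeed only when the file is a pure EU allow-list.
policy_is_eu_only() {
  # allowAll or a deny-list cannot express "EU only"; reject both.
  if grep -Eq 'allowAll|deniedValues' "$1"; then return 1; fi
  # Collect scalar list items ("- values:" and other keys are skipped).
  values=$(sed -n 's/^[[:space:]]*-[[:space:]]*\([^[:space:]]*[^:[:space:]]\)[[:space:]]*$/\1/p' "$1")
  [ -n "$values" ] || return 1          # empty allow-list
  for v in $values; do
    case "$v" in
      in:eu-*|in:europe-*) ;;           # "eu" multi-region and europe-* groups
      *) return 1 ;;                    # anything else is outside the mandate
    esac
  done
  return 0
}

# Gate, apply at the organization root, then show the effective policy.
apply_policy() {
  policy_is_eu_only "$2" || { echo "refusing: $2 is not EU-only" >&2; return 1; }
  gcloud org-policies set-policy "$2"
  gcloud org-policies describe gcp.resourceLocations \
    --organization="$1" --effective
}

# Usage: sh eu_policy.sh apply ORG_ID
if [ "${1:-}" = "apply" ]; then
  render_policy "$2" > policy.yaml
  apply_policy "$2" policy.yaml
fi
```

Because the policy is set on the organization node, folders and projects created later inherit it unless a lower-level policy overrides it, so the same gate is worth running on any folder- or project-level policy file as well.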
GCP Professional Cloud Security Engineer
Supporting compliance requirements