GCP Professional Cloud Security Engineer Practice Question
Your security team must automatically locate Social Security numbers and other personally identifiable information that may be stored in both BigQuery tables and Cloud Storage buckets scattered across multiple projects. They also need the option to create an anonymized copy of any table or file that contains matches so analysts can query the data without viewing raw identifiers. The solution should run on a continuous schedule and surface classification results to Google Cloud's metadata catalog with minimal ongoing maintenance. Which design best satisfies these requirements?
Export inventories from each project to Cloud Asset Inventory, then trigger a Cloud Data Fusion pipeline with regex detectors to flag PII and write tags back to Data Catalog.
Enable organization-level discovery in Sensitive Data Protection, select BigQuery and Cloud Storage as scan targets, and create a de-identification template that a recurring transformation job uses to write sanitized copies to a dedicated analytics dataset or bucket.
Configure Object Lifecycle Management to move objects older than 30 days to Nearline storage and apply BigQuery column-level policy tags to sensitive columns in the data warehouse.
Place all projects behind a VPC Service Controls perimeter, enable CMEK on BigQuery and Cloud Storage, and use Cloud Scheduler to launch a nightly gsutil and bq command script that searches for sensitive strings.
Sensitive Data Protection (formerly Cloud DLP) is the only native service that can both (1) run organization-level discovery scans that profile BigQuery and Cloud Storage data on a schedule and publish the findings to Data Catalog, and (2) apply de-identification templates in a transformation job that writes an anonymized copy of the original data to a separate dataset or bucket. The other options rely on custom pipelines, lifecycle rules, or network controls that do not automatically classify data across services or perform built-in de-identification, and they do not populate Data Catalog with profile results.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
What is Sensitive Data Protection in GCP?
Open an interactive chat with Bash
How does de-identification work in Sensitive Data Protection?
Open an interactive chat with Bash
What does Google Cloud’s metadata catalog do?
Open an interactive chat with Bash
What is Sensitive Data Protection on Google Cloud?
Open an interactive chat with Bash
How does de-identification in Sensitive Data Protection work?
Open an interactive chat with Bash
What is Google Cloud's Data Catalog, and how does it work with Sensitive Data Protection?
Open an interactive chat with Bash
GCP Professional Cloud Security Engineer
Ensuring data protection
Your Score:
Report Issue
Bash, the Crucial Exams Chat Bot
AI Bot
Loading...
Loading...
Loading...
Pass with Confidence.
IT & Cybersecurity Package
You have hit the limits of our free tier, become a Premium Member today for unlimited access.
Military, Healthcare worker, Gov. employee or Teacher? See if you qualify for a Community Discount.
Monthly
$19.99
$19.99/mo
Billed monthly, Cancel any time.
3 Month Pass
$44.99
$14.99/mo
One time purchase of $44.99, Does not auto-renew.
MOST POPULAR
Annual Pass
$119.99
$9.99/mo
One time purchase of $119.99, Does not auto-renew.
BEST DEAL
Lifetime Pass
$189.99
One time purchase, Good for life.
What You Get
All IT & Cybersecurity Package plans include the following perks and exams .