FinBank, a Finnish financial institution, plans to archive 100 TB of customer statements on Google Cloud. Regulators require that the data physically remain in Finland and that encryption keys stay under Finnish jurisdiction so that no foreign entity, including Google, can access them. The operations team evaluates four designs. Which approach best satisfies both the data residency and data sovereignty requirements while keeping day-to-day operational effort low?
Create a regional Cloud Storage bucket in europe-north1 and secure it with a Customer-Managed Encryption Key (CMEK) stored in Cloud KMS in the same region.
Keep the archive on an on-premises NFS server mounted to a Compute Engine VM in Finland and replicate snapshots to a multi-regional EU Cloud Storage bucket encrypted with Google-managed keys.
Store the files in a dual-region Cloud Storage bucket spanning europe-north1 and europe-west1, protected by Google-managed encryption keys.
Use a regional Cloud Storage bucket in europe-north1, encrypt it with keys held in a Finnish on-premises HSM through Cloud External Key Manager, and enable Assured Workloads for the EU environment.
Data residency is met when the data itself is stored in a specific geography, so a regional Cloud Storage bucket in europe-north1 (Finland) is necessary. Data sovereignty additionally demands that control of the encryption keys never leave Finnish jurisdiction; relying on Google-managed or even Google-hosted CMEK keys does not meet this constraint because Google can be compelled to provide access. Customer-supplied encryption keys (CSEK) avoid that risk but require operators to pass the key with every request, creating high operational overhead. By contrast, Cloud External Key Manager (EKM) keeps the keys in a customer-controlled HSM located in Finland and provides an online key-handling interface that avoids per-request manual key delivery. Combining a regional bucket in europe-north1 with EKM and Assured Workloads (which restricts Google personnel access to the EU, including Finland) satisfies both the physical-location and legal-control requirements with minimal ongoing effort. The other options either store data outside Finland, leave key custody with Google, or impose significant manual key-handling overhead, so they fail to meet one or both regulatory conditions.
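The two checks in the explanation can be expressed as an audit over bucket metadata. This is an added example, not part of the original question: the field names follow the Cloud Storage bucket resource and Cloud KMS protection levels, while the project, key names, the simplified key inventory and all sample values are constructed. It does not verify where the external HSM physically sits or whether Assured Workloads is enabled.

```python
REQUIRED_REGION = "EUROPE-NORTH1"               # Finland
EXTERNAL_LEVELS = {"EXTERNAL", "EXTERNAL_VPC"}  # key material held outside Google (Cloud EKM)


def audit(bucket, kms_keys):
    """Return a list of findings; an empty list means both checks pass."""
    findings = []
    # Residency: only a single-region bucket in europe-north1 keeps data in Finland.
    if (bucket.get("locationType") != "region"
            or bucket.get("location", "").upper() != REQUIRED_REGION):
        findings.append("residency: data may be stored outside europe-north1")
    # Sovereignty: a default key must be set and its material must be external.
    key_name = bucket.get("encryption", {}).get("defaultKmsKeyName")
    if not key_name:
        findings.append("sovereignty: Google-managed encryption keys")
    else:
        level = kms_keys.get(key_name, {}).get("protectionLevel")
        if level not in EXTERNAL_LEVELS:
            findings.append(f"sovereignty: key material hosted by Google ({level})")
    return findings


# Constructed inventory: key resource name -> protection level (hypothetical names).
KEY_CMEK = "projects/example/locations/europe-north1/keyRings/archive/cryptoKeys/cmek"
KEY_EKM = "projects/example/locations/europe-north1/keyRings/archive/cryptoKeys/ekm"
KMS_KEYS = {
    KEY_CMEK: {"protectionLevel": "SOFTWARE"},
    KEY_EKM: {"protectionLevel": "EXTERNAL"},
}

# Constructed bucket metadata for the four designs in the question.
DESIGNS = {
    "regional + CMEK": {"location": "EUROPE-NORTH1", "locationType": "region",
                        "encryption": {"defaultKmsKeyName": KEY_CMEK}},
    "multi-region EU + Google keys": {"location": "EU", "locationType": "multi-region"},
    "dual-region + Google keys": {"location": "EU", "locationType": "dual-region"},
    "regional + EKM": {"location": "EUROPE-NORTH1", "locationType": "region",
                       "encryption": {"defaultKmsKeyName": KEY_EKM}},
}

if __name__ == "__main__":
    for name, bucket in DESIGNS.items():
        print(f"{name}: {audit(bucket, KMS_KEYS) or 'OK'}")
```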
GCP Professional Data Engineer
Designing data processing systems