Your company, a Berlin-based healthcare analytics provider, is moving its on-premises data warehouse to Google Cloud. To satisfy GDPR and national healthcare regulations you must ensure that (1) all patient data and its backups stay in EU locations, (2) only EU-based Google personnel can access underlying infrastructure, and (3) auditors can confirm that encryption keys protecting BigQuery tables are under your organization's control. Operational effort should be kept as low as possible. Which approach best meets these requirements?
Create an Assured Workloads environment with the EU Regions and Support compliance regime, store all BigQuery datasets in the EU multi-region, enforce the gcp.resourceLocations organization policy, protect the datasets with CMEK keys in a europe-west4 Cloud KMS keyring, and export Cloud Audit Logs to a separate logging project.
Store the warehouse in the BigQuery US multi-region, rely on Google-managed default encryption, and isolate access with VPC Service Controls to restrict data exfiltration.
Use BigQuery dual-region (EU, US-multi) for higher availability, encrypt tables with customer-supplied encryption keys kept on-premises, and rotate the keys manually via API.
Request a dedicated single-tenant Google Cloud region connected over Cloud Interconnect, allow default encryption, and depend solely on IAM audit logs stored in the same project for compliance evidence.
Assured Workloads with the EU Regions and Support compliance regime automatically applies organization-policy constraints that keep resources and data in EU locations and limit Google support access to personnel physically located in the EU. Storing BigQuery datasets in an EU location satisfies residency mandates, while enabling CMEK with keys in a Cloud KMS keyring you manage gives auditors demonstrable proof that you control the encryption keys, with minimal additional operational burden. Exporting Cloud Audit Logs to a centralized project preserves immutable evidence of key use and administrative access. The other options fail to meet one or more compliance requirements: using the US multi-region violates data residency, CSEK adds operational overhead and cannot be centrally managed in Cloud KMS, and default Google-managed encryption does not give auditors proof of customer control. A dedicated single-tenant region is not an available offering, and default encryption alone is insufficient for the stated compliance needs.
GCP Professional Data Engineer
Designing data processing systems