Your company ACME Payments is building a streaming analytics pipeline on Google Cloud to process credit-card transactions from EU customers. Regulations require that (1) all personal data is stored and processed exclusively in EU regions, (2) primary account numbers (PANs) are pseudonymized but remain reversible for future investigations, (3) data analysts must not have access to decryption keys, and (4) the Dataflow pipeline must follow least-privilege principles. Which approach best meets these requirements?
Enforce the constraints/gcp.resourceLocations policy to permit only EU regions; run Dataflow in europe-west1 using Cloud DLP deterministic encryption protected by an EU-resident CMEK key in Cloud KMS; write results to a BigQuery dataset in europe-west1; grant analysts roles/bigquery.dataViewer only; grant the Dataflow service account roles/bigquery.dataEditor on the dataset and roles/cloudkms.cryptoKeyEncrypterDecrypter on the key.
Deploy Dataflow in us-central1, hash PANs with SHA-256 during processing, store the output in a US multi-region BigQuery dataset, and grant analysts only the roles/bigquery.metadataViewer role.
Use Cloud External Key Manager with keys in a US HSM for format-preserving encryption, store the pseudonymized data in a BigQuery dataset in europe-west2, and allow analysts to decrypt by granting them roles/cloudkms.cryptoKeyEncrypterDecrypter.
Enable Assured Workloads for EU but allow resources in any region; in Dataflow apply irreversible DLP redaction before loading to a multi-regional BigQuery dataset; grant analysts roles/bigquery.dataOwner and roles/cloudkms.cryptoKeyDecrypter for investigation needs.
The correct approach enforces the constraints as follows:
Apply the organization-policy constraint constraints/gcp.resourceLocations to allow only EU regions, ensuring Cloud Storage buckets, Dataflow jobs, BigQuery datasets, and Cloud KMS key rings are created inside the EU.
Within the Dataflow job, call Cloud DLP to perform deterministic encryption on the PAN field, using a customer-managed key (CMEK) stored in a Cloud KMS key ring located in an EU region. Deterministic encryption provides reversible pseudonymization while preserving referential integrity.
Persist the transformed data to a BigQuery dataset in an EU region such as europe-west1, satisfying data-residency rules.
Grant data analysts only the roles/bigquery.dataViewer role on the dataset so they can query pseudonymized data but lack any Cloud KMS permissions required to decrypt it.
Grant the Dataflow worker service account the minimum required privileges: roles/bigquery.dataEditor on the target dataset and roles/cloudkms.cryptoKeyEncrypterDecrypter on the specific CMEK key, preventing broader access.
Alternative solutions fail to satisfy one or more requirements: allowing non-EU regions violates residency rules; using irreversible redaction or hashing breaks the reversibility requirement; storing keys outside the EU or granting analysts decrypter privileges violates compliance and least-privilege principles.
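To make the four checks concrete, here is an added policy-as-code illustration in Python (not code from the page or from Google) that scores each of the four candidate designs above against the four requirements; the option labels A-D, the transform names and the "us-external-hsm" location are constructed labels, and a location an option does not pin is treated as a finding rather than a pass.

```python
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple

EU_LOCATIONS = ("europe-", "eu")  # EU regions plus the "EU" multi-region
REVERSIBLE_TRANSFORMS = {"dlp_deterministic_encryption", "format_preserving_encryption"}
KMS_DECRYPT_ROLES = {"roles/cloudkms.cryptoKeyDecrypter", "roles/cloudkms.cryptoKeyEncrypterDecrypter"}
DATAFLOW_MINIMAL_ROLES = frozenset({"roles/bigquery.dataEditor",
                                    "roles/cloudkms.cryptoKeyEncrypterDecrypter"})
@dataclass(frozen=True)
class Design:
    name: str
    dataflow_region: Optional[str]     # None = the option does not pin the resource
    dataset_location: Optional[str]
    key_location: Optional[str]        # where the key material is held
    transform: str                     # how the PAN field is pseudonymized
    analyst_roles: FrozenSet[str]
    dataflow_sa_roles: FrozenSet[str]  # bindings the option grants the worker SA
def in_eu(location: Optional[str]) -> bool:
    # An unpinned location (None) is a finding, not a pass.
    return location is not None and location.lower().startswith(EU_LOCATIONS)

def violations(d: Design) -> List[Tuple[int, str]]:
    """Return (requirement number, reason) for each requirement the design breaks."""
    found = []
    for what, loc in (("Dataflow job", d.dataflow_region),
                      ("BigQuery dataset", d.dataset_location),
                      ("KMS key", d.key_location)):
        if not in_eu(loc):
            found.append((1, f"{what} located in {loc!r}, not an EU region"))
    if d.transform not in REVERSIBLE_TRANSFORMS:
        found.append((2, f"{d.transform} cannot be reversed for investigations"))
    if d.analyst_roles & KMS_DECRYPT_ROLES:
        found.append((3, "analysts hold a Cloud KMS decrypt role"))
    if d.dataflow_sa_roles != DATAFLOW_MINIMAL_ROLES:
        found.append((4, "worker SA bindings differ from the minimal dataEditor + EncrypterDecrypter set"))
    return found
# The page's four options, transcribed by hand (constructed data; labels are mine).
OPTIONS = [
    Design("A", "europe-west1", "europe-west1", "europe-west1", "dlp_deterministic_encryption",
           frozenset({"roles/bigquery.dataViewer"}), DATAFLOW_MINIMAL_ROLES),
    Design("B", "us-central1", "US", None, "sha256_hash",
           frozenset({"roles/bigquery.metadataViewer"}), frozenset()),
    Design("C", None, "europe-west2", "us-external-hsm", "format_preserving_encryption",
           frozenset({"roles/cloudkms.cryptoKeyEncrypterDecrypter"}), frozenset()),
    Design("D", None, "US", None, "dlp_redaction",
           frozenset({"roles/bigquery.dataOwner", "roles/cloudkms.cryptoKeyDecrypter"}), frozenset()),
]
def compliant_designs() -> List[str]:
    return [d.name for d in OPTIONS if not violations(d)]
```

Running `violations()` over each design lists exactly which of the four requirements it breaks, so only the first design comes back clean.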
GCP Professional Data Engineer
Designing data processing systems