Google Exam Professional-Cloud-Security-Engineer Topic 3 Question 70 Discussion

Actual exam question for Google's Professional Cloud Security Engineer exam

Question #: 70
Topic #: 3

[All Professional Cloud Security Engineer Questions]

You manage a mission-critical workload for your organization, which is in a highly regulated industry The workload uses Compute Engine VMs to analyze and process the sensitive data after it is uploaded to Cloud Storage from the endpomt computers. Your compliance team has detected that this workload does not meet the data protection requirements for sensitive dat

a. You need to meet these requirements;

* Manage the data encryption key (DEK) outside the Google Cloud boundary.

* Maintain full control of encryption keys through a third-party provider.

* Encrypt the sensitive data before uploading it to Cloud Storage

* Decrypt the sensitive data during processing in the Compute Engine VMs

* Encrypt the sensitive data in memory while in use in the Compute Engine VMs

What should you do?

Choose 2 answers

ACreate a VPC Service Controls service perimeter across your existing Compute Engine VMs and Cloud Storage buckets

BMigrate the Compute Engine VMs to Confidential VMs to access the sensitive data.

CConfigure Cloud External Key Manager to encrypt the sensitive data before it is uploaded to Cloud Storage and decrypt the sensitive data after it is downloaded into your VMs

DCreate Confidential VMs to access the sensitive data.

EConfigure Customer Managed Encryption Keys to encrypt the sensitive data before it is uploaded to Cloud Storage, and decrypt the sensitive data after it is downloaded into your VMs.

Show Suggested Answer

Suggested Answer: C, D

https://cloud.google.com/confidential-computing/confidential-vm/docs/creating-cvm-instance#considerations

Confidential VM does not support live migration. You can only enable Confidential Computing on a VM when you first create the instance. https://cloud.google.com/confidential-computing/confidential-vm/docs/creating-cvm-instance

by Timothy at Dec 21, 2023, 12:34 AM

Limited Time Offer

25%

Off

Get Premium Professional-Cloud-Security-Engineer Questions as Interactive Web-Based Practice Test or PDF

Contribute your Thoughts:

Submit Cancel

Celestina

10 days ago

Agreed, those two options seem the most comprehensive. The Confidential VMs in options B and D are a bit overkill, in my opinion.

upvoted 0 times

...

Berry

11 days ago

Hmm, I'm thinking options C and E are the way to go. Configuring Cloud External Key Manager and Customer Managed Encryption Keys seem like the best way to meet all the requirements.

upvoted 0 times

...

Dorathy

12 days ago

Exactly. I wouldn't want to be the one who has to explain to the compliance team why we didn't do that. That's a conversation I'd rather avoid.

upvoted 0 times

...

Roosevelt

13 days ago

Haha, yeah, Confidential VMs are like the fancy sports car of VMs - you really only need them if you're trying to impress someone.

upvoted 0 times

...