Google Professional Cloud Security Engineer Exam - Topic 3 Question 70 Discussion

Actual exam question for Google's Professional Cloud Security Engineer exam

Question #: 70
Topic #: 3

[All Professional Cloud Security Engineer Questions]

You manage a mission-critical workload for your organization, which is in a highly regulated industry The workload uses Compute Engine VMs to analyze and process the sensitive data after it is uploaded to Cloud Storage from the endpomt computers. Your compliance team has detected that this workload does not meet the data protection requirements for sensitive dat

a. You need to meet these requirements;

* Manage the data encryption key (DEK) outside the Google Cloud boundary.

* Maintain full control of encryption keys through a third-party provider.

* Encrypt the sensitive data before uploading it to Cloud Storage

* Decrypt the sensitive data during processing in the Compute Engine VMs

* Encrypt the sensitive data in memory while in use in the Compute Engine VMs

What should you do?

Choose 2 answers

ACreate a VPC Service Controls service perimeter across your existing Compute Engine VMs and Cloud Storage buckets

BMigrate the Compute Engine VMs to Confidential VMs to access the sensitive data.

CConfigure Cloud External Key Manager to encrypt the sensitive data before it is uploaded to Cloud Storage and decrypt the sensitive data after it is downloaded into your VMs

DCreate Confidential VMs to access the sensitive data.

EConfigure Customer Managed Encryption Keys to encrypt the sensitive data before it is uploaded to Cloud Storage, and decrypt the sensitive data after it is downloaded into your VMs.

Show Suggested Answer

Suggested Answer: C, D

https://cloud.google.com/confidential-computing/confidential-vm/docs/creating-cvm-instance#considerations

Confidential VM does not support live migration. You can only enable Confidential Computing on a VM when you first create the instance. https://cloud.google.com/confidential-computing/confidential-vm/docs/creating-cvm-instance

by Timothy at Dec 21, 2023, 12:34 AM

Limited Time Offer

25%

Off

Get Premium Professional Cloud Security Engineer Questions as Interactive Web-Based Practice Test or PDF

Contribute your Thoughts:

Submit Cancel

Son

4 months ago

Not convinced that just using Confidential VMs is enough.

upvoted 0 times

...

Darell

4 months ago

C and E seem like the safest options here. Totally agree!

upvoted 0 times

...

Haydee

4 months ago

Wait, can you really manage keys outside Google Cloud? Sounds risky!

upvoted 0 times

...

Brock

4 months ago

I think B is a solid choice too, but not sure about A.

upvoted 0 times

...

Alexis

4 months ago

Definitely go with C and E for the best data protection!

upvoted 0 times

...

Destiny

5 months ago

I’m a bit confused about the service perimeter in option A. I thought it was more about access control than encryption.

upvoted 0 times

...

Jesusa

5 months ago

I practiced a similar question where we had to manage encryption keys. I feel like option E might be the right answer for encrypting data before uploading.

upvoted 0 times

...

Carylon

5 months ago

I'm not entirely sure, but I think migrating to Confidential VMs could help with data protection. Option B seems relevant.

upvoted 0 times

...

Tom

5 months ago

I remember something about using external key management for encryption, so maybe option C is a good choice.

upvoted 0 times

...

Sharee

5 months ago

I'm a bit unsure about this one. There are a lot of moving parts with the encryption requirements. I'll need to really think through the options and make sure I'm addressing all the compliance needs.

upvoted 0 times

...

Adaline

5 months ago

This is a tough one, but I'm feeling confident. I think the key is to use Confidential VMs to access the sensitive data and then configure Customer Managed Encryption Keys to handle the encryption and decryption. That should give me the control and security I need.

upvoted 0 times

...

Gary

5 months ago

Okay, I've got a plan. I think the best approach is to use Cloud External Key Manager to handle the encryption and decryption of the sensitive data. That way, I can maintain control of the keys through a third-party provider and encrypt/decrypt the data at the right points in the workflow.

upvoted 0 times

...

Reuben

5 months ago

I'm a bit confused by all the different encryption requirements here. I'll need to carefully read through the question again and think through the steps to make sure I meet all the compliance needs.

upvoted 0 times

...

Cyril

5 months ago

This seems like a tricky question, but I think I can tackle it. The key is to focus on the data encryption requirements - managing the encryption keys outside of Google Cloud, maintaining full control through a third-party provider, and encrypting/decrypting the data at the right points.

upvoted 0 times

...

Bronwyn

6 months ago

Discard-unknown seems like a good option, but I want to double-check the other choices to make sure I'm not missing something.

upvoted 0 times

...

Brent

6 months ago

This seems like a straightforward question about the different options for training auditors. I'll need to carefully consider the pros and cons of each approach to determine the best choice.

upvoted 0 times

...

Celestina

2 years ago

Agreed, those two options seem the most comprehensive. The Confidential VMs in options B and D are a bit overkill, in my opinion.

upvoted 0 times

...

Berry

2 years ago

Hmm, I'm thinking options C and E are the way to go. Configuring Cloud External Key Manager and Customer Managed Encryption Keys seem like the best way to meet all the requirements.

upvoted 0 times

...

Dorathy

2 years ago

Exactly. I wouldn't want to be the one who has to explain to the compliance team why we didn't do that. That's a conversation I'd rather avoid.

upvoted 0 times

William

2 years ago

By following these steps, we can ensure that the sensitive data is properly encrypted and protected at all times.

upvoted 0 times

...

Page

2 years ago

B) Migrate the Compute Engine VMs to Confidential VMs to access the sensitive data.

upvoted 0 times

...

Glenna

2 years ago

I agree, it's crucial to meet the data protection requirements for sensitive data.

upvoted 0 times

...

Arleen

2 years ago

E) Configure Customer Managed Encryption Keys to encrypt the sensitive data before it is uploaded to Cloud Storage, and decrypt the sensitive data after it is downloaded into your VMs.

upvoted 0 times

...

Ligia

2 years ago

A) Create a VPC Service Controls service perimeter across your existing Compute Engine VMs and Cloud Storage buckets

upvoted 0 times

...

Roosevelt

2 years ago

Haha, yeah, Confidential VMs are like the fancy sports car of VMs - you really only need them if you're trying to impress someone.

upvoted 0 times

...