Google Cloud Professional Cloud Security Engineer — Question 327
You work for a healthcare provider that is expanding into the cloud to store and process sensitive patient data. You must ensure the chosen Google Cloud configuration meets these strict regulatory requirements:
• Data must reside within specific geographic regions.
• Certain administrative actions on patient data require explicit approval from designated compliance officers.
• Access to patient data must be auditable.
What should you do?
Answer options
- A. Select a standard Google Cloud region. Restrict access to patient data based on user location and job function by using Access Context Manager. Enable both Cloud Audit Logging and Access Transparency.
- B. Deploy an Assured Workloads environment in an approved region. Configure Access Approval for sensitive operations on patient data. Enable both Cloud Audit Logs and Access Transparency.
- C. Deploy an Assured Workloads environment in multiple regions for redundancy. Utilize custom IAM roles with granular permissions. Isolate network-level data by using VPC Service Controls.
- D. Select multiple standard Google Cloud regions for high availability. Implement Access Control Lists (ACLs) on individual storage objects containing patient data. Enable Cloud Audit Logs.
Correct answer: B
Explanation
B is correct because it addresses all three requirements: deploying an Assured Workloads environment in an approved region keeps patient data in a compliant location, Access Approval supplies the explicit approval step for sensitive operations, and Cloud Audit Logs together with Access Transparency make access auditable. Options A, C, and D do not meet all of the regulatory requirements, such as explicit approval for administrative actions and keeping data in compliant regions.