Google Cloud Professional Cloud Security Engineer — Question 330
You are working with developers to secure custom training jobs running on Vertex AI. For compliance reasons, all supported data types must be encrypted by key materials that reside in the Europe region and are controlled by your organization. The encryption activity must not impact the training operation in Vertex AI. What should you do?
Answer options
- A. Encrypt the code, training data, and metadata with Google default encryption. Use customer-managed encryption keys (CMEK) for the trained models exported to Cloud Storage buckets.
- B. Encrypt the code, training data, metadata, and exported trained models with customer-managed encryption keys (CMEK).
- C. Encrypt the code, training data, and exported trained models with customer-managed encryption keys (CMEK).
- D. Encrypt the code, training data, and metadata with Google default encryption. Implement an organization policy that enforces a constraint to restrict the Cloud KMS location to the Europe region.
Correct answer: B
Explanation
The correct answer is B because it protects every component (code, training data, metadata, and exported models) with customer-managed encryption keys (CMEK), which meets the compliance requirements. Options A and D leave the code, training data, and metadata under Google default encryption, so they do not apply CMEK to all necessary data types. Option C omits metadata from CMEK coverage, which is crucial for full compliance.