Google Cloud Professional Cloud Security Engineer — Question 331

Your EU-based organization stores both Personally Identifiable Information (PII) and non-PII data in Cloud Storage buckets across multiple Google Cloud regions. EU data privacy laws require that the PII data must not be stored outside of the EU. To help meet this compliance requirement, you want to detect if Cloud Storage buckets outside of the EU contain healthcare data. What should you do?

Answer options

• A. Create a Sensitive Data Protection job. Specify the infoType of data to be detected and run the job across all Google Cloud Storage buckets.
• B. Create a log sink with a filter on resourceLocation.currentLocations. Trigger an alert if a log message appears with a non- EUcountry.
• C. Activate Security Command Center Premium. Use compliance monitoring to detect resources that do not follow the applicable healthcare regulation.
• D. Enforce the gcp.resourceLocations organization policy and add "EU" in a custom rule that only applies on resources with the tag "healthcare".

Correct answer: A

Explanation

The correct answer is A because creating a Sensitive Data Protection job allows for the specific detection of healthcare data across all Cloud Storage buckets, ensuring compliance with EU regulations. Option B focuses on logging and alerting but does not actively detect data types. Option C, while useful for compliance, does not specifically target the detection of healthcare data in non-EU locations. Option D enforces a policy but does not provide a method for identifying existing data in Cloud Storage.