Google Cloud Professional Machine Learning Engineer — Question 186

You work for a bank with strict data governance requirements. You recently implemented a custom model to detect fraudulent transactions. You want your training code to download internal data by using an API endpoint hosted in your project’s network. You need the data to be accessed in the most secure way, while mitigating the risk of data exfiltration. What should you do?

Answer options

• A. Enable VPC Service Controls for peerings, and add Vertex AI to a service perimeter.
• B. Create a Cloud Run endpoint as a proxy to the data. Use Identity and Access Management (IAM) authentication to secure access to the endpoint from the training job.
• C. Configure VPC Peering with Vertex AI, and specify the network of the training job.
• D. Download the data to a Cloud Storage bucket before calling the training job.

Correct answer: A

Explanation

The correct answer, A, is appropriate because enabling VPC Service Controls adds a layer of security by creating a service perimeter that helps prevent data exfiltration while allowing access to Vertex AI. Option B, while it provides a proxy and IAM authentication, may not offer the same level of security as VPC Service Controls. Option C fails to address the need for a service perimeter, and option D increases the risk of data exfiltration by temporarily storing data in Cloud Storage.