Module 6: Supporting Compliance Requirements
Looking for ‘Preparing for Your Professional Cloud Security Engineer Journey Module 5 Answers’?
In this post, I provide complete, accurate, and detailed explanations for the answers to Module 5: Managing Operations of Course 1: Preparing for Your Professional Cloud Security Engineer Journey – Preparing for Google Cloud Certification: Cloud Security Engineer Professional Certificate.
Whether you’re preparing for quizzes or brushing up on your knowledge, these insights will help you master the concepts effectively. Let’s dive into the correct answers and detailed explanations for each question!
Diagnostic questions
Practice Assignment
1. Cymbal Bank’s lending department stores sensitive information, such as your customers’ credit history, address and phone number, in parquet files. You need to upload this personally identifiable information (PII) to Cloud Storage so that it’s secure and compliant with ISO 27018. How should you protect this sensitive information using Cymbal Bank’s encryption keys and using the least amount of computational resources?
- Generate an RSA key as a 32-byte bytestring. Decode it as a base-64 string. Upload the blob to the bucket using this key.
- Generate a customer-managed encryption key (CMEK) using Cloud KMS. Decode it as a base-64 string. Upload the blob to the bucket using this key.
- Generate a customer-managed encryption key (CMEK) using RSA or AES256 encryption. Decode it as a base-64 string. Upload the blob to the bucket using this key.
- Generate an AES-256 key as a 32-byte bytestring. Decode it as a base-64 string. Upload the blob to the bucket using this key. ✅
Explanation:
This is the Customer-Supplied Encryption Keys (CSEK) approach: Cymbal Bank generates the key itself and presents it with each request, so the bank retains full control of the key (as required). Cloud Storage uses the key to encrypt the object and persists only a SHA-256 hash of it, never the key. CSEK requires a 32-byte symmetric key, and AES-256 is strong, secure, and computationally cheap, which meets ISO 27018 with the least compute overhead. An RSA key is not a 32-byte symmetric key, and a CMEK key lives in Cloud KMS rather than being supplied by the customer at upload time.
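The CSEK flow from the correct answer, as an added Python example that is not part of the original post: it generates the 32-byte AES-256 key, base64-encodes it into the x-goog-encryption-* request headers Cloud Storage uses for customer-supplied keys, and mirrors the hash comparison the service performs when the key is presented again on a later read. The bucket path in the comments is an assumption.

```python
import base64
import hashlib
import hmac
import os


def generate_csek() -> bytes:
    """Generate a fresh AES-256 key: 32 random bytes from the OS CSPRNG."""
    return os.urandom(32)


def csek_headers(raw_key: bytes) -> dict:
    """Build the x-goog-encryption-* headers Cloud Storage expects when an
    object is written or read with a customer-supplied key.

    The key goes in the request base64-encoded; Cloud Storage does not
    persist it and keeps only the SHA-256 hash so it can confirm that the
    same key is presented on later reads.
    """
    if len(raw_key) != 32:
        raise ValueError(f"CSEK must be a 32-byte AES-256 key, got {len(raw_key)} bytes")
    digest = hashlib.sha256(raw_key).digest()
    return {
        "x-goog-encryption-algorithm": "AES256",
        "x-goog-encryption-key": base64.b64encode(raw_key).decode("ascii"),
        "x-goog-encryption-key-sha256": base64.b64encode(digest).decode("ascii"),
    }


def key_matches(headers: dict, candidate: bytes) -> bool:
    """Mirror the server-side check: does the presented key hash to the
    hash stored with the object? This is why losing the key means losing
    the data: Cloud Storage holds nothing it could recover the key from."""
    expected = base64.b64decode(headers["x-goog-encryption-key-sha256"])
    return hmac.compare_digest(hashlib.sha256(candidate).digest(), expected)


if __name__ == "__main__":
    key = generate_csek()
    headers = csek_headers(key)
    # With the google-cloud-storage client the same raw key is passed as
    # bucket.blob("lending/credit_history.parquet", encryption_key=key)
    # (assumed object name) and the client adds these headers for you.
    for name, value in headers.items():
        print(f"{name}: {value}")
    print("presented key matches stored hash:", key_matches(headers, key))
    print("wrong key matches stored hash:", key_matches(headers, os.urandom(32)))
```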
2. You are designing a web application for Cymbal Bank so that customers who have credit card issues can contact dedicated support agents. Customers may enter their complete credit card number when chatting with or emailing support agents. You want to ensure compliance with PCI-DSS and prevent support agents from viewing this information in the most cost-effective way. What should you do?
- Implement Cloud Data Loss Prevention using its REST API. ✅
- Use customer-supplied encryption keys (CSEK) and Cloud Key Management Service (KMS) to detect and encrypt sensitive information.
- Detect sensitive information with Cloud Natural Language API.
- Use customer-managed encryption keys (CMEK) and Cloud Key Management Service (KMS) to detect and encrypt sensitive information.
Explanation:
Cloud DLP API is specifically designed to detect and redact sensitive data like credit card numbers to comply with PCI-DSS. It’s the most cost-effective and accurate tool for this use case.
3. You are a cloud engineer at Cymbal Bank. You need to share the auditing and compliance standards with your CTO that cover controls over financial reporting and both public and private controls over security, availability, and confidentiality. Which compliance standard covers this?
- SOX ✅
- PCI-DSS
- FIPS 140-2
- GDPR
Explanation:
SOX governs financial reporting and internal controls in public companies, ensuring the accuracy, security, and integrity of financial data.
4. Cymbal Bank’s Insurance Analyst needs to collect and store anonymous protected health information of patients from various hospitals. The information is currently stored in Cloud Storage, where each hospital has a folder that contains its own bucket. You have been tasked with collecting and storing the healthcare data from these buckets into Cymbal Bank’s Cloud Storage bucket while maintaining HIPAA compliance. What should you do?
- Create a new Project. Create a new Cloud Storage bucket in this Project with customer-supplied encryption keys (CSEK). Give the Insurance Analyst the ‘Reader’ role on the Project that contains the Cloud Storage bucket. Use the DLP API to find and mask personally identifiable information (PII) data to comply with HIPAA.
- Use the Cloud Healthcare API to read the data from the hospital buckets and use de-identification to redact the sensitive information. Use Dataflow to ingest the Cloud Healthcare API feed and write data in a new Project that contains the Cloud Storage bucket. Give the Insurance Analyst the ‘Editor’ role on this Project. ✅
- Create a new folder. Create a new Cloud Storage bucket in this folder. Give the Insurance Analyst the ‘Editor’ role on the new folder. Collect all hospital data in this bucket. Use the Google Cloud Healthcare Data Protection Toolkit to monitor this bucket.
- Create a new Project. Use the Google Cloud Healthcare Data Protection Toolkit to set up a collection bucket, monitoring alerts, audit log sinks, and Forseti monitoring resources. Use Dataflow to read the data from source buckets and write to the new collection buckets. Give the Insurance Analyst the ‘Editor’ role on the collection bucket.
Explanation:
- Cloud Healthcare API provides built-in support for de-identification (essential for HIPAA).
- Dataflow ensures scalable and secure data movement.
- This is the only option that both stores data securely and ensures anonymization (which was the key feedback you received).
5. Cymbal Bank plans to launch a new public website where customers can pay their equated monthly installments (EMI) using credit cards. You need to build a secure payment processing solution using Google Cloud which should follow the PCI-DSS isolation requirements. How would you architect a secure payment processing environment with Google Cloud services to follow PCI-DSS? (Select the two correct choices)
- Create a new Google Cloud project with restricted access (separate from production environment) for the payment processing solution. Configure firewall rules, a VPN tunnel, and an Application Load Balancer for a new Compute Engine instance. ✅
- Create a new Google Cloud project with restricted access (separate from production environment) for the payment processing solution. Configure firewall rules, a VPN tunnel, and a proxy Network Load Balancer for a new App Engine flexible environment.
- Deploy a Linux base image from preconfigured operating system images. Install only the libraries you need. Deploy using Terraform. ✅
- Create a new Google Cloud project with restricted access (separate from production environment) for the payment processing solution. Create a new Compute Engine instance and configure firewall rules, a VPN tunnel, and an internal load balancer.
- Deploy an Ubuntu Compute Engine instance. Install the libraries needed for payment solutions and encryption/decryption. Deploy using Terraform.
Explanation:
To meet PCI-DSS isolation and security requirements, you should isolate your payment environment from your production systems by creating a separate Google Cloud project with restricted access. This ensures administrative and network-level isolation of sensitive payment processing infrastructure.
Deploying a Compute Engine instance gives you full control over the OS and security configurations, which is critical for compliance. You must configure firewall rules to restrict access, use a VPN tunnel to encrypt internal communication, and place an Application Load Balancer in front to securely expose your services to the public with HTTPS and SSL termination.
In addition, deploying a minimal Linux base image ensures only necessary components are installed—reducing the attack surface. Using Terraform enables infrastructure as code, which improves auditability, repeatability, and consistency, all of which are essential for passing PCI-DSS audits.
Knowledge Check
Graded Assignment
6. Cymbal Bank has a compliance requirement to have control over key lifecycle and rotation periods. Which Google Cloud feature can they leverage to satisfy that requirement?
- VPC service controls
- Audit logs
- PCI-DSS compliance
- CMEK with Cloud KMS ✅
Explanation:
Customer-Managed Encryption Keys (CMEK) with Cloud Key Management Service (Cloud KMS) allow Cymbal Bank to manage the lifecycle of encryption keys—including creation, rotation, disabling, and destruction—giving them full control to meet compliance requirements.
7. Cymbal Bank has compliance requirements to ensure certain data is stored, processed, and never transferred or used outside of Europe. Which Google Cloud feature can help them achieve this?
- Sensitive Data Protection
- Organization policy constraints
- Audit logs
- VPC service controls ✅
Explanation:
VPC Service Controls help enforce data locality and boundary controls in Google Cloud. They can be used to:
- Prevent data exfiltration by controlling where data is accessed from.
- Restrict access to Google-managed services based on network context and location.
- Build service perimeters around sensitive data services (e.g., Cloud Storage, BigQuery) so that data cannot be transferred or accessed outside a specific geographical region, like Europe.