Compliance Misconception — GCP Professional Cloud Architect (PCA)
You assumed a compliance or governance model that doesn't match the service's actual capabilities.
Default Encryption Doesn't Satisfy Every Compliance Clause
Architecture requirement: data must meet HIPAA or PCI-DSS controls. Competing choices: Google-managed encryption versus CMEK plus VPC Service Controls. The deciding constraint is key revocability and exfiltration prevention. Google-managed encryption protects data at rest, but the customer cannot revoke key access on demand. CMEK provides that revocation. VPC Service Controls closes exfiltration paths that authenticated API calls would otherwise leave open. Compliance frameworks name both controls explicitly — default encryption satisfies neither requirement alone.
The Scenario
The question asks about meeting a specific regulatory requirement. You assumed that enabling encryption or selecting a region achieves compliance. In reality, compliance frameworks require multiple layers: contractual agreements with the provider, specific service selection, continuous monitoring, audit logging, and often application-level controls for data handling.
How to Spot It
- Compliance requires three layers: contractual (agreements with the provider), technical (encryption, access control, logging), and procedural (data handling policies, incident response, regular audits). The exam tests whether your answer covers all three.
- Know the difference between "the service supports compliance framework X" and "using this service makes you compliant with X." Support means the service has the certifications; compliance means you configured it correctly AND handle data according to the framework rules.
- Compliance frameworks have specific, testable requirements. HIPAA needs a BAA. PCI-DSS needs network segmentation. GDPR needs data subject rights. SOC 2 needs change management. The exam expects you to name the specific requirements, not just the framework.
Decision Rules
At which hierarchy level to apply the gcp.resourceLocations Organization Policy constraint so that the data-residency restriction covers all current and future projects under the Prod folder without requiring per-project remediation.
Whether to enforce PCI-DSS CDE isolation at the folder level (org policy constraints + dedicated billing account) or at the individual project level (project-scoped constraints + cost labels) — determining which scope guarantees policy inheritance for all current and future CDE projects and satisfies the audit separation requirement.
At which resource hierarchy level should the gcp.resourceLocations org policy constraint be applied so that both existing and future child projects in the Prod folder are covered without per-project remediation?
When the security requirement is preventing authenticated data exfiltration across project boundaries rather than controlling who can access a resource, VPC Service Controls — not Cloud IAM — is the correct enforcement mechanism because it creates a context-based API perimeter that blocks calls regardless of the caller's IAM identity.
Whether Google-managed default encryption combined with Admin Activity audit logging satisfies HIPAA key-revocation and tamper-evident retention requirements, or whether CMEK via Cloud KMS plus Data Access audit logs exported to a locked Cloud Storage bucket is the required combination.
Whether Google-managed default encryption plus enabling Cloud Audit Logs satisfies HIPAA ePHI data-control and audit-retention obligations, or whether CMEK via Cloud KMS (for customer-controlled key revocation) combined with VPC Service Controls (for perimeter-based exfiltration prevention) and Cloud Audit Logs exported to a locked Cloud Storage bucket (for WORM-compliant retention) is the required combination.
Whether to enforce the data-boundary requirement with VPC Service Controls (API-level perimeter blocking cross-project API traffic even from authenticated principals) or with Cloud IAM policies and conditions (identity-based access control that governs call authorization but cannot constrain where an authorized principal directs API output).
Whether CMEK-encrypted BigQuery tables backed by a customer-managed Cloud KMS key ring plus Data Access audit log export to a WORM-locked Cloud Storage bucket in a separate project constitutes the compliant posture — versus relying on Google-managed encryption at rest and in-project Cloud IAM activity logs alone.
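As an added example, not taken from this exam page or from Google's own documentation, the following Terraform configuration wires the four decisions above into one posture: a folder-level gcp.resourceLocations constraint, a customer-managed Cloud KMS key backing the data bucket, Data Access audit logs exported to a locked bucket in a separate project, and a VPC Service Controls perimeter around the data and key projects. The folder, project and access-policy ids are variables you supply; the `in:eu-locations` value group, the 90-day rotation period and the six-year retention figure are assumptions chosen for this example.

```hcl
variable "prod_folder_id" {}       # numeric id of the Prod folder (placeholder)
variable "security_project_id" {}  # owns the KMS key ring (placeholder)
variable "data_project_id" {}      # holds the ePHI / cardholder data (placeholder)
variable "audit_project_id" {}     # separate project for the locked log bucket (placeholder)
variable "access_policy_id" {}     # numeric Access Context Manager policy id (placeholder)

data "google_project" "data"     { project_id = var.data_project_id }
data "google_project" "security" { project_id = var.security_project_id }

# 1. Data residency at the Prod folder: every current and future child project
#    inherits the constraint, so there is nothing to remediate per project.
resource "google_org_policy_policy" "prod_locations" {
  name   = "folders/${var.prod_folder_id}/policies/gcp.resourceLocations"
  parent = "folders/${var.prod_folder_id}"
  spec {
    rules {
      values { allowed_values = ["in:eu-locations"] }  # value group assumed for this example
    }
  }
}

# 2. Key revocability: a customer-managed key. Disabling it makes the data
#    unreadable on demand, which Google-managed encryption cannot offer.
resource "google_kms_key_ring" "phi" {
  name     = "phi-keyring"
  project  = var.security_project_id
  location = "europe-west1"
}

resource "google_kms_crypto_key" "phi" {
  name            = "phi-key"
  key_ring        = google_kms_key_ring.phi.id
  rotation_period = "7776000s"  # 90 days, assumed for this example
}

# The data project's Cloud Storage service agent must be allowed to use the key.
data "google_storage_project_service_account" "gcs" { project = var.data_project_id }

resource "google_kms_crypto_key_iam_member" "gcs_uses_key" {
  crypto_key_id = google_kms_crypto_key.phi.id
  role          = "roles/cloudkms.cryptoKeyEncrypterDecrypter"
  member        = "serviceAccount:${data.google_storage_project_service_account.gcs.email_address}"
}

resource "google_storage_bucket" "phi_data" {
  name                        = "${var.data_project_id}-phi-data"
  project                     = var.data_project_id
  location                    = "EU"
  uniform_bucket_level_access = true
  encryption { default_kms_key_name = google_kms_crypto_key.phi.id }
  depends_on = [google_kms_crypto_key_iam_member.gcs_uses_key]
}

# 3. Tamper-evident retention: Data Access logs exported to a locked bucket in a
#    separate project. A locked retention policy cannot be shortened or removed.
resource "google_project_iam_audit_config" "data_access" {
  project = var.data_project_id
  service = "allServices"
  audit_log_config { log_type = "DATA_READ" }
  audit_log_config { log_type = "DATA_WRITE" }
}

resource "google_storage_bucket" "audit_worm" {
  name                        = "${var.audit_project_id}-audit-worm"
  project                     = var.audit_project_id
  location                    = "EU"
  uniform_bucket_level_access = true
  retention_policy {
    is_locked        = true
    retention_period = 189216000  # 6 years in seconds, an assumed retention target
  }
}

resource "google_logging_project_sink" "audit_to_worm" {
  name                   = "audit-to-worm"
  project                = var.data_project_id
  destination            = "storage.googleapis.com/${google_storage_bucket.audit_worm.name}"
  filter                 = "logName:\"cloudaudit.googleapis.com\""
  unique_writer_identity = true
}

resource "google_storage_bucket_iam_member" "sink_writes_logs" {
  bucket = google_storage_bucket.audit_worm.name
  role   = "roles/storage.objectCreator"
  member = google_logging_project_sink.audit_to_worm.writer_identity
}

# 4. Exfiltration prevention: calls to the restricted services from outside the
#    perimeter fail even for principals whose IAM bindings would authorise them.
resource "google_access_context_manager_service_perimeter" "phi" {
  parent = "accessPolicies/${var.access_policy_id}"
  name   = "accessPolicies/${var.access_policy_id}/servicePerimeters/phi_perimeter"
  title  = "phi_perimeter"
  status {
    resources           = ["projects/${data.google_project.data.number}", "projects/${data.google_project.security.number}"]
    restricted_services = ["storage.googleapis.com", "bigquery.googleapis.com", "cloudkms.googleapis.com"]
  }
}
```

Run `terraform validate` before `terraform plan`; the apply order matters because the bucket's CMEK binding must exist before the bucket is created, which the `depends_on` enforces. The key project sits inside the perimeter so that Cloud Storage can reach the key after `cloudkms.googleapis.com` is restricted. A BigQuery dataset holding the same class of data would reference the same key through its `default_encryption_configuration` block, with the BigQuery service agent granted the encrypter/decrypter role in the same way.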