Free Google Cloud Architect Actual Exam Questions - Question 1 Discussion

Question No. 1
A Compute Engine VM is running a critical database. To secure its private key from
disk theft and comply with FIPS 140-2 Level 3, the key must be stored in a dedicated
hardware security module (HSM). Which GCP service should be used?
Usman E.
2026-02-19

It’s A because only Cloud HSM provides dedicated hardware meeting FIPS 140-2 Level 3.

0
Usman E.
2026-02-18

D imo, because Cloud KMS software-backed keys don’t provide the hardware isolation needed for FIPS 140-2 Level 3, which is a strict requirement here. Cloud Storage with CMEK (C) just manages encryption keys but doesn’t guarantee hardware-level security. IAM (B) is just about permissions, not actual key storage. So A makes sense since it uses dedicated hardware modules specifically designed for high-assurance key protection.

0
Usman E.
2026-02-16

Option A since Cloud HSM offers dedicated hardware for high-level key security.

0
Rayan D.
2026-02-12

A. Cloud HSM is the only option here that provides a dedicated hardware module and meets FIPS 140-2 Level 3 for key protection, unlike software-based or general storage options.

0
Kevin Z.
2026-01-28

I get why A and B are popular picks, but what about E? Using GKE private clusters can significantly boost security for Kubernetes workloads, which should help with compliance too. Could that be a better choice than something like D?

0
Farhan Q.
2026-01-27

E imo, A and B are the only ones directly tied to compliance and legal requirements here.

0
Ravi P.
2026-01-27

B - Running a BAA is mandatory for handling protected health info on cloud services.

0
Ravi P.
2026-01-24

I also think A and B fit best. Making sure the products are compliant (A) is a key first step since you can’t just assume everything on Google Cloud is fine for healthcare data. Plus, the BAA (B) is basically non-negotiable for HIPAA stuff—it formalizes how Google handles patient info. Options like C and D don’t directly address compliance, and E is more about security but not specifically privacy compliance for the audit. So yeah, A and B seem like the only solid choices here.

0
Ravi P.
2026-01-20

Makes sense to go with A and B here. Checking the compliant products (A) ensures you're not using anything risky, and the BAA (B) is crucial for meeting HIPAA requirements when dealing with healthcare data. Options like C, D, and E are more about implementation details or security measures, but they don’t directly address the compliance audit aspect as strongly as A and B do.

0
Ravi P.
2026-01-18

It’s A and B, gotta confirm compliance and get that BAA signed.

0