Domain 3 of 6 · Chapter 2 of 2

Compliance

Unlock the complete study guide + 1,040 practice questions across 16 full exams.

Bundled into the existing Professional Cloud Architect premium course — no separate purchase.

Included in this chapter:

  • The compliance contract is shared
  • Locating data: residency vs sovereignty
  • Protecting the data: classify and de-identify
  • Proving it: logs and published reports
  • The frameworks: HIPAA, COPPA, GDPR, PCI, SOC 2
  • Exam-pattern recognition

Matching the compliance job to the Google Cloud control

JobPrimary controlWhat it guaranteesWhat it does NOT do
Know the obligationFramework + BAA / DPADefines covered data, the contract, and who is liable (shared responsibility)No tool makes you compliant by itself; configuration is your half
Constrain location (residency)Region selection + org policy gcp.resourceLocationsLimits where new resources are createdNot a data-storage commitment, not retroactive, no access control
Constrain access (sovereignty)Assured Workloads control packagesResidency plus personnel-access and encryption limits per regimeRestricts supported services; overkill when only residency is needed
Protect the dataSensitive Data Protection (DLP) + CMEKDiscovers, classifies, de-identifies PII/PHI; you hold keysNot intrusion detection; does not enforce where data lives
Prove your actionsCloud Audit Logs (Admin/Data Access/System Event/Policy Denied)Who did what, where, when in your orgData Access logs are off by default and must be enabled
Prove Google's accessAccess TransparencyLogs Google personnel actions on your data with reasonDoes not log your own users' actions (that is Audit Logs)
Prove the platformCompliance Reports ManagerSelf-service Google SOC/ISO/PCI reports and certificatesCovers Google's layers only, not your workload config

Decision tree

What does therequirement need?Where data lives?restrict access too?Protect the dataitself (PII / PHI)?Produce auditevidence for whom?locationprotectproveAssuredWorkloadssovereigntyRegion +org policyresidency onlyyesnoSensitive DataProtection + CMEKclassify, de-identifyYour users:Audit Logs, Data Access onGoogle staff:Access TransparencyPlatform:Compliance Reports ManagerAlways: name the framework first; pick the weakest sufficient control

Cheat sheet

  • Running on Google Cloud does not make your workload compliant
  • Google does not self-certify: certifications come from independent third parties
  • Residency is where data sits; sovereignty is who can reach it
  • Use the org policy gcp.resourceLocations to constrain where new resources are created
  • The resource-locations constraint is not a data-storage commitment
  • Use Assured Workloads when you need residency AND access AND personnel controls together
  • Control packages pin personnel restrictions, e.g. FedRAMP High requires US-based support staff
  • Sensitive Data Protection discovers, classifies, and de-identifies PII and PHI
  • Pick the de-identification technique by what the downstream use still needs
  • Reduce PCI scope by tokenizing the PAN, not by encrypting it
  • Admin Activity audit logs are always on and free and cannot be disabled
  • Data Access audit logs are OFF by default and must be enabled to prove data reads
  • Access Transparency logs what Google personnel do to your data
  • The Compliance Reports Manager evidences the platform, not your config
  • Processing PHI requires a BAA and there is no HIPAA certification
  • Under GDPR the customer is controller and Google is processor
  • COPPA targets data about users under 13; the architecture is data minimization
  • SOC 2 is an attestation report, not a certification
  • The _Required bucket retention is fixed at 400 days; route logs to a Cloud Storage bucket with a locked retention policy for multi-year, tamper-proof retention
  • Security Command Center Premium plus Security Health Analytics gives continuous, benchmark-mapped compliance monitoring

Unlock with Premium — includes all practice exams and the complete study guide.

Also tested in

References

  1. PCI DSS compliance on Google Cloud
  2. Compliance Reports Manager
  3. Data residency, operational transparency, and privacy (Well-Architected Framework) Well-Architected
  4. Restricting resource locations (Organization Policy)
  5. Assured Workloads overview
  6. Sensitive Data Protection overview
  7. Cloud Audit Logs overview
  8. Access Transparency overview
  9. HIPAA compliance on Google Cloud
  10. Cloud Data Processing Addendum
  11. SOC 2 compliance on Google Cloud