Compliance
Unlock the complete study guide + 1,040 practice questions across 16 full exams.
Bundled into the existing Professional Cloud Architect premium course — no separate purchase.
Included in this chapter:
- The compliance contract is shared
- Locating data: residency vs sovereignty
- Protecting the data: classify and de-identify
- Proving it: logs and published reports
- The frameworks: HIPAA, COPPA, GDPR, PCI, SOC 2
- Exam-pattern recognition
Matching the compliance job to the Google Cloud control
| Job | Primary control | What it guarantees | What it does NOT do |
|---|---|---|---|
| Know the obligation | Framework + BAA / DPA | Defines covered data, the contract, and who is liable (shared responsibility) | No tool makes you compliant by itself; configuration is your half |
| Constrain location (residency) | Region selection + org policy gcp.resourceLocations | Limits where new resources are created | Not a data-storage commitment, not retroactive, no access control |
| Constrain access (sovereignty) | Assured Workloads control packages | Residency plus personnel-access and encryption limits per regime | Restricts supported services; overkill when only residency is needed |
| Protect the data | Sensitive Data Protection (DLP) + CMEK | Discovers, classifies, de-identifies PII/PHI; you hold keys | Not intrusion detection; does not enforce where data lives |
| Prove your actions | Cloud Audit Logs (Admin/Data Access/System Event/Policy Denied) | Who did what, where, when in your org | Data Access logs are off by default and must be enabled |
| Prove Google's access | Access Transparency | Logs Google personnel actions on your data with reason | Does not log your own users' actions (that is Audit Logs) |
| Prove the platform | Compliance Reports Manager | Self-service Google SOC/ISO/PCI reports and certificates | Covers Google's layers only, not your workload config |
Decision tree
Cheat sheet
Unlock with Premium — includes all practice exams and the complete study guide.
Also tested in
References
- PCI DSS compliance on Google Cloud
- Compliance Reports Manager
- Data residency, operational transparency, and privacy (Well-Architected Framework) Well-Architected
- Restricting resource locations (Organization Policy)
- Assured Workloads overview
- Sensitive Data Protection overview
- Cloud Audit Logs overview
- Access Transparency overview
- HIPAA compliance on Google Cloud
- Cloud Data Processing Addendum
- SOC 2 compliance on Google Cloud