A government agency requires FedRAMP High compliance for their Google Cloud deployment. Which service should they use to create a compliant environment with pre-configured controls?
Assured Workloads automates the creation of a compliant environment for FedRAMP, HIPAA, etc., with pre-built controls and continuous monitoring.
Why this answer
Assured Workloads is the correct service because it enables customers to create a Google Cloud environment that is pre-configured to meet specific compliance requirements, including FedRAMP High. It automatically applies a set of controls (e.g., data residency, encryption key management, and access restrictions) based on the chosen compliance regime, reducing the manual effort needed to achieve and maintain certification.
Exam trap
Google Cloud often tests the misconception that a single security tool (like Cloud HSM or VPC Service Controls) is sufficient for full compliance, when in reality Assured Workloads is the only option that provides a holistic, pre-configured compliance environment.
How to eliminate wrong answers
Option A is wrong because Cloud HSM is a hardware security module service that provides FIPS 140-2 Level 3 validated key management, but it does not create a pre-configured compliant environment or enforce broader FedRAMP controls like data residency or access boundaries. Option B is wrong because VPC Service Controls provides a security perimeter to prevent data exfiltration from VPC services, but it is a single control mechanism, not a comprehensive environment that pre-configures all FedRAMP High requirements. Option C is wrong because Security Command Center is a security and risk management platform that provides visibility, threat detection, and compliance reporting, but it does not automatically deploy a pre-configured compliant environment; it monitors and assesses existing configurations.