Google Professional-Cloud-Architect Exam With Confidence Using Practice Dumps

According to the Apigee API Platform documentation, the Quota policy is the primary mechanism used to enforce business-level constraints by limiting the number of request messages an API proxy allows over a specific period of time (such as a minute, hour, day, week, or month). For a media company like Altostrat, which aims to "unlock new revenue streams through targeted marketing" and "drive revenue growth," managing API consumption is critical for cost predictability and monetization strategies.

Google Cloud distinguishes between Spike Arrest and Quota policies. While Spike Arrest is designed for operational safety—protecting backend systems from sudden traffic bursts—the Quota policy is specifically used to enforce business contracts, Service Level Agreements (SLAs), and cost management. By configuring a Quota policy, Altostrat can ensure that no single consumer or application exceeds the total volume of calls that would result in unexpected infrastructure costs or exceed the limits of their current subscription tier.

Options A and B (API Key and OAuth) are essential for authentication and authorization—identifying who is making the call—but they do not inherently limit the volume of calls. Option D (XML threat protection) is a security measure to prevent malformed payload attacks. Therefore, to meet the specific business requirement of "Reliability and cost management," implementing Quota policies within Apigee is the architecturally correct choice to prevent API abuse and manage operational expenditure.

According to Google Cloud Architecture Framework and Cloud KMS documentation, when a customer requires direct control and auditability over the encryption keys used for data at rest, Customer-Managed Encryption Keys (CMEK) is the recommended path.

While Google Cloud encrypts all data at rest by default using Google-managed keys (Option B), Altostrat specifically requires control and auditability. By using CMEK through Cloud Key Management Service (Cloud KMS), Altostrat can manage the key rotation schedules, revoke access to keys immediately to "kill" access to the data, and view detailed logs in Cloud Audit Logs every time the key is used to encrypt or decrypt a media asset.

Option D is superior to Option C because client-side encryption with a self-managed HashiCorp Vault adds significant operational overhead and complexity, contradicting the business requirement to "Simplify infrastructure management." CMEK integrates natively with Cloud Storage, allowing for a seamless experience while meeting the strict security requirements for sensitive documentaries and interviews. Furthermore, the use of IAM roles and groups for fine-grained access control aligns with the principle of least privilege, ensuring that only authorized service accounts and users can access the sensitive buckets and the keys required to decrypt them.