Adopt controls that explicitly meet the obligations of applicable regulations and align with the firm's risk tolerance is correct.

This option is correct because choosing controls to satisfy specific legal and regulatory obligations ensures the firm meets GDPR HIPAA and CCPA requirements while also addressing the organisation's appetite for risk. Mapping controls to regulations produces clear evidence for audits and regulators and it helps prioritise resources toward what the law and the business actually require.

Implementing controls with this goal in mind also supports consistent documentation testing and monitoring which are essential for ongoing compliance. It allows the firm to select technical and administrative measures that are appropriate for the sensitivity of the data and for the threat environment while staying within the declared risk tolerance.

Use only Google Cloud native security products regardless of regulatory requirements is incorrect because using a single vendor for all controls may not satisfy specific regulatory obligations or the firm’s risk needs. Different regulations may require particular administrative or organisational measures and the cloud provider model also involves shared responsibilities that must be addressed beyond provider native tools.

Select the most cost effective and cutting edge solutions to showcase a strong security posture is incorrect because cost and novelty do not guarantee compliance or suitability. New technologies may be unproven and cost focused choices can leave gaps in regulatory coverage and in controls that manage the firm’s actual risks.

Prioritize controls that can be implemented fastest to minimize project duration and resource use is incorrect because speed alone can sacrifice effectiveness and compliance. Some required controls demand careful design testing and documentation and quick implementations can create audit failures or leave sensitive data exposed.

Full AWS Practitioner Certification Question