GCP Professional Cloud Architect Practice Question
Your company, a multinational bank subject to strict financial regulations, is migrating 400 TB of payment records to BigQuery and Cloud Storage. Compliance mandates that: encryption keys remain under the bank's control in an HSM-backed store and are rotated every 90 days; Google personnel must not have access to key material; and incident response teams need the ability to instantly revoke data access if compromise is suspected, with minimal ongoing operational overhead. Which approach best meets these requirements?
Implement client-side encryption with open-source Tink libraries before uploading data and rely on Google-managed encryption for storage-layer protection, rotating keys in the application code.
Protect the datasets with Cloud KMS HSM-backed customer-managed encryption keys, enable automatic rotation every 90 days, and disable the key in KMS to revoke access when required.
Enable default Google-managed encryption and export Cloud Audit Logs to demonstrate that Google rotates the keys on the bank's behalf.
Use customer-supplied encryption keys delivered with each API call, store the keys in the bank's on-premises HSM, and manually rotate them every 90 days.
Customer-managed encryption keys (CMEK) held in Cloud KMS satisfy all stated controls. An HSM-protected key ring ensures the bank, not Google, owns the key material. BigQuery and Cloud Storage natively accept CMEK, so data remains encrypted with the bank's key. Automatic key rotation policies can be set to 90 days, reducing operational toil. If a compromise is suspected, security staff can disable the key or key version in Cloud KMS; all resources encrypted with that key become unreadable within minutes, meeting the rapid revocation requirement. Google-managed keys fail the ownership requirement, CSEK is unsupported by BigQuery and requires manual rotation for every request, and client-side encryption adds significant application overhead while still leaving storage-layer encryption outside the bank's control.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
What is Cloud KMS and how does it ensure key security?
Open an interactive chat with Bash
What is the difference between CMEK and Google-managed encryption keys?
Open an interactive chat with Bash
How does disabling a key in Cloud KMS affect data access in BigQuery and Cloud Storage?
Open an interactive chat with Bash
What is Cloud KMS and how does it support HSM-backed encryption keys?
Open an interactive chat with Bash
How does key rotation work in Cloud KMS, and why is it important?
Open an interactive chat with Bash
What is the difference between customer-managed encryption keys (CMEK) and customer-supplied encryption keys (CSEK)?
Open an interactive chat with Bash
GCP Professional Cloud Architect
Designing for security and compliance
Your Score:
Report Issue
Bash, the Crucial Exams Chat Bot
AI Bot
Loading...
Loading...
Loading...
Pass with Confidence.
IT & Cybersecurity Package
You have hit the limits of our free tier, become a Premium Member today for unlimited access.
Military, Healthcare worker, Gov. employee or Teacher? See if you qualify for a Community Discount.
Monthly
$19.99
$19.99/mo
Billed monthly, Cancel any time.
3 Month Pass
$44.99
$14.99/mo
One time purchase of $44.99, Does not auto-renew.
MOST POPULAR
Annual Pass
$119.99
$9.99/mo
One time purchase of $119.99, Does not auto-renew.
BEST DEAL
Lifetime Pass
$189.99
One time purchase, Good for life.
What You Get
All IT & Cybersecurity Package plans include the following perks and exams .