GCP Professional Cloud Architect Practice Question
Your organization is launching a multi-tenant analytics SaaS on Google Cloud that ingests and stores telemetry data from customer IoT devices. Raw data lands in Cloud Storage and is transformed into BigQuery tables for reporting. The data is not subject to industry regulations that mandate customer control of cryptographic keys, but customers expect all data at rest to be encrypted. The operations team must minimize day-to-day key lifecycle tasks and avoid introducing any new dependencies that could reduce availability. Which key-management approach should you recommend?
Deploy an on-premises Hardware Security Module and integrate it with Cloud External Key Manager so that encryption keys never reside in Google Cloud.
Create Customer-Managed Encryption Keys (CMEK) in Cloud KMS and schedule automatic rotation every 90 days for all buckets and datasets.
Rely on Google-managed encryption keys, which provide default at-rest encryption for Cloud Storage and BigQuery and are automatically created, stored, and rotated by Google without additional effort.
Require each workload to supply Customer-Supplied Encryption Keys (CSEK) on every write request and rotate the keys monthly.
Google-managed encryption keys are applied automatically to all supported storage services-including Cloud Storage and BigQuery-without any configuration. Google creates, stores, and rotates these keys on a regular schedule, so the operations team has no key-lifecycle work. Because keys reside within Google's highly available infrastructure, there is no extra dependency that could affect uptime. Customer-managed encryption keys, customer-supplied encryption keys, or an on-premises HSM with Cloud EKM would all satisfy encryption-at-rest requirements but add operational overhead (policy management, rotation, key delivery, or external service availability) that the team wants to avoid.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
What are Google-managed encryption keys, and how do they work?
Open an interactive chat with Bash
What is the difference between Customer-Managed Encryption Keys (CMEK) and Google-managed encryption keys?
Open an interactive chat with Bash
Why are Customer-Supplied Encryption Keys (CSEK) or external HSMs not recommended in this scenario?
Open an interactive chat with Bash
What are Google-managed encryption keys?
Open an interactive chat with Bash
How do Google-managed encryption keys differ from Customer-Managed Encryption Keys (CMEK)?
Open an interactive chat with Bash
What are the limitations of Customer-Supplied Encryption Keys (CSEK)?
Open an interactive chat with Bash
GCP Professional Cloud Architect
Designing for security and compliance
Your Score:
Report Issue
Bash, the Crucial Exams Chat Bot
AI Bot
Loading...
Loading...
Loading...
Pass with Confidence.
IT & Cybersecurity Package
You have hit the limits of our free tier, become a Premium Member today for unlimited access.
Military, Healthcare worker, Gov. employee or Teacher? See if you qualify for a Community Discount.
Monthly
$19.99 $11.99
$11.99/mo
Billed monthly, Cancel any time.
$19.99 after promotion ends
3 Month Pass
$44.99 $26.99
$8.99/mo
One time purchase of $26.99, Does not auto-renew.
$44.99 after promotion ends
Save $18!
MOST POPULAR
Annual Pass
$119.99 $71.99
$5.99/mo
One time purchase of $71.99, Does not auto-renew.
$119.99 after promotion ends
Save $48!
BEST DEAL
Lifetime Pass
$189.99 $113.99
One time purchase, Good for life.
Save $76!
What You Get
All IT & Cybersecurity Package plans include the following perks and exams .