GCP Professional Cloud Security Engineer Practice Question
A financial-services company protects multiple Cloud Storage buckets with a single symmetric CMEK key stored in Cloud KMS. Internal policy mandates that the key must rotate every 90 days without requiring engineers to run scripts, and auditors need to trace exactly which key version encrypted each object. What is the most operationally efficient way to satisfy both requirements while avoiding downtime for the buckets?
Delete the current primary key version every 90 days so that Cloud Storage automatically falls back to Google-managed encryption, then recreate and reassign the CMEK key after audits are complete.
Schedule a Cloud Function to export the existing key material and immediately re-import it as a new key version every 90 days, updating IAM policies to grant access to the re-imported key.
Configure automatic rotation on the symmetric key by setting a 90-day rotation period and a next-rotation timestamp; Cloud KMS will create a new primary key version on schedule, and Cloud Storage will transparently start using it while recording the version in object metadata and audit logs.
Every 90 days, create a new key ring that contains a freshly generated key and use a deployment script to update each bucket's CMEK reference to the new key, then disable the old key ring.
Automatic rotation is a built-in Cloud KMS feature for symmetric keys. By specifying rotation_period (for example, 7776000 s ≈ 90 days) and next_rotation_time, Cloud KMS automatically generates a new key version and promotes it to primary on schedule. Services such as Cloud Storage immediately begin encrypting new data with the new primary version; previously encrypted data remains accessible with its original version, ensuring zero downtime. Each object's metadata and Cloud Audit Logs record the exact key version used, satisfying audit requirements. Manually creating new keys, exporting key material, or deleting active versions increases operational overhead or risks data inaccessibility, and temporarily reverting to Google-managed keys would violate the CMEK mandate.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
What is automatic key rotation in Cloud KMS?
Open an interactive chat with Bash
How does Cloud Storage handle key version metadata for auditing?
Open an interactive chat with Bash
Why does manually managing CMEK keys increase operational overhead?
Open an interactive chat with Bash
What is CMEK in Google Cloud?
Open an interactive chat with Bash
How does automatic key rotation work in Cloud KMS?
Open an interactive chat with Bash
What is the difference between a key ring and a key version in Cloud KMS?
Open an interactive chat with Bash
GCP Professional Cloud Security Engineer
Ensuring data protection
Your Score:
Report Issue
Bash, the Crucial Exams Chat Bot
AI Bot
Loading...
Loading...
Loading...
Pass with Confidence.
IT & Cybersecurity Package
You have hit the limits of our free tier, become a Premium Member today for unlimited access.
Military, Healthcare worker, Gov. employee or Teacher? See if you qualify for a Community Discount.
Monthly
$19.99 $11.99
$11.99/mo
Billed monthly, Cancel any time.
$19.99 after promotion ends
3 Month Pass
$44.99 $26.99
$8.99/mo
One time purchase of $26.99, Does not auto-renew.
$44.99 after promotion ends
Save $18!
MOST POPULAR
Annual Pass
$119.99 $71.99
$5.99/mo
One time purchase of $71.99, Does not auto-renew.
$119.99 after promotion ends
Save $48!
BEST DEAL
Lifetime Pass
$189.99 $113.99
One time purchase, Good for life.
Save $76!
What You Get
All IT & Cybersecurity Package plans include the following perks and exams .