GCP Professional Cloud Security Engineer Practice Question
A healthcare provider is migrating a 10-year document archive from an on-premises NAS to Cloud Storage. Internal policy requires the following:
If regulators mandate immediate disposal, the data must become unreadable within 24 hours.
Encryption keys must reside in Google Cloud to avoid having to operate or audit on-premises HSMs.
Google must be unable to decrypt the data using its own keys. Which encryption strategy best satisfies these requirements?
Adopt Cloud External Key Manager so the bucket is protected with a key stored in an on-premises HSM, then revoke access to that key if disposal is mandated.
Rely on Google-managed default encryption and configure an object lifecycle delete rule to remove data upon regulatory request.
Perform client-side encryption using customer-supplied encryption keys (CSEK), store the keys off-platform, and discard them when disposal is needed.
Enable a symmetric customer-managed encryption key in Cloud KMS for the bucket and invoke key-version destruction when disposal is required.
Using a symmetric customer-managed encryption key (CMEK) stored in Cloud KMS fulfills all constraints. The key material resides entirely within Google Cloud, so there is no need for an on-premises HSM. If regulators require disposal, you can call projects.locations.keyRings.cryptoKeys.cryptoKeyVersions.destroy to schedule the key version for destruction; the key is disabled immediately and irreversibly destroyed after the mandatory 24-hour waiting period, rendering the encrypted data unrecoverable within the required timeframe. Because Cloud Storage relies solely on the customer-managed key, Google's default keys cannot decrypt the objects. External Key Manager violates the in-cloud key requirement, customer-supplied keys add external operational overhead, and default encryption gives customers no control over crypto-shredding.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
How does symmetric customer-managed encryption in Cloud KMS work?
Open an interactive chat with Bash
What is crypto-shredding and how does it fulfill disposal requirements?
Open an interactive chat with Bash
Why is Google-managed default encryption not suitable in this scenario?
Open an interactive chat with Bash
What is a customer-managed encryption key (CMEK) in Cloud KMS?
Open an interactive chat with Bash
How does cryptographic key destruction work in Cloud KMS?
Open an interactive chat with Bash
Why doesn't client-side encryption or customer-supplied encryption keys (CSEK) meet the requirements?
Open an interactive chat with Bash
GCP Professional Cloud Security Engineer
Ensuring data protection
Your Score:
Report Issue
Bash, the Crucial Exams Chat Bot
AI Bot
Loading...
Loading...
Loading...
Pass with Confidence.
IT & Cybersecurity Package
You have hit the limits of our free tier, become a Premium Member today for unlimited access.
Military, Healthcare worker, Gov. employee or Teacher? See if you qualify for a Community Discount.
Monthly
$19.99
$19.99/mo
Billed monthly, Cancel any time.
3 Month Pass
$44.99
$14.99/mo
One time purchase of $44.99, Does not auto-renew.
MOST POPULAR
Annual Pass
$119.99
$9.99/mo
One time purchase of $119.99, Does not auto-renew.
BEST DEAL
Lifetime Pass
$189.99
One time purchase, Good for life.
What You Get
All IT & Cybersecurity Package plans include the following perks and exams .