GCP Professional Cloud Security Engineer Practice Question
A multinational bank is moving its 8-PB on-premises data warehouse to BigQuery. Its risk office states that the cryptographic keys protecting the data must never reside on any public-cloud infrastructure, and that internal auditors need the ability to revoke key material from the bank's own hardware security modules (HSMs) to make the cloud-resident data immediately unreadable. Which Google Cloud encryption approach for the BigQuery datasets best meets these compliance requirements?
Configure BigQuery to use Cloud External Key Manager keys that reside in the bank's on-premises HSMs.
Create CMEK keys backed by software in Cloud KMS and assign them to the BigQuery datasets.
Use Google-managed default encryption for all tables.
Create CMEK keys in Cloud HSM and assign them to the BigQuery datasets.
Cloud External Key Manager allows BigQuery to use customer-supplied keys that are generated, stored, and managed in an HSM under the bank's physical control. Data is encrypted at rest by BigQuery, but the key material never leaves the on-premises HSM; Google Cloud only holds a reference (URI) to it. If auditors disable or delete the key on their HSM, BigQuery loses access and the data becomes unrecoverable-satisfying the separation-of-duties and crypto-shredding requirements. Google-managed default encryption and both software-backed and Cloud HSM-backed CMEK store the key material inside Google infrastructure, so they cannot meet the mandate that keys remain outside the cloud provider.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
What is Cloud External Key Manager (EKM)?
Open an interactive chat with Bash
What is cryptographic shredding, and how does it work with EKM?
Open an interactive chat with Bash
How does Cloud EKM ensure compliance with separation-of-duties requirements?
Open an interactive chat with Bash
What is Cloud External Key Manager (EKM)?
Open an interactive chat with Bash
What is the difference between CMEK and Cloud External Key Manager keys?
Open an interactive chat with Bash
What is crypto-shredding in the context of Cloud EKM?
Open an interactive chat with Bash
GCP Professional Cloud Security Engineer
Ensuring data protection
Your Score:
Report Issue
Bash, the Crucial Exams Chat Bot
AI Bot
Loading...
Loading...
Loading...
Pass with Confidence.
IT & Cybersecurity Package
You have hit the limits of our free tier, become a Premium Member today for unlimited access.
Military, Healthcare worker, Gov. employee or Teacher? See if you qualify for a Community Discount.
Monthly
$19.99
$19.99/mo
Billed monthly, Cancel any time.
3 Month Pass
$44.99
$14.99/mo
One time purchase of $44.99, Does not auto-renew.
MOST POPULAR
Annual Pass
$119.99
$9.99/mo
One time purchase of $119.99, Does not auto-renew.
BEST DEAL
Lifetime Pass
$189.99
One time purchase, Good for life.
What You Get
All IT & Cybersecurity Package plans include the following perks and exams .