GCP Professional Cloud Security Engineer Practice Question
A retail bank headquartered in Frankfurt is migrating customer account statements to Google Cloud. German banking regulations require that every copy of the statements, as well as the encryption keys protecting them, remain physically in Germany. Operations wants to avoid manual key-handling tasks but still control when keys are rotated every quarter. Which Google Cloud design best fulfills the regulatory and operational requirements?
Configure a Cloud Storage custom dual-region bucket across europe-west3 and europe-west1 (Belgium) and protect data with customer-supplied encryption keys that are uploaded during each quarterly rotation.
Store the statements in a Cloud Storage regional bucket in europe-west3 protected by a Cloud KMS CMEK whose key ring is also in europe-west3, and configure automatic key rotation for 90-day intervals.
Create a custom dual-region bucket spanning europe-west3 (Frankfurt) and europe-central2 (Warsaw) and encrypt it with a Cloud KMS CMEK stored in europe-west3.
Use a Cloud Storage multi-region bucket in europe-4 and rely on Google-managed encryption keys to avoid key-rotation tasks.
A regional Cloud Storage bucket located in europe-west3 (Frankfurt) guarantees that all data is stored only in data centers physically located in Germany. Protecting the bucket with a customer-managed encryption key (CMEK) whose key ring is also hosted in europe-west3 keeps the cryptographic material in the same jurisdiction. Cloud KMS allows the bank to set an automatic rotation schedule (for example, every 90 days), eliminating the need to upload or manually re-encrypt data while still giving the customer full control over the key lifecycle.
The other options violate either the data-residency requirement (by storing data or keys outside Germany) or impose unnecessary operational overhead (for example, by requiring manual customer-supplied key management).
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
What is a Cloud KMS CMEK and how does it differ from Google-managed encryption keys?
Open an interactive chat with Bash
What is the significance of using regional buckets versus multi-region or dual-region buckets in Google Cloud?
Open an interactive chat with Bash
How does automatic key rotation in Cloud KMS help with operational efficiency?
Open an interactive chat with Bash
What is Cloud KMS and how does it help manage encryption keys?
Open an interactive chat with Bash
What is a Cloud Storage regional bucket, and why is it important for compliance?
Open an interactive chat with Bash
How does automatic key rotation in Cloud KMS work?
Open an interactive chat with Bash
GCP Professional Cloud Security Engineer
Supporting compliance requirements
Your Score:
Report Issue
Bash, the Crucial Exams Chat Bot
AI Bot
Loading...
Loading...
Loading...
Pass with Confidence.
IT & Cybersecurity Package
You have hit the limits of our free tier, become a Premium Member today for unlimited access.
Military, Healthcare worker, Gov. employee or Teacher? See if you qualify for a Community Discount.
Monthly
$19.99
$19.99/mo
Billed monthly, Cancel any time.
3 Month Pass
$44.99
$14.99/mo
One time purchase of $44.99, Does not auto-renew.
MOST POPULAR
Annual Pass
$119.99
$9.99/mo
One time purchase of $119.99, Does not auto-renew.
BEST DEAL
Lifetime Pass
$189.99
One time purchase, Good for life.
What You Get
All IT & Cybersecurity Package plans include the following perks and exams .