GCP Professional Cloud Security Engineer Practice Question
Your company is migrating a high-volume payment-processing platform to Google Cloud. Cardholder data will be stored in Cloud Storage and BigQuery, each protected with customer-managed encryption keys (CMEK). PCI DSS auditors insist that encryption keys be generated and stored in FIPS 140-2 Level 3-validated hardware located inside Google Cloud. The application must also sustain thousands of cryptographic operations per second while minimizing latency. Which key-management approach should you adopt?
Switch to customer-supplied encryption keys (CSEK) passed with every object upload and query.
Create symmetric keys in Cloud KMS with the software protection level and configure them as CMEK for the services.
Provision a Cloud HSM key ring, generate symmetric keys in the HSM, and use those keys as CMEK for Cloud Storage and BigQuery.
Configure Cloud External Key Manager (EKM) to reference keys stored in your on-premises hardware security module.
Use Cloud HSM to generate and store the CMEK keys. Cloud HSM keeps keys exclusively in FIPS 140-2 Level 3 validated hardware modules hosted within Google data centers, meeting the auditor's requirement that keys reside in-cloud at the specified assurance level. A Cloud HSM key can be selected as the protection mechanism for Cloud Storage and BigQuery CMEK, and each HSM key version can handle roughly 10,000 cryptographic operations per second-ample capacity for a high-volume payment workload with low latency.
Software-protected Cloud KMS keys are only FIPS 140-2 Level 1, which fails the mandate. Cloud External Key Manager stores keys outside Google Cloud, breaching the in-cloud requirement and adding network latency. Customer-supplied encryption keys (CSEK) require the application to supply the key on every request and are not backed by FIPS 140-2 Level 3 hardware, making them unsuitable here.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
What is Cloud HSM and how does it ensure compliance with FIPS 140-2 Level 3?
Open an interactive chat with Bash
How does Cloud HSM sustain thousands of cryptographic operations per second while minimizing latency?
Open an interactive chat with Bash
How do customer-managed encryption keys (CMEK) integrate with services such as Cloud Storage and BigQuery?
Open an interactive chat with Bash
What is Cloud HSM and why is it suitable for PCI DSS compliance?
Open an interactive chat with Bash
How does a Cloud HSM differ from Cloud KMS with software-based protection?
Open an interactive chat with Bash
Why is Cloud External Key Manager (EKM) not appropriate for this scenario?
Open an interactive chat with Bash
GCP Professional Cloud Security Engineer
Ensuring data protection
Your Score:
Report Issue
Bash, the Crucial Exams Chat Bot
AI Bot
Loading...
Loading...
Loading...
Pass with Confidence.
IT & Cybersecurity Package
You have hit the limits of our free tier, become a Premium Member today for unlimited access.
Military, Healthcare worker, Gov. employee or Teacher? See if you qualify for a Community Discount.
Monthly
$19.99 $11.99
$11.99/mo
Billed monthly, Cancel any time.
$19.99 after promotion ends
3 Month Pass
$44.99 $26.99
$8.99/mo
One time purchase of $26.99, Does not auto-renew.
$44.99 after promotion ends
Save $18!
MOST POPULAR
Annual Pass
$119.99 $71.99
$5.99/mo
One time purchase of $71.99, Does not auto-renew.
$119.99 after promotion ends
Save $48!
BEST DEAL
Lifetime Pass
$189.99 $113.99
One time purchase, Good for life.
Save $76!
What You Get
All IT & Cybersecurity Package plans include the following perks and exams .