GCP Professional Cloud Security Engineer Practice Question
Your healthcare analytics platform runs on several Compute Engine VMs in us-central1. Each VM uses a zonal Persistent Disk that was created with Google-managed default encryption. New compliance requirements say you must control the encryption keys so that deleting a key renders its data permanently unreadable. You must migrate to customer-managed encryption keys (CMEK) with no data leaving us-central1 and with at most one reboot per VM. What should you do?
Create a Cloud HSM key in us-central1, export every disk to Cloud Storage, import each as an image encrypted with the key, create new disks from the images, and rebuild the VMs from scratch.
Create a symmetric Cloud KMS key in a key ring located in us-central1 and grant the Compute Engine service account the CryptoKey Encrypter/Decrypter role. Snapshot each existing disk, create a new disk from the snapshot specifying the CMEK key, attach it to the VM, and reboot once.
Enable Confidential VMs on every instance; this automatically converts attached Persistent Disks to CMEK without requiring snapshots or reboots.
Create a symmetric Cloud KMS key in location "global", grant the project Roles/Editor to that key, and update each existing Persistent Disk in place with gcloud compute disks update --csek-key-file.
Persistent Disks encrypted with Google-managed keys cannot be converted in place to CMEK. The recommended process is to create a snapshot of each disk and then create a new disk from that snapshot while specifying a Cloud KMS key located in the same region. Before the disks can use the key, the service account that attaches the disks must have the Cloud KMS CryptoKey Encrypter/Decrypter role. After the new CMEK-protected disks are attached, each VM only needs a single reboot to switch boot or data disks. Keys created in the global location are not supported for Persistent Disks, exporting the disk to Cloud Storage and recreating images introduces unnecessary downtime and data movement, and enabling Confidential VMs does not change existing disk encryption.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
What is CMEK in GCP?
Open an interactive chat with Bash
Why is a snapshot required before migrating to CMEK?
Open an interactive chat with Bash
Why is the location of the Cloud KMS key important?
Open an interactive chat with Bash
What is CMEK in GCP and how does it differ from Google-managed encryption keys?
Open an interactive chat with Bash
Why do Persistent Disks in GCP need a snapshot when migrating to CMEK?
Open an interactive chat with Bash
Why should the Cloud KMS key be created in the same region as the Persistent Disks?
Open an interactive chat with Bash
GCP Professional Cloud Security Engineer
Ensuring data protection
Your Score:
Report Issue
Bash, the Crucial Exams Chat Bot
AI Bot
Loading...
Loading...
Loading...
Pass with Confidence.
IT & Cybersecurity Package
You have hit the limits of our free tier, become a Premium Member today for unlimited access.
Military, Healthcare worker, Gov. employee or Teacher? See if you qualify for a Community Discount.
Monthly
$19.99
$19.99/mo
Billed monthly, Cancel any time.
3 Month Pass
$44.99
$14.99/mo
One time purchase of $44.99, Does not auto-renew.
MOST POPULAR
Annual Pass
$119.99
$9.99/mo
One time purchase of $119.99, Does not auto-renew.
BEST DEAL
Lifetime Pass
$189.99
One time purchase, Good for life.
What You Get
All IT & Cybersecurity Package plans include the following perks and exams .