GCP Professional Cloud Security Engineer Practice Question
Your organization is migrating sensitive genomics data to Cloud Storage. A regional privacy law requires that the encryption keys must never leave the company-owned, on-premises HSM cluster, and security policy mandates that any dataset can be rendered unreadable at once by disabling the on-prem key. Developers do not want to modify application code beyond selecting an encryption option for the bucket. Which Google Cloud approach best satisfies these requirements?
Configure CMEK with a software-backed symmetric key stored in Cloud KMS and rotate it quarterly.
Enable Customer-Managed Encryption Keys backed by Cloud HSM for the bucket.
Protect the bucket with a Cloud External Key Manager (EKM) key and enable CMEK using the external key reference.
Rely on Google default encryption and enforce Bucket Lock to prevent key access by Google personnel.
Because the keys must remain in an on-premises HSM and administrators need the ability to make data inaccessible by disabling that external key, Cloud External Key Manager (EKM) is the correct choice. EKM allows Cloud Storage objects to be protected by a key that resides and is operated entirely outside Google's infrastructure; turning off or destroying the external key immediately renders the data unreadable (crypto-shredding).
Using CMEK with Cloud KMS software keys would store keys in Google-managed software, violating the "never leave" requirement. CMEK with Cloud HSM keeps keys inside Google-hosted HSMs, still outside the organization's premises. Relying on Google default encryption gives Google full control of the keys and provides no immediate crypto-shred capability to the customer.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
What is Cloud External Key Manager (EKM)?
Open an interactive chat with Bash
How does crypto-shredding work with EKM?
Open an interactive chat with Bash
What is the difference between CMEK and Cloud EKM?
Open an interactive chat with Bash
What is Cloud External Key Manager (EKM)?
Open an interactive chat with Bash
How does crypto-shredding work with Cloud External Key Manager?
Open an interactive chat with Bash
Why are CMEK options with Cloud KMS or Cloud HSM unsuitable in this case?
Open an interactive chat with Bash
GCP Professional Cloud Security Engineer
Ensuring data protection
Your Score:
Report Issue
Bash, the Crucial Exams Chat Bot
AI Bot
Loading...
Loading...
Loading...
Pass with Confidence.
IT & Cybersecurity Package
You have hit the limits of our free tier, become a Premium Member today for unlimited access.
Military, Healthcare worker, Gov. employee or Teacher? See if you qualify for a Community Discount.
Monthly
$19.99 $11.99
$11.99/mo
Billed monthly, Cancel any time.
$19.99 after promotion ends
3 Month Pass
$44.99 $26.99
$8.99/mo
One time purchase of $26.99, Does not auto-renew.
$44.99 after promotion ends
Save $18!
MOST POPULAR
Annual Pass
$119.99 $71.99
$5.99/mo
One time purchase of $71.99, Does not auto-renew.
$119.99 after promotion ends
Save $48!
BEST DEAL
Lifetime Pass
$189.99 $113.99
One time purchase, Good for life.
Save $76!
What You Get
All IT & Cybersecurity Package plans include the following perks and exams .