GCP Professional Cloud Security Engineer Practice Question
Your organization stores raw data in a Cloud Storage bucket in europe-west3 and ingests it into a BigQuery dataset in the EU multi-region. Audit logs will be archived daily and signed with an asymmetric key. Policy requires that CMEK keys reside in the same Google Cloud location as the data whenever possible, with the fewest key rings. Which design meets these constraints?
Create two key rings: one in eu with a symmetric key for BigQuery, and one in europe-west3 with a symmetric key for Cloud Storage. Add an asymmetric RSA-2048 signing key in either ring.
Create three key rings: europe-west3, eu, and global. Place a symmetric key for each workload in its own ring and the signing key in the global ring.
Create one key ring in the eu multi-region containing two symmetric encryption keys for Cloud Storage and BigQuery, plus an asymmetric RSA signing key.
Create one key ring in europe-west3 containing a single symmetric encryption key shared by Cloud Storage and BigQuery, plus an asymmetric signing key.
Although Cloud Storage can consume a CMEK key from any Cloud KMS location, the internal policy requires using a key in the same region when that option exists, so the bucket's key is placed in europe-west3. BigQuery enforces that a dataset in the EU multi-region can only be protected by a key that also resides in the EU multi-region, so a second key ring there is compulsory. Because key rings are location-scoped, two key rings-eu and europe-west3-satisfy both Google Cloud's service constraints and the policy while minimizing operational overhead. The asymmetric RSA signing key is not tied to any service-managed data location, so hosting it in either of the existing rings complies with the policy without creating an additional ring. A single key ring would break either the BigQuery restriction or the organizational policy, while three key rings introduce unnecessary management effort.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
What is a CMEK key in Google Cloud?
Open an interactive chat with Bash
Why do BigQuery datasets in the EU multi-region require CMEK keys in the same location?
Open an interactive chat with Bash
What is an asymmetric RSA signing key and how is it used?
Open an interactive chat with Bash
What is CMEK and its importance in Google Cloud services?
Open an interactive chat with Bash
Why does BigQuery enforce that datasets in the EU multi-region be protected by a key in the same region?
Open an interactive chat with Bash
What is an RSA signing key, and why is it used for archiving audit logs?
Open an interactive chat with Bash
GCP Professional Cloud Security Engineer
Ensuring data protection
Your Score:
Report Issue
Bash, the Crucial Exams Chat Bot
AI Bot
Loading...
Loading...
Loading...
Pass with Confidence.
IT & Cybersecurity Package
You have hit the limits of our free tier, become a Premium Member today for unlimited access.
Military, Healthcare worker, Gov. employee or Teacher? See if you qualify for a Community Discount.
Monthly
$19.99 $11.99
$11.99/mo
Billed monthly, Cancel any time.
$19.99 after promotion ends
3 Month Pass
$44.99 $26.99
$8.99/mo
One time purchase of $26.99, Does not auto-renew.
$44.99 after promotion ends
Save $18!
MOST POPULAR
Annual Pass
$119.99 $71.99
$5.99/mo
One time purchase of $71.99, Does not auto-renew.
$119.99 after promotion ends
Save $48!
BEST DEAL
Lifetime Pass
$189.99 $113.99
One time purchase, Good for life.
Save $76!
What You Get
All IT & Cybersecurity Package plans include the following perks and exams .