GCP Professional Cloud Security Engineer Practice Question
Your security team is designing an analytics workload that stores regulated customer data in BigQuery datasets located in europe-west2. Internal policy requires that encryption keys be generated and held exclusively in the company's on-premises HSM; the key material must never reside inside Google-controlled systems. Rotation must remain entirely under the company's control, and the application code should not need changes when a new key version is introduced. Which key-management approach best meets these requirements?
Provision an HSM-backed key ring in Cloud HSM, rotate the key in Cloud KMS, and configure BigQuery to use the HSM key as its CMEK.
Use customer-supplied encryption keys (CSEK) by passing the plaintext key with every BigQuery load and query job, updating the key parameter whenever rotation is required.
Set up Cloud External Key Manager, create the encryption key in the on-premises HSM, create an external key version in Cloud KMS that references it, and point BigQuery to that external key; perform future rotations only in the on-prem HSM.
Create a symmetric software key in a Cloud KMS key ring in europe-west2, enable automatic rotation every 90 days, and set that key as the BigQuery CMEK.
Cloud External Key Manager (EKM) lets you create and store the cryptographic key in an external HSM or key-management product that you operate, while Cloud KMS only keeps a reference (key URI) to that external key. Because the plaintext key never enters Google's infrastructure, custody requirements are satisfied. Key rotation is performed by generating a new version in the on-prem HSM and attaching that version to the existing CryptoKey in Cloud KMS, so workloads such as BigQuery continue to use the new key automatically with no code changes. Software or HSM-backed CMEK keys stored in Cloud KMS would place the key material under Google's control, and BigQuery does not support customer-supplied (CSEK) per-job keys. Therefore, configuring EKM with an external key and linking it to BigQuery is the only option that fulfills all constraints.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
What is Cloud External Key Manager (EKM) in GCP?
Open an interactive chat with Bash
How does key rotation work with Cloud External Key Manager (EKM)?
Open an interactive chat with Bash
What is the difference between Cloud KMS and Cloud External Key Manager (EKM)?
Open an interactive chat with Bash
What is Cloud External Key Manager (EKM)?
Open an interactive chat with Bash
Why can't software or HSM-backed CMEK keys in Cloud KMS meet the security team's requirement?
Open an interactive chat with Bash
How does key rotation work with Cloud External Key Manager (EKM)?
Open an interactive chat with Bash
GCP Professional Cloud Security Engineer
Ensuring data protection
Your Score:
Report Issue
Bash, the Crucial Exams Chat Bot
AI Bot
Loading...
Loading...
Loading...
Pass with Confidence.
IT & Cybersecurity Package
You have hit the limits of our free tier, become a Premium Member today for unlimited access.
Military, Healthcare worker, Gov. employee or Teacher? See if you qualify for a Community Discount.
Monthly
$19.99
$19.99/mo
Billed monthly, Cancel any time.
3 Month Pass
$44.99
$14.99/mo
One time purchase of $44.99, Does not auto-renew.
MOST POPULAR
Annual Pass
$119.99
$9.99/mo
One time purchase of $119.99, Does not auto-renew.
BEST DEAL
Lifetime Pass
$189.99
One time purchase, Good for life.
What You Get
All IT & Cybersecurity Package plans include the following perks and exams .