GCP Professional Cloud Security Engineer Practice Question
Your security team is reviewing how telemetry data from thousands of warehouse temperature sensors will be ingested into Cloud Storage and queried from BigQuery. The dataset contains no customer or employee identifiers and is subject only to the company's general data-handling policy, which mandates encryption at rest but does not impose any key custody or key-location requirements. The team wants the simplest, lowest-cost approach that still satisfies the policy. Which encryption option should you recommend?
Require every sensor gateway to include a customer-supplied encryption key (CSEK) with each upload so Cloud Storage encrypts the data using that key on the server side.
Rely on Google-managed default encryption, which automatically encrypts all Cloud Storage objects and BigQuery tables at rest without any extra configuration.
Use Cloud External Key Manager (EKM) so the encryption key is generated and stored in a third-party Hardware Security Module outside Google Cloud.
Configure Customer-Managed Encryption Keys (CMEK) by creating a symmetric key in Cloud KMS and specifying it for the relevant buckets and datasets.
Because the organization has no requirement to control or externally store encryption keys, relying on Google-managed default encryption is the most straightforward and economical solution. Google automatically encrypts all data written to Cloud Storage objects and BigQuery tables at rest using AES-256 keys that it manages and rotates. Configuring Customer-Managed Encryption Keys (CMEK) or Cloud External Key Manager (EKM) would meet the requirement but introduce additional operational overhead and costs for key creation, rotation, and availability. Using customer-supplied encryption keys (CSEK) would likewise add complexity because each read and write request must include the base64-encoded key material and key hash, and Google cannot manage or recover the key if it is lost. Therefore, default Google-managed encryption is the recommended choice.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
What is Google-managed default encryption?
Open an interactive chat with Bash
What is the difference between CMEK and Google-managed encryption?
Open an interactive chat with Bash
When should you use Cloud External Key Manager (EKM)?
Open an interactive chat with Bash
What is Google-managed default encryption for Cloud Storage and BigQuery?
Open an interactive chat with Bash
What is the difference between Customer-Managed Encryption Keys (CMEK) and Google-managed encryption?
Open an interactive chat with Bash
When should external encryption options like Cloud External Key Manager (EKM) be used?
Open an interactive chat with Bash
GCP Professional Cloud Security Engineer
Ensuring data protection
Your Score:
Report Issue
Bash, the Crucial Exams Chat Bot
AI Bot
Loading...
Loading...
Loading...
Pass with Confidence.
IT & Cybersecurity Package
You have hit the limits of our free tier, become a Premium Member today for unlimited access.
Military, Healthcare worker, Gov. employee or Teacher? See if you qualify for a Community Discount.
Monthly
$19.99
$19.99/mo
Billed monthly, Cancel any time.
3 Month Pass
$44.99
$14.99/mo
One time purchase of $44.99, Does not auto-renew.
MOST POPULAR
Annual Pass
$119.99
$9.99/mo
One time purchase of $119.99, Does not auto-renew.
BEST DEAL
Lifetime Pass
$189.99
One time purchase, Good for life.
What You Get
All IT & Cybersecurity Package plans include the following perks and exams .