GCP Professional Cloud Security Engineer Practice Question

Your security team uses a single symmetric key in Cloud KMS as the customer-managed encryption key (CMEK) for both a Cloud Storage bucket that holds seven years of audit logs and a BigQuery dataset that contains the same logs for analytics. When the legally mandated retention period ends, the team must ensure the encrypted objects and tables become permanently unreadable, while keeping the bucket and dataset metadata for audit purposes. They want a one-time, deterministic action that meets this "crypto-shredding" requirement with minimal operational effort. What should they do?

Schedule destruction of the specific CMEK key version in Cloud KMS once the seven-year period ends.
Create lifecycle rules that delete the objects and tables after seven years so the CMEK is no longer referenced.
Rotate the CMEK annually and rely on automatic retirement of old key versions after seven years.
Delete IAM roles that grant the storage and BigQuery service accounts access to the CMEK after seven years.

Report Issue

Answer Description

In Google Cloud, data protected by a CMEK remains encrypted but readable as long as the key version used for encryption is enabled. Disabling the version only suspends access and can be reversed. Scheduling or executing DestroyCryptoKeyVersion on that version permanently removes the key material after the mandatory waiting period; once destroyed, any Cloud Storage objects or BigQuery tables encrypted with it can never be decrypted, yet the resources themselves continue to exist for auditing. Object lifecycle policies, IAM permission changes, or key rotation do not satisfy an irreversible crypto-shred requirement because data can still be decrypted by reenabling the key or through newer key versions.

Ask Bash

Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.