A bank is migrating its 50-TB on-premises data warehouse to BigQuery. Regulations stipulate that encryption keys must be fully controlled and rotated by the bank rather than by Google. Data engineers need rights to create and query datasets but must never obtain direct access to the encryption keys themselves. Key rotation should occur automatically to minimize operational effort. Which approach best meets all of these requirements?
Deploy an on-premises hardware security module and integrate it with Cloud External Key Manager (EKM); schedule key rotations manually in the external KMS.
Before loading, encrypt the data on-premises with your own keys and store it in Cloud Storage; do not configure any BigQuery-side encryption.
Create a Cloud KMS key ring in a dedicated security project, protect BigQuery datasets with CMEK, grant the BigQuery service account the CryptoKey Encrypter/Decrypter role on the key, and enable automatic rotation on the key.
Use BigQuery's default Google-managed encryption and rely on Google's automatic key rotation.
Customer-Managed Encryption Keys (CMEK) in Cloud KMS let the customer own and control the keys while BigQuery uses them to encrypt data. Placing the key ring in a separate security project and granting only the BigQuery service account the Cloud KMS CryptoKey Encrypter/Decrypter role enforces separation of duties, so data engineers can query data without accessing the keys. Cloud KMS supports automated key rotation, eliminating manual overhead. Google-managed keys fail the ownership requirement; managing keys on-premises via Cloud External Key Manager increases operational complexity and, as described in that option, requires manual rotation in the external KMS; encrypting data client-side before load prevents use of native BigQuery CMEK and adds maintenance overhead.
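The following script is an added example, not part of the exam page, showing how the chosen layout is provisioned with gcloud and bq: a key ring in a separate security project, a key with automatic rotation, a single IAM binding on the key for BigQuery's encryption service agent, a dataset whose default key points at it, and BigQuery-only roles for the engineers on the data project. Project, ring, key, dataset and group names are assumed placeholders; with DRY_RUN=1 (the default) every command is printed rather than executed. The audit_key_bindings helper is also an assumption of this example: it reads "MEMBER ROLE" lines, as you might dump from a key's IAM policy, and fails if anyone other than the BigQuery service agent holds a key-use role.

```shell
#!/bin/sh
# Added example (not the exam page's or Google's code). All names below are
# assumed placeholders; DRY_RUN=1 prints commands instead of running them.
set -eu

SECURITY_PROJECT="${SECURITY_PROJECT:-sec-keys-prj}"   # assumed: only the key ring lives here
DATA_PROJECT="${DATA_PROJECT:-dw-data-prj}"            # assumed: BigQuery datasets live here
LOCATION="${LOCATION:-us}"                             # key ring and dataset must share a location
KEYRING="${KEYRING:-bq-cmek-ring}"
KEY="${KEY:-dw-key}"
DATASET="${DATASET:-warehouse}"
ENGINEERS="${ENGINEERS:-group:data-engineers@example.com}"  # assumed group
ROTATION_DAYS="${ROTATION_DAYS:-90}"
DRY_RUN="${DRY_RUN:-1}"

run() {
  if [ "$DRY_RUN" = "1" ]; then printf '+ %s\n' "$*"; else "$@"; fi
}

# Full Cloud KMS resource name, the value BigQuery expects for --default_kms_key.
kms_key_resource() {
  printf 'projects/%s/locations/%s/keyRings/%s/cryptoKeys/%s' "$1" "$2" "$3" "$4"
}

# Separation-of-duties check on a key's IAM policy, fed as "MEMBER ROLE" lines
# on stdin. Key-use roles may be held only by BigQuery's encryption service
# agent; roles/cloudkms.admin on the security team is fine, since it manages
# keys but does not include permission to encrypt or decrypt with them.
audit_key_bindings() {
  bad=0
  while read -r member role; do
    [ -z "$member" ] && continue
    case "$role" in
      roles/cloudkms.cryptoKeyEncrypterDecrypter|roles/cloudkms.cryptoKeyEncrypter|roles/cloudkms.cryptoKeyDecrypter)
        case "$member" in
          serviceAccount:bq-*@bigquery-encryption.iam.gserviceaccount.com) ;;
          *) echo "unexpected key access: $member holds $role" >&2; bad=1 ;;
        esac ;;
    esac
  done
  return $bad
}

provision() {
  key_res=$(kms_key_resource "$SECURITY_PROJECT" "$LOCATION" "$KEYRING" "$KEY")
  # RFC 3339 timestamp for the first rotation (GNU date, then BSD date, then a marker to fill in).
  next_rotation=$(date -u -d "+${ROTATION_DAYS} days" +%Y-%m-%dT%H:%M:%SZ 2>/dev/null \
    || date -u -v+"${ROTATION_DAYS}"d +%Y-%m-%dT%H:%M:%SZ 2>/dev/null \
    || echo "SET-NEXT-ROTATION-RFC3339")

  # 1. Key ring and key in the security project; Cloud KMS rotates the key on its own.
  run gcloud kms keyrings create "$KEYRING" --location "$LOCATION" --project "$SECURITY_PROJECT"
  run gcloud kms keys create "$KEY" --keyring "$KEYRING" --location "$LOCATION" \
    --project "$SECURITY_PROJECT" --purpose encryption \
    --rotation-period "${ROTATION_DAYS}d" --next-rotation-time "$next_rotation"

  # 2. BigQuery's per-project encryption service agent is the only principal allowed to use the key.
  if [ "$DRY_RUN" = "1" ]; then
    bq_sa="bq-PROJECT_NUMBER@bigquery-encryption.iam.gserviceaccount.com"   # placeholder
  else
    bq_sa=$(bq show --encryption_service_account --project_id "$DATA_PROJECT" \
      | grep -o 'bq-[0-9]*@bigquery-encryption.iam.gserviceaccount.com')
  fi
  run gcloud kms keys add-iam-policy-binding "$KEY" --keyring "$KEYRING" --location "$LOCATION" \
    --project "$SECURITY_PROJECT" --member "serviceAccount:$bq_sa" \
    --role roles/cloudkms.cryptoKeyEncrypterDecrypter

  # 3. Dataset in the data project whose tables default to the CMEK key.
  run bq mk --dataset --location "$LOCATION" --default_kms_key "$key_res" "${DATA_PROJECT}:${DATASET}"

  # 4. Engineers get BigQuery roles on the data project and nothing on the key or its project.
  run gcloud projects add-iam-policy-binding "$DATA_PROJECT" --member "$ENGINEERS" --role roles/bigquery.dataEditor
  run gcloud projects add-iam-policy-binding "$DATA_PROJECT" --member "$ENGINEERS" --role roles/bigquery.jobUser
}

provision
```

Two points a practitioner should keep in mind when operating this layout: rotation in Cloud KMS creates a new primary key version but does not re-encrypt data already written, and BigQuery tables keep using the version they were created with, so earlier versions must stay enabled rather than being disabled or destroyed after rotation; and the audit above is only meaningful if it also covers inherited bindings, so it should be run against the effective policy of the key, its ring and the security project, not just the key's own policy.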
GCP Professional Data Engineer
Designing data processing systems