A financial services company ingests transaction files into a Cloud Storage bucket, processes them with Dataflow, and loads the results into a BigQuery dataset, all located in europe-west1. Security policy states:
Google must not manage the encryption keys; the company has to control key rotation and disablement.
Every cryptographic key access must be captured in Cloud Logging and forwarded to the corporate SIEM.
Changing or rotating keys must not require any code changes in the existing Dataflow pipelines.
Which key-management approach best satisfies these requirements?
Create a Cloud KMS key ring in europe-west1 and enable customer-managed encryption keys (CMEK) for the Cloud Storage bucket, the Dataflow job, and the BigQuery dataset; export Cloud Audit Logs to the SIEM.
Configure customer-supplied encryption keys (CSEK) for the Cloud Storage bucket and pass the key in every Dataflow and BigQuery API call, rotating it manually when required.
Rely on Google-managed encryption keys for all services and enable Access Transparency logs to track Google personnel access.
Use Cloud External Key Manager (EKM) with keys stored in an on-premises HSM and attach the external key to Cloud Storage and BigQuery; leave Dataflow on default encryption.
Customer-managed encryption keys (CMEK) stored in Cloud KMS let the customer create, rotate, disable, and destroy the keys that protect data in BigQuery, Cloud Storage, and the Dataflow workers' persistent disks. All encrypt/decrypt operations against a CMEK key are automatically written to Cloud Audit Logs, which can be exported to an external SIEM. Because CMEK is enabled at the resource level (bucket, dataset, Dataflow job) rather than passed in API calls, pipelines continue to run unchanged after key rotation. Customer-supplied encryption keys require applications to transmit the raw key material on every request, so rotating keys demands code or configuration changes and does not generate automatic Cloud KMS audit logs. Google-managed keys violate the requirement that Google not manage the keys, and Cloud External Key Manager is not yet supported by Dataflow, so it cannot cover the entire pipeline.
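As an added Terraform example (not part of the original question, and not Google's own documentation), this is the layout the explanation describes: a key ring and key in europe-west1, the grants each service agent needs before it can use the key, the key bound to the bucket, dataset and Dataflow job, and a log sink forwarding Cloud KMS audit entries to a Pub/Sub topic read by the SIEM. The bucket name, the topic name and the Dataflow template are assumed placeholders.

```hcl
data "google_project" "p" {}
resource "google_kms_key_ring" "txn" {
  name     = "txn-keyring"
  location = "europe-west1"
}
resource "google_kms_crypto_key" "txn" {
  name            = "txn-cmek"
  key_ring        = google_kms_key_ring.txn.id
  rotation_period = "7776000s" # 90 days; rotation adds versions, the key name stays the same
}
# Storage, BigQuery and Dataflow service agents must be allowed to use the key.
resource "google_kms_crypto_key_iam_member" "agents" {
  for_each = toset([
    "serviceAccount:service-${data.google_project.p.number}@gs-project-accounts.iam.gserviceaccount.com",
    "serviceAccount:bq-${data.google_project.p.number}@bigquery-encryption.iam.gserviceaccount.com",
    "serviceAccount:service-${data.google_project.p.number}@dataflow-service-producer-prod.iam.gserviceaccount.com",
  ])
  crypto_key_id = google_kms_crypto_key.txn.id
  role          = "roles/cloudkms.cryptoKeyEncrypterDecrypter"
  member        = each.value
}
# CMEK is bound to each resource; pipeline code never handles key material.
resource "google_storage_bucket" "landing" {
  name       = "txn-landing-placeholder" # placeholder bucket name
  location   = "EUROPE-WEST1"
  encryption { default_kms_key_name = google_kms_crypto_key.txn.id }
  depends_on = [google_kms_crypto_key_iam_member.agents]
}
resource "google_bigquery_dataset" "txn" {
  dataset_id = "transactions"
  location   = "europe-west1"
  default_encryption_configuration { kms_key_name = google_kms_crypto_key.txn.id }
  depends_on = [google_kms_crypto_key_iam_member.agents]
}
resource "google_dataflow_job" "etl" {
  name              = "txn-etl"
  region            = "europe-west1"
  template_gcs_path = "gs://dataflow-templates/latest/GCS_Text_to_BigQuery" # assumed template
  # parameters = { ... } would carry that template's own inputs (assumed, omitted here)
  temp_gcs_location = "gs://${google_storage_bucket.landing.name}/tmp"
  kms_key_name      = google_kms_crypto_key.txn.id
}
# Forward every Cloud KMS audit entry (key use and key administration) to the SIEM topic.
resource "google_logging_project_sink" "siem" {
  name                   = "kms-audit-to-siem"
  destination            = "pubsub.googleapis.com/projects/${data.google_project.p.project_id}/topics/siem-ingest"
  filter                 = "protoPayload.serviceName=\"cloudkms.googleapis.com\""
  unique_writer_identity = true
}
```

The sink's writer identity still needs roles/pubsub.publisher on the topic, and Data Access audit logs (DATA_READ and DATA_WRITE) for cloudkms.googleapis.com must be enabled in the project's IAM audit configuration for the per-call encrypt and decrypt entries, not only key administration, to reach the sink.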
GCP Professional Data Engineer
Designing data processing systems