A financial-services company must store sensitive PII in BigQuery while retaining full control over the encryption keys. Compliance rules state that keys must reside in the europe-west2 region, rotate every 90 days, and be usable only by BigQuery; analytics engineers may query the data but must not have direct access to decrypt it. The company also wants to avoid passing an encryption key reference in every query job. Which design best meets these requirements with the least operational overhead?
Enable default Google-managed encryption and restrict PII access with BigQuery IAM roles; no customer keys are required.
Adopt customer-supplied encryption keys (CSEK) so that engineers supply the key in every BigQuery job request, ensuring the key never resides in Google Cloud.
Create datasets in europe-west2 and set a dataset-level default CMEK from a europe-west2 keyring; grant the project's BigQuery service agent the CryptoKey Encrypter/Decrypter role and configure a 90-day automatic rotation schedule on the key.
Stage data in a CMEK-protected Cloud Storage bucket and query it through BigQuery external tables, relying on inherited bucket permissions instead of granting the BigQuery service agent access to the key.
Configuring a default customer-managed encryption key (CMEK) on the BigQuery dataset meets all listed requirements. The KMS key and the dataset must share the same region, so a europe-west2 keyring is appropriate. Granting the BigQuery service agent the Cloud KMS CryptoKey Encrypter/Decrypter role lets BigQuery use the key while preventing users from accessing it directly. Cloud KMS can be set to rotate the key automatically every 90 days, and once the dataset default key is set, BigQuery applies it without requiring the client to include the key on each job. The other options fail: default Google-managed encryption does not satisfy the control requirement; customer-supplied keys demand the key with every request and expose it to users; and external tables in Cloud Storage would still need the service agent's KMS permissions and add unnecessary complexity.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
What is a Customer-Managed Encryption Key (CMEK) in GCP?
Open an interactive chat with Bash
How does granting BigQuery service agent the CryptoKey Encrypter/Decrypter role secure PII in BigQuery?
Open an interactive chat with Bash
What are the advantages of automatic rotation of encryption keys in Cloud KMS?
Open an interactive chat with Bash
What is a CMEK and how is it different from default Google-managed encryption in BigQuery?
Open an interactive chat with Bash
What role does the BigQuery service agent play in the CMEK-based encryption setup?
Open an interactive chat with Bash
How does automatic key rotation work in Cloud KMS, and why is it recommended?
Open an interactive chat with Bash
GCP Professional Data Engineer
Designing data processing systems
Your Score:
Report Issue
Bash, the Crucial Exams Chat Bot
AI Bot
Loading...
Loading...
Loading...
Pass with Confidence.
IT & Cybersecurity Package
You have hit the limits of our free tier, become a Premium Member today for unlimited access.
Military, Healthcare worker, Gov. employee or Teacher? See if you qualify for a Community Discount.
Monthly
$19.99
$19.99/mo
Billed monthly, Cancel any time.
3 Month Pass
$44.99
$14.99/mo
One time purchase of $44.99, Does not auto-renew.
MOST POPULAR
Annual Pass
$119.99
$9.99/mo
One time purchase of $119.99, Does not auto-renew.
BEST DEAL
Lifetime Pass
$189.99
One time purchase, Good for life.
What You Get
All IT & Cybersecurity Package plans include the following perks and exams .