A healthcare provider runs a regional pipeline that exports HL7v2 messages to Pub/Sub, processes them in near-real time with Dataflow Streaming Engine, writes temporary files to a Cloud Storage bucket, and loads curated records into BigQuery. New compliance policy demands every persisted copy of the data-including transient shuffle or Streaming Engine state-be encrypted at rest with a customer-managed Cloud KMS key that security rotates. The team wants the simplest design that meets the rule. What should you recommend?
Keep the existing Dataflow job but add the --kmsKey flag and use a CMEK-protected Cloud Storage bucket for staging and temporary data.
Enable CMEK on the BigQuery dataset and configure Pub/Sub with a customer-managed key; rely on Dataflow's default at-rest encryption.
Re-implement the streaming transformation on a Dataproc cluster whose VM boot disks and all HDFS or Cloud Storage paths use the organization's CMEK.
Run the Dataflow job inside a VPC Service Controls perimeter and ensure TLS is used for Pub/Sub and BigQuery connections without changing at-rest encryption.
Dataflow supports customer-managed encryption keys only for worker VM disks and for Cloud Storage staging or temporary buckets. Its service-managed layers-shuffle and Streaming Engine state-remain encrypted with Google-managed keys, so the pipeline cannot guarantee CMEK coverage for every persisted byte. Re-implementing the streaming transformation on Dataproc lets you encrypt all VM boot disks and any HDFS or Cloud Storage locations with the organization's Cloud KMS key, satisfying the requirement. Merely adding --kmsKey to Dataflow, enabling CMEK on BigQuery or Pub/Sub, or enclosing the job in a VPC Service Controls perimeter leaves Dataflow's internal state encrypted with Google-managed keys and therefore non-compliant.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
What is CMEK and why is it important for encryption in GCP?
Open an interactive chat with Bash
What is HL7v2 and why is it used in healthcare pipelines?
Open an interactive chat with Bash
How does Dataproc differ from Dataflow for data processing in GCP?
Open an interactive chat with Bash
What is CMEK in GCP?
Open an interactive chat with Bash
What is the difference between Dataflow and Dataproc in GCP?
Open an interactive chat with Bash
Why is shuffle encryption in Dataflow not compliant with CMEK?
Open an interactive chat with Bash
GCP Professional Data Engineer
Ingesting and processing the data
Your Score:
Report Issue
Bash, the Crucial Exams Chat Bot
AI Bot
Loading...
Loading...
Loading...
Pass with Confidence.
IT & Cybersecurity Package
You have hit the limits of our free tier, become a Premium Member today for unlimited access.
Military, Healthcare worker, Gov. employee or Teacher? See if you qualify for a Community Discount.
Monthly
$19.99
$19.99/mo
Billed monthly, Cancel any time.
3 Month Pass
$44.99
$14.99/mo
One time purchase of $44.99, Does not auto-renew.
MOST POPULAR
Annual Pass
$119.99
$9.99/mo
One time purchase of $119.99, Does not auto-renew.
BEST DEAL
Lifetime Pass
$189.99
One time purchase, Good for life.
What You Get
All IT & Cybersecurity Package plans include the following perks and exams .