You are building a Dataflow streaming pipeline that writes to a BigQuery dataset containing sensitive health data. Compliance mandates that data at rest be encrypted with customer-managed keys stored in us-central1, that the key rotate every 90 days without downtime, and that the security team can quickly block the pipeline from decrypting data if a breach is suspected. Which solution best satisfies these requirements?
Rely on Google-managed default encryption for BigQuery and restrict Dataflow workers with VPC Service Controls; accept Google's automatic, silent key rotation.
Create a Cloud KMS key ring in us-central1 and enable automatic key rotation every 90 days. Encrypt the BigQuery dataset with this CMEK and grant the BigQuery service account the CryptoKey Encrypter/Decrypter role; security can revoke this role to stop decryption if needed.
Use client-side encryption by supplying a customer-supplied key (CSEK) to each Dataflow job. Rotate the key by generating a new value and rewriting all existing BigQuery data.
Store an AES-256 key in an on-premises HSM and have Dataflow workers download it through environment variables; rotate by updating the configuration file that contains the key reference.
Cloud KMS-backed customer-managed encryption keys (CMEK) let you control encryption for BigQuery while keeping the key material in a regional key ring such as us-central1. You can configure automatic rotation (for example, every 90 days), which creates a new key version and marks it primary; BigQuery immediately begins using the new version with no disruption to the Dataflow pipeline. To let BigQuery encrypt and decrypt data, grant the BigQuery service account (service-@gcp-sa-bigquery.iam.gserviceaccount.com) the Cloud KMS CryptoKey Encrypter/Decrypter role on the key. If a breach is suspected, security can quickly block decryption by revoking that role from the service account (disabling the key alone would not immediately stop decryption because existing permissions are still cached). Client-side encryption with customer-supplied keys would require manually rewriting data on every rotation, Google-managed keys would not meet the customer-managed requirement, and storing keys on-premises would forgo the rotation and access-control capabilities of Cloud KMS.
GCP Professional Data Engineer
Ingesting and processing the data