GCP Professional Data Engineer Practice Question

Your healthcare analytics team is building a Pub/Sub → Dataflow → BigQuery streaming pipeline. Dataflow writes temporary files to a Cloud Storage bucket. Because the stream carries PHI, security mandates: 1) customer-managed encryption keys, 2) keys must reside in a separate security project, 3) automatic key rotation must not disrupt processing, and 4) BigQuery results must be shareable across projects using authorized views. Which architecture meets all these requirements?

Use Google-managed encryption for Dataflow worker disks and the Cloud Storage bucket, enable CMEK only on BigQuery with automatic rotation, and grant the BigQuery service account access to the key for cross-project authorized view sharing.
Create a separate key ring in each data-processing project, apply CMEK only to BigQuery and Cloud Storage, and perform manual yearly key rotations that require regenerating and redeploying the Dataflow template with the new key version.
Create a Cloud KMS key ring in a dedicated security project, grant encrypt/decrypt access to the Dataflow, BigQuery, and Cloud Storage service accounts, enable the same CMEK on the BigQuery dataset, Dataflow worker resources, and the staging bucket, and configure automatic rotation on the key so new versions are picked up transparently while continuing to share results through authorized views.
Store a CMEK in the Dataflow project, enable the key on Dataflow and Cloud Storage, leave BigQuery encrypted with Google-managed keys, and schedule an Airflow job to export and re-encrypt tables after each rotation to satisfy PHI requirements.

Report Issue

Answer Description

Storing the CMEK in a dedicated security project enforces separation of duties between key management and data access. Granting the Cloud KMS CryptoKey Encrypter/Decrypter role to the Dataflow, BigQuery, and Cloud Storage service accounts lets each service use the same key without exposing it to pipeline users. Applying that CMEK to the BigQuery dataset, the staging bucket, and the Dataflow job ensures every location that stores PHI is protected. Because Cloud services reference the key rather than a specific version, automatic rotation promotes a new primary version transparently, so the streaming job continues without redeployment while new data is encrypted with the latest version and old data remains decryptable. BigQuery authorized views still function because encryption is handled by the service layer, so access controls-not decryption-determine what downstream projects can query. The alternative designs either require manual rotation, omit CMEK on some resources, or locate keys in the same projects as the data, violating stated policies.

Ask Bash

Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.