Your organization is building its first Google Cloud analytics pipeline. A Dataflow job writes intermediate files to a regional Cloud Storage bucket and streams cleaned records into a BigQuery dataset. No Cloud KMS keys or additional network controls have been configured. The security lead asks whether data will still be encrypted as it moves through the pipeline and when it is stored. What must you do to guarantee encryption of the data at rest and in transit?
Nothing: Google Cloud automatically encrypts data in transit between services and at rest in Cloud Storage and BigQuery using Google-managed keys.
Configure customer-supplied encryption keys (CSEK) on the Cloud Storage bucket because Google's default encryption protects only object metadata, not object contents.
Enable TLS on the Dataflow job and upload custom SSL certificates so that traffic between Dataflow workers, Cloud Storage, and BigQuery is encrypted.
Create a Cloud KMS key and enable CMEK for both the bucket and the dataset; otherwise the data stored by Dataflow remains unencrypted at rest.
Google Cloud automatically encrypts all customer data before it is written to disk in services such as Cloud Storage and BigQuery, using Google-managed AES-256 keys. In addition, traffic between Google Cloud services (including Dataflow workers communicating with Cloud Storage and BigQuery) is protected with TLS by default. Because both at-rest and in-transit encryption are provided out of the box, no extra configuration is required to satisfy the stated security requirement. Enabling CMEK or CSEK, uploading custom certificates, or modifying bucket access settings can provide additional control but is not necessary simply to ensure encryption; default encryption already covers the full data payload, not just metadata.
GCP Professional Data Engineer
Designing data processing systems