GCP Cloud Digital Leader Practice Question

Your organization wants assurance that its data will be encrypted at rest in Google Cloud without any manual setup. According to Google's default infrastructure protections, which statement accurately describes how this encryption is implemented?

Data at rest is encrypted only when customers enable customer-managed encryption keys (CMEK); otherwise it is stored in plaintext.
Only datasets that customers explicitly classify as sensitive are automatically encrypted; all other data remains unencrypted unless requested.
Google Cloud relies on third-party hardware appliances that customers must deploy in each project to apply encryption at rest.
Google Cloud encrypts all customer data at rest by default using AES-256, and wrapper keys are automatically rotated on a regular schedule.

Report Issue

Answer Description

Google Cloud automatically encrypts all customer content stored on Google-managed services, including Cloud Storage objects and persistent disks. Data chunks are encrypted with individual data-encryption keys using AES-256 or AES-128, and each of those keys is itself encrypted with regularly rotated key-encryption keys that are strictly managed by Google. This default, service-side envelope encryption is always on; customers do not need to deploy hardware, enable a setting, or supply their own keys unless they choose customer-managed or customer-supplied key features. Therefore, the correct choice is the statement that describes automatic, default encryption with key rotation handled by Google.

Ask Bash

Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.