ISC2 Certified Cloud Security Professional (CCSP) Practice Question
Your organization must store sensitive customer data in a public cloud object storage service. Regulations require that cloud provider personnel must never be able to decrypt that data, yet the security team still wants to leverage the provider's server-side encryption workflow and its built-in key-rotation automation. Which key management approach best satisfies these compliance and operational requirements?
Encrypt all objects client-side and store encryption keys exclusively on-premises, disabling server-side encryption.
Import and manage your own root keys inside the provider's KMS (Bring Your Own Key / customer-managed keys).
Use provider-managed encryption keys that are automatically created and controlled by the cloud service provider.
Rely on the provider's default object-level encryption that generates a unique key for each object without customer involvement.
Using customer-managed keys that you import into the cloud provider's key-management service, often called a Bring Your Own Key (BYOK) model, allows the organization to retain sole ownership of the root key material. Because the key originates with the customer and can be revoked or rotated solely by the customer, provider administrators cannot decrypt the protected data. At the same time, the imported key is stored in the provider's hardened KMS or HSM, enabling the cloud platform to perform transparent server-side encryption, automated key rotation of data-encryption keys (DEKs), and seamless integration with storage services. Relying on provider-managed or default keys leaves decryption authority with the provider, violating the requirement. Pure client-side encryption with locally held keys removes provider access but also forfeits server-side encryption features, which the scenario explicitly wants to keep.
ISC2 Certified Cloud Security Professional (CCSP)
Cloud Concepts, Architecture and Design