Your company requires that all data stored in Cloud Storage be encrypted using keys managed by your security team. The security team wants to automatically rotate the keys every 90 days. Which encryption method should you use?

Answer options:

Google-Managed Encryption Keys.

Customer-Supplied Encryption Keys (CSEK).

Customer-Managed Encryption Keys (CMEK) using Cloud KMS.

Client-side encryption.

How to approach this question

Differentiate between Google-managed, Customer-managed (CMEK), and Customer-supplied (CSEK) keys.

Full Answer

C.Customer-Managed Encryption Keys (CMEK) using Cloud KMS.✓ Correct

Customer-Managed Encryption Keys (CMEK) via Cloud KMS is the standard solution when a company needs control over key management (rotation, disabling, auditing) but wants GCP services (like Cloud Storage) to handle the actual encryption/decryption process seamlessly. Cloud KMS supports automatic key rotation.

Common mistakes

Confusing CMEK (keys live in GCP KMS) with CSEK (keys live on-prem and are sent with every API request).

Question 37 All questions Question 39

Practice the full GCP Professional Cloud Architect Practice Exam 1

50 questions · hints · full answers · grading

More questions from this exam

Q01**CASE STUDY: TechStream Gaming** **Company Overview:** TechStream Gaming is a global gaming com...Hard Q02**CASE STUDY: TechStream Gaming** **Company Overview:** TechStream Gaming is a global gaming com...Medium Q03**CASE STUDY: TechStream Gaming** **Company Overview:** TechStream Gaming is a global gaming com...Hard Q04**CASE STUDY: TechStream Gaming** **Company Overview:** TechStream Gaming is a global gaming com...Medium Q05**CASE STUDY: TechStream Gaming** **Company Overview:** TechStream Gaming is a global gaming com...Medium

View all 50 questions →