Difficulty: Medium · 1 mark · Multiple Choice
Subtask 3.1: Security Design · Tags: Security, Encryption, Cloud KMS, CMEK

GCP PCA · Question 48 · Security Design

Your organization is migrating sensitive data to Cloud Storage. The security team dictates that Google must not manage the encryption keys, but they also do not want the operational burden of maintaining their own highly available key servers on-premises. Which TWO actions should you take? (Select TWO)

Answer options:

A. Use Customer-Managed Encryption Keys (CMEK)
B. Use Customer-Supplied Encryption Keys (CSEK)
C. Create a Key Ring and Key in Cloud KMS
D. Use Google-Managed Encryption Keys (GMEK)
E. Encrypt the data locally using a Python script before uploading

How to approach this question

Identify the encryption method that provides control without infrastructure overhead.

Full Answer

Customer-Managed Encryption Keys (CMEK) strike the balance between control and operational overhead. The keys are generated and stored in Google's Cloud Key Management Service (Cloud KMS), so Google handles the high availability. However, the customer retains full cryptographic control over the keys.

Common mistakes

Choosing CSEK (B), which forces the customer to build their own key servers.

Practice the full GCP Professional Cloud Architect Practice Exam 5