Google Cloud Professional Cloud Architect — Question 225
You are deploying a highly confidential data processing workload on Google Cloud. Your company’s compliance framework mandates that cryptographic keys used for encrypting data at rest must be generated and stored exclusively within a validated Hardware Security Module (HSM). You want to use a fully integrated Google Cloud managed service to handle the lifecycle and usage of these keys. What should you do?
Answer options
- A. Use Customer-Supplied Encryption Keys (CSEK) by providing your on-premises generated key with each API request.
- B. Import your on-premises HSM key material into a Cloud KMS key with the SOFTWARE protection level.
- C. Create a new key in Cloud Key Management Service (Cloud KMS) with the HSM protection level.
- D. Configure Cloud External Key Manager (Cloud EKM) to connect to your on-premises HSM.
Correct answer: C
Explanation
Option C is correct. A Cloud KMS key created with the HSM protection level has its key material generated inside, and never leaves, the FIPS 140-2 Level 3 validated HSMs that back Cloud HSM, and Cloud KMS manages the rest of the lifecycle (versions, rotation, IAM, audit logging, and CMEK integration with services such as Cloud Storage, BigQuery and Compute Engine). Option A is incorrect: with CSEK you generate the key yourself and send it with each API request; Google holds it only in memory for the duration of the operation and does not store or manage it, and nothing places it in an HSM. Option B is wrong: a SOFTWARE-level key is protected in software rather than in an HSM, and imported key material was by definition generated outside Google's HSM, which violates the "generated exclusively within" requirement even if the import target were an HSM-level key. Option D does not fit: Cloud EKM keeps the key material in an external key manager outside Google Cloud and calls out to it for each cryptographic operation, so it is not the fully integrated managed service the question asks for, and the validation and operation of that external HSM remain your responsibility.
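As an added example (not part of the original question or explanation), the following shell script shows how option C is carried out with gcloud and how to check the result the way a compliance reviewer would: the key is created with `--protection-level hsm`, and a small checker inspects `gcloud kms keys describe --format=json` output for `"protectionLevel": "HSM"`. The project, location, key ring and key names are assumed placeholders, and the two JSON samples are constructed to match the shape gcloud emits, not captured from a real project; the gcloud calls only run when the script is invoked with `--create`.

```shell
#!/bin/sh
# Added example, not from the exam page: create a Cloud KMS key at the HSM
# protection level and verify it. Names below are assumed placeholders.
set -eu

KMS_PROJECT="${KMS_PROJECT:-my-project}"            # placeholder
KMS_LOCATION="${KMS_LOCATION:-us-east1}"            # Cloud HSM is regional; use a supported region
KMS_KEYRING="${KMS_KEYRING:-confidential-ring}"     # placeholder
KMS_KEY="${KMS_KEY:-data-at-rest-key}"              # placeholder

# Create the key ring if it does not exist, then a symmetric encryption key
# whose material is generated inside Google's FIPS 140-2 Level 3 HSMs.
# The protection level is fixed at creation and cannot be changed later.
create_hsm_key() {
  gcloud kms keyrings describe "$KMS_KEYRING" \
      --location "$KMS_LOCATION" --project "$KMS_PROJECT" >/dev/null 2>&1 \
    || gcloud kms keyrings create "$KMS_KEYRING" \
         --location "$KMS_LOCATION" --project "$KMS_PROJECT"
  gcloud kms keys create "$KMS_KEY" \
    --keyring "$KMS_KEYRING" --location "$KMS_LOCATION" --project "$KMS_PROJECT" \
    --purpose encryption \
    --protection-level hsm
}

# Pure-shell check over `gcloud kms keys describe --format=json` output.
# Returns 0 only when the key's version template reports the HSM level;
# a SOFTWARE key, an EXTERNAL (EKM) key, or malformed output all fail.
check_hsm_key() {
  printf '%s\n' "$1" | grep -Eq '"protectionLevel":[[:space:]]*"HSM"'
}

# Fetch the live key description and run the check against it.
verify_hsm_key() {
  check_hsm_key "$(gcloud kms keys describe "$KMS_KEY" \
      --keyring "$KMS_KEYRING" --location "$KMS_LOCATION" \
      --project "$KMS_PROJECT" --format=json)"
}

# Constructed samples in the shape gcloud emits (not real project output).
HSM_KEY_JSON='{
  "name": "projects/my-project/locations/us-east1/keyRings/confidential-ring/cryptoKeys/data-at-rest-key",
  "purpose": "ENCRYPT_DECRYPT",
  "versionTemplate": {
    "algorithm": "GOOGLE_SYMMETRIC_ENCRYPTION",
    "protectionLevel": "HSM"
  }
}'
SOFTWARE_KEY_JSON='{
  "name": "projects/my-project/locations/us-east1/keyRings/confidential-ring/cryptoKeys/imported-key",
  "purpose": "ENCRYPT_DECRYPT",
  "versionTemplate": {
    "algorithm": "GOOGLE_SYMMETRIC_ENCRYPTION",
    "protectionLevel": "SOFTWARE"
  }
}'

# Only touch a real project when explicitly asked to.
if [ "${1:-}" = "--create" ]; then
  create_hsm_key
  if verify_hsm_key; then
    echo "OK: $KMS_KEY is HSM-protected"
  else
    echo "FAIL: $KMS_KEY is not HSM-protected" >&2
    exit 1
  fi
fi
```

Run it as `sh create_hsm_key.sh --create` after `gcloud auth login` and with the Cloud KMS API enabled. For stronger, hardware-rooted evidence than the describe output, each Cloud HSM key version also carries an attestation statement that can be pulled with `gcloud kms keys versions describe ... --attestation-file=PATH` and verified against Google's published HSM certificate chain; that is the artifact an auditor will usually want in addition to the protection level shown here.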