Google Cloud Professional Cloud Security Engineer — Question 141
You are migrating an application into the cloud. The application will need to read data from a Cloud Storage bucket. Due to local regulatory requirements, you need to hold the key material used for encryption fully under your control and you require a valid rationale for accessing the key material.
What should you do?
Answer options
- A. Encrypt the data in the Cloud Storage bucket by using Customer Managed Encryption Keys. Configure an IAM deny policy for unauthorized groups.
- B. Generate a key in your on-premises environment to encrypt the data before you upload the data to the Cloud Storage bucket. Upload the key to the Cloud Key Management Service (KMS). Activate Key Access Justifications (KAJ) and have the external key system reject unauthorized accesses.
- C. Encrypt the data in the Cloud Storage bucket by using Customer Managed Encryption Keys backed by a Cloud Hardware Security Module (HSM). Enable data access logs.
- D. Generate a key in your on-premises environment and store it in a Hardware Security Module (HSM) that is managed on-premises. Use this key as an external key in the Cloud Key Management Service (KMS). Activate Key Access Justifications (KAJ) and set the external key system to reject unauthorized accesses.
Correct answer: D
Explanation
The correct answer is D because it keeps the key material entirely under your control: the key is generated and stored in an HSM that you manage on-premises and is referenced from Cloud KMS only as an external key, so Google never holds the raw key material. Key Access Justifications (KAJ) satisfies the second requirement by attaching a stated reason to each key access, and the external key system can be configured to reject requests whose justification is not authorized. Option A does not provide full control of the key material, since Customer Managed Encryption Keys still reside in Cloud KMS, and an IAM deny policy gives no rationale for key access. Option B incorrectly uploads the key material to KMS, which contradicts the requirement for local control. Option C uses a Cloud HSM, which is Google-managed and therefore does not meet the requirement of holding the key on-premises; data access logs record accesses after the fact but do not require a justification for them.