Google Cloud Professional Cloud Security Engineer — Question 172
You must ensure that the keys used for at-rest encryption of your data are compliant with your organization's security controls. One security control mandates that keys get rotated every 90 days. You must implement an effective detection strategy to validate if keys are rotated as required. What should you do?
Answer options
- A. Analyze the crypto key versions of the keys by using data from Cloud Asset Inventory. If an active key is older than 90 days, send an alert message through your incident notification channel.
- B. Assess the keys in the Cloud Key Management Service by implementing code in Cloud Run. If a key is not rotated after 90 days, raise a finding in Security Command Center.
- C. Define a metric that checks for timely key updates by using Cloud Logging. If a key is not rotated after 90 days, send an alert message through your incident notification channel.
- D. Identify keys that have not been rotated by using Security Health Analytics. If a key is not rotated after 90 days, a finding in Security Command Center is raised.
Correct answer: D
Explanation
The correct answer is D because Security Health Analytics directly identifies keys that have not been rotated in accordance with the 90-day policy and raises actionable findings in Security Command Center. Options A, B, and C either do not use Security Health Analytics or do not provide a direct mechanism to raise findings in Security Command Center.