Google Cloud Professional Cloud Security Engineer — Question 232
You need to implement an encryption-at-rest strategy that protects sensitive data and reduces key management complexity for non-sensitive data. Your solution has the following requirements:
- Schedule key rotation for sensitive data.
- Control which region the encryption keys for sensitive data are stored in.
- Minimize the latency to access encryption keys for both sensitive and non-sensitive data.
What should you do?
Answer options
- A. Encrypt non-sensitive data and sensitive data with Cloud External Key Manager.
- B. Encrypt non-sensitive data and sensitive data with Cloud Key Management Service.
- C. Encrypt non-sensitive data with Google default encryption, and encrypt sensitive data with Cloud External Key Manager.
- D. Encrypt non-sensitive data with Google default encryption, and encrypt sensitive data with Cloud Key Management Service.
Correct answer: D
Explanation
The correct choice is D. Google default encryption simplifies key management for non-sensitive data, while Cloud Key Management Service meets the key rotation and region control requirements for sensitive data. Options A and B do not adequately address the need for key rotation and specific key storage requirements, while option C does not utilize the more secure Cloud Key Management Service for sensitive data.