Google Cloud Professional Cloud Security Engineer — Question 239
Your security team uses encryption keys to ensure confidentiality of user data. You want to establish a process to reduce the impact of a potentially compromised symmetric encryption key in Cloud Key Management Service (Cloud KMS).
Which steps should your team take before an incident occurs? (Choose two.)
Answer options
- A. Disable and revoke access to compromised keys.
- B. Enable automatic key version rotation on a regular schedule.
- C. Manually rotate key versions on an ad hoc schedule.
- D. Limit the number of messages encrypted with each key version.
- E. Disable the Cloud KMS API.
Correct answer: B, D
Explanation
Enabling automatic key version rotation (option B) ensures that key versions are replaced on a regular schedule, which reduces the risk of a compromised key version remaining in use. Limiting the number of messages encrypted with each key version (option D) minimizes exposure if a key version is compromised, because fewer messages are at risk. The other options either describe post-incident actions or do not provide a proactive solution.