Google Cloud Professional Cloud Security Engineer — Question 240

You are implementing data protection by design and in accordance with GDPR requirements. As part of design reviews, you are told that you need to manage the encryption key for a solution that includes workloads for Compute Engine, Google Kubernetes Engine, Cloud Storage, BigQuery, and Pub/Sub. Which option should you choose for this implementation?

Answer options

Correct answer: A

Explanation

The correct choice is Cloud External Key Manager (Cloud EKM), because it allows centralized management of encryption keys across multiple Google Cloud services, in line with data protection principles. Customer-managed and customer-supplied encryption keys provide less centralized control and may not fully meet the requirements for managing keys at scale across diverse services. Google default encryption is not suitable for scenarios that require compliance with strict key management requirements.