Google Cloud Professional Cloud Security Engineer — Question 278
You need to use Cloud External Key Manager to create an encryption key to encrypt specific BigQuery data at rest in Google Cloud. Which steps should you take first?
Answer options
- A. 1. Create or use an existing key with a unique uniform resource identifier (URI) in your Google Cloud project. 2. Grant your Google Cloud project access to a supported external key management partner system.
- B. 1. Create or use an existing key with a unique uniform resource identifier (URI) in Cloud Key Management Service (Cloud KMS). 2. In Cloud KMS, grant your Google Cloud project access to use the key.
- C. 1. Create or use an existing key with a unique uniform resource identifier (URI) in a supported external key management partner system. 2. In the external key management partner system, grant access for this key to use your Google Cloud project.
- D. 1. Create an external key with a unique uniform resource identifier (URI) in Cloud Key Management Service (Cloud KMS). 2. In Cloud KMS, grant your Google Cloud project access to use the key.
Correct answer: C
Explanation
The correct answer is C because it creates the key in a supported external key management partner system and grants access in that system, which is essential for using Cloud External Key Manager. Options A and B incorrectly place the key in Google Cloud itself (the Google Cloud project in A, Cloud KMS in B), which does not align with the requirement for external key management. Option D incorrectly states that the key should be created in Cloud KMS instead of an external system.