Google Cloud Professional Cloud Security Engineer — Question 285

You are working with a client who plans to migrate their data to Google Cloud. You are responsible for recommending an encryption service to manage their encrypted keys. You have the following requirements:
✑ The master key must be rotated at least once every 45 days.
✑ The solution that stores the master key must be FIPS 140-2 Level 3 validated.
✑ The master key must be stored in multiple regions within the US for redundancy.
Which solution meets these requirements?

Answer options

• A. Customer-managed encryption keys with Cloud Key Management Service
• B. Customer-managed encryption keys with Cloud HSM
• C. Customer-supplied encryption keys
• D. Google-managed encryption keys

Correct answer: B

Explanation

The correct answer is B, as Customer-managed encryption keys with Cloud HSM meets all specified requirements, including FIPS 140-2 Level 3 validation and support for key rotation and regional redundancy. Option A does not meet the FIPS validation requirement, while C does not provide the necessary management features, and D does not allow for customer control over key management.