Google Cloud Professional Cloud Security Engineer — Question 68
A customer wants to move their sensitive workloads to a Compute Engine-based cluster using Managed Instance Groups (MIGs). The jobs are bursty and must be completed quickly. They have a requirement to be able to control the key lifecycle.
Which boot disk encryption solution should you use on the cluster to meet this customer's requirements?
Answer options
- A. Customer-supplied encryption keys (CSEK)
- B. Customer-managed encryption keys (CMEK) using Cloud Key Management Service (KMS)
- C. Encryption by default
- D. Pre-encrypting files before transferring to Google Cloud Platform (GCP) for analysis
Correct answer: B
Explanation
The correct answer is B because customer-managed encryption keys (CMEK) let the customer control the key lifecycle while still leveraging Google Cloud's infrastructure. Option A, customer-supplied encryption keys (CSEK), does not offer the same level of lifecycle management as CMEK. Options C and D do not provide the control over key management that the customer requires for their sensitive workloads.