Google Cloud Professional Cloud Security Engineer — Question 78
You need to implement an encryption-at-rest strategy that reduces key management complexity for non-sensitive data and protects sensitive data while providing the flexibility of controlling the key residency and rotation schedule. FIPS 140-2 L1 compliance is required for all data types. What should you do?
Answer options
- A. Encrypt non-sensitive data and sensitive data with Cloud External Key Manager.
- B. Encrypt non-sensitive data and sensitive data with Cloud Key Management Service.
- C. Encrypt non-sensitive data with Google default encryption, and encrypt sensitive data with Cloud External Key Manager.
- D. Encrypt non-sensitive data with Google default encryption, and encrypt sensitive data with Cloud Key Management Service.
Correct answer: D
Explanation
The correct answer is D. Using Google default encryption for non-sensitive data simplifies management, while using Cloud Key Management Service for sensitive data ensures compliance and control over key management. Options A and C do not provide the required flexibility in key residency and rotation for sensitive data, and option B does not differentiate between the management needs of sensitive and non-sensitive data.