Google Cloud Professional Data Engineer — Question 86
You set up a streaming data insert into a Redis cluster via a Kafka cluster. Both clusters are running on Compute Engine instances. You need to encrypt data at rest with encryption keys that you can create, rotate, and destroy as needed. What should you do?
Answer options
- A. Create a dedicated service account, and use encryption at rest to reference your data stored in your Compute Engine cluster instances as part of your API service calls.
- B. Create encryption keys in Cloud Key Management Service. Use those keys to encrypt your data in all of the Compute Engine cluster instances.
- C. Create encryption keys locally. Upload your encryption keys to Cloud Key Management Service. Use those keys to encrypt your data in all of the Compute Engine cluster instances.
- D. Create encryption keys in Cloud Key Management Service. Reference those keys in your API service calls when accessing the data in your Compute Engine cluster instances.
Correct answer: B
Explanation
The correct answer is B: keys created in Cloud Key Management Service can be created, rotated, and destroyed as needed, which is essential for securing data at rest. Option A does not provide any management of encryption keys. Option C involves unnecessary local key generation. Option D only references the keys in API service calls and does not specify that the data is encrypted, which limits its effectiveness.