Exam Professional Cloud Security Engineer topic 1 question 219 discussion

A and E

Why Option A (Customer-Managed Encryption Keys) is Correct Control Over Keys: Customer-managed encryption keys (CMEK) allow you to manage the lifecycle of encryption keys, including rotation, revocation, and deletion, through Cloud Key Management Service (KMS). Integration with BigQuery, Cloud SQL, and Cloud Storage: CMEK is supported across BigQuery, Cloud Storage, and Cloud SQL, enabling encryption of data at rest with your managed keys. Compliance Support: CMEK satisfies the requirement to manage the full lifecycle of encryption keys.

Why not C?: KAJ focuses on managing access control for Google personnel to resources, not specifically on encryption key visibility.

Why not C?: KAJ focuses on managing access control for Google personnel to resources, not specifically on encryption key visibility.

CE seems good for me. If you want to be compliance with "Implement a separate key management provider from data management" you must have 2 providers and "B" CSEK couldn't work i think. "E" work for the both first policies. "C" seems good for the third policy.

C. Key Access Justifications Key Access Justifications can provide visibility into all encryption key requests, satisfying your third condition. This feature enables you to get justification for every request to use a decryption key, giving you the information you need to decide whether to approve or deny the request in real-time. E. Cloud External Key Manager The Cloud External Key Manager allows you to use and manage encryption keys stored outside of Google's infrastructure, thereby providing a separate key management provider from data management. This meets your first and second conditions because it enables you to fully manage the lifecycle of your cryptographic keys while storing them outside Google Cloud.

looks good to me

C - https://cloud.google.com/assured-workloads/key-access-justifications/docs/overview E - https://cloud.google.com/kms/docs/ekm

AE: https://cloud.google.com/kms/docs/cmek A: CMEK gives you control over the keys that protect your data at rest in Google Cloud. Using CMEK gives you control over more aspects of the lifecycle and management of your keys.

C,E - looks correct to me

I think this is BE. They mention that they want the data and the keys to be in separate locations. So that would mean CSEK. And that is handled by External Key Manager. So BE.

Implement a separate key management provider from data management - so the key must be outside of the GCP - E Provide visibility into all encryption key requests. - this can be supported by - C