Welcome to ExamTopics
ExamTopics Logo
- Expert Verified, Online, Free.
Mail Us[email protected]
Menu
Google Discussions
exam questions

Exam Professional Cloud Architect All Questions

View all questions & answers for the Professional Cloud Architect exam
Go to Exam

Exam Professional Cloud Architect topic 1 question 148 discussion

Actual exam question from Google's Professional Cloud Architect
Question #: 148
Topic #: 1
[All Professional Cloud Architect Questions]

You are designing a Data Warehouse on Google Cloud and want to store sensitive data in BigQuery. Your company requires you to generate the encryption keys outside of Google Cloud. You need to implement a solution. What should you do?

  • A. Generate a new key in Cloud Key Management Service (Cloud KMS). Store all data in Cloud Storage using the customer-managed key option and select the created key. Set up a Dataflow pipeline to decrypt the data and to store it in a new BigQuery dataset.
  • B. Generate a new key in Cloud KMS. Create a dataset in BigQuery using the customer-managed key option and select the created key.
  • C. Import a key in Cloud KMS. Store all data in Cloud Storage using the customer-managed key option and select the created key. Set up a Dataflow pipeline to decrypt the data and to store it in a new BigQuery dataset.
  • D. Import a key in Cloud KMS. Create a dataset in BigQuery using the customer-supplied key option and select the created key.
Show Suggested Answer Hide Answer
Suggested Answer: D 🗳️
by SweetieS at Aug. 24, 2021, 5:15 a.m.

Comments

Chosen Answer:
This is a voting comment (?) , you can switch to a simple comment.
Switch to a voting comment New
Submit Cancel
alexandercamachop
Highly Voted 2 years, 2 months ago
Selected Answer: D
The answer is easy. It says keys must be left outside of Google Cloud. This automatically eliminates A / B. Now the C option says decrypts before storing it in BigQuery which the point is to encrypt the data while been in BigQuery, D is the only possible answer.
upvoted 17 times
Sephethus
5 months, 1 week ago
Except that BigQuery doesn't support customer supplied keys outside of GCP.
upvoted 2 times
...
...
SweetieS
Highly Voted 3 years, 3 months ago
D is OK
upvoted 17 times
SR23222
1 year, 5 months ago
But CSEK is not supported in BigQuery
upvoted 2 times
[Removed]
1 year, 3 months ago
It is a tricky distinction because of the term collision. However, "import key to KMS" does not mean CSEK. CSEK does not get imported or stored in KMS at all. CSEK "customer supplied" is per-transaction uploaded by every API call by the user/client (no KMS). This situation "customer supplied" means created from non-GCP KMS (could be on-prem or EKM). Once a key is imported to KMS it is treated as CMEK. The API client calling GCS doesn't need to upload the key. It lives in KMS. That is not the same "per-transaction" upload as CSEK.
upvoted 2 times
[Removed]
1 year, 3 months ago
I mean after being imported to KMS you key is handled like a CMEK and available to BQ service.
upvoted 1 times
...
...
...
...
25lion52
Most Recent 1 month, 3 weeks ago
Selected Answer: D
C - won't encrypt data in BQ with customer key. A,B - you will generate key inside the GCP (what is also wrong by requirements) D - looks good, but say to select CSEK... but after importing the key to KMS it becomes a customer-managed. I would select the D
upvoted 1 times
...
Sephethus
5 months, 1 week ago
Selected Answer: B
The answer cannot be D since BigQuery does not support customer provided keys, only customer managed keys generated in Cloud KMS. So B is the only viable option that doesn't add complexity.
upvoted 1 times
...
Sephethus
5 months, 1 week ago
It cannot be D, BigQuery does not support customer supplied KMS keys, only customer managed keys, B.
upvoted 1 times
...
odacir
1 year ago
Selected Answer: D
https://cloud.google.com/bigquery/docs/customer-managed-encryption
upvoted 1 times
...
thewalker
1 year ago
A, B, C are ruled out as they say Customer Managed keys. Hence, D.
upvoted 2 times
...
devnul
1 year, 3 months ago
GCP docu says "BigQuery and BigLake tables don't support Customer-Supplied Encryption Keys (CSEK)." However, I just tested it and it worked: 1. Create Key openssl rand 32 > ./key2 2. Import into KMS gcloud kms keys versions import --import-job csek1 --location us-west1 --keyring csek --key csek --algorithm google-symmetric-encryption --target-key-file ./key2 3. In Cloud Console: select the key when creating a new data set and table in BigQuery
upvoted 4 times
[Removed]
1 year, 3 months ago
Right, term collision with "customer supplied" key. However, "import key to KMS" does not mean CSEK.
upvoted 2 times
...
...
jits1984
1 year, 7 months ago
Selected Answer: C
C - as BigQuery doesn't support Customer Supplier Keys.
upvoted 2 times
...
n_nana
1 year, 8 months ago
Selected Answer: C
BigQuery doesn't support CSEK
upvoted 1 times
medi01
1 year, 7 months ago
BG DOES support CSEK.
upvoted 1 times
...
n_nana
1 year, 8 months ago
Sorry even C is not correct, why to store the data in bq without encryption. data should be passed encrypted from storage to bq. then Answer is B
upvoted 1 times
A21325412
1 year ago
I would go with C. https://cloud.google.com/bigquery/docs/customer-managed-encryption Read that document in the link carefully. 1st paragraph: "By Default, BigQuery encrypts your content stored at rest"; 1st bullet point, 2nd paragraph under the [Before you Begin] section: "BigQuery and BigLake tables don't support Customer-Supplied Encryption Keys (CSEK)" There is also a difference between CMEK and CSEK. CMEK: you can create and manage a key using Cloud KMS; CSEK: you specify the contents of the key; Ref for CMEK vs CSEK: https://cloud.google.com/sql/docs/mysql/cmek#:~:text=Note%3A%20Customer%2Dmanaged%20encryption%20keys,specific%20resources%20across%20Google%20Cloud.
upvoted 1 times
A21325412
1 year ago
Even though I'll chose C for the answer over D, because of the terminology in "BQ using customer-supplied key", I have an issue with this: To me it does not make any sense. The data is being encrypted by some key say K1 to store in Cloud Storage, then Decrypted, to be Re-Encrypted (automatically by say K2 [a google created key]) by BigQuery when being stored. This negates the use of K1 on your Data Storage in BigQuery. It makes no sense. If someone sees this differently, I'd love to hear it. Thanks.
upvoted 1 times
...
...
...
nandoD
1 year, 6 months ago
If you want to control encryption yourself, you can use customer-managed encryption keys (CMEK) for BigQuery. https://cloud.google.com/bigquery/docs/customer-managed-encryption
upvoted 1 times
SR23222
1 year, 5 months ago
There is a difference between customer managed and customer supplied. Link that you have shared talks about customer managed and not customer supplied
upvoted 1 times
...
...
...
AugustoKras011111
1 year, 8 months ago
Selected Answer: D
Key work: "keys outside of Google Cloud" so you have to import the key. between C and D I go with D.
upvoted 1 times
...
smachnio
1 year, 10 months ago
Selected Answer: D
D is correct. I had this question on the exam toaday and I go with D. Explanation is - Generate the key outside the GCP so C and D are correct. "Set up a Dataflow pipeline to decrypt the data and to store it in a new BigQuery dataset" is not correct becuase it means that data exist on GCP what is not correct. Only D is correct.
upvoted 2 times
...
examch
1 year, 10 months ago
Selected Answer: C
Yes, BigQuery and BigLake tables don't support Customer-Supplied Encryption Keys (CSEK). Answer must be either A or C, since the say generate key outside Google Cloud, import the key, hence I go for the answer C. https://cloud.google.com/bigquery/docs/customer-managed-encryption#before_you_begin https://cloud.google.com/kms/docs/importing-a-key
upvoted 2 times
...
NodummyIQ
1 year, 10 months ago
Answer D is incorrect because BigQuery does not support the use of customer-supplied keys to encrypt data at rest. Instead, you can use customer-managed encryption keys in Cloud KMS to encrypt the data in BigQuery. To do this, you can either generate a new key in Cloud KMS (answer A) or import an existing key (answer C). Once you have a key in Cloud KMS, you can create a BigQuery dataset and select the key as the customer-managed key for the dataset. This will enable BigQuery to use the key to encrypt the data in the dataset.
upvoted 4 times
examch
1 year, 10 months ago
Yes, BigQuery and BigLake tables don't support Customer-Supplied Encryption Keys (CSEK). Answer must be either A or C, since the say generate key outside Google Cloud, import the key, hence I go for the answer C.
upvoted 1 times
examch
1 year, 10 months ago
https://cloud.google.com/bigquery/docs/customer-managed-encryption#before_you_begin
upvoted 1 times
examch
1 year, 10 months ago
https://cloud.google.com/kms/docs/importing-a-key
upvoted 2 times
...
...
...
[Removed]
1 year, 3 months ago
You have to know the difference between CSEK and "imported keys to KMS". Those are not the same things. CSEK is never stored in KMS, obviously an imported key is. It is then as available as any CMEK to BQ.
upvoted 1 times
...
...
surajkrishnamurthy
1 year, 11 months ago
Selected Answer: D
Correct answer is D
upvoted 1 times
...
ale_brd_111
1 year, 11 months ago
Selected Answer: D
answer is D https://cloud.google.com/bigquery/docs/customer-managed-encryption
upvoted 1 times
...
tomahawk003
1 year, 11 months ago
Answer D. Questions says "...design data warehouse..." - would prefer BigQuery
upvoted 1 times
...
Load full discussion...

Get IT Certification

Unlock free, top-quality video courses on ExamTopics with a simple registration. Elevate your learning journey with our expertly curated content. Register now to access a diverse range of educational resources designed for your success. Start learning today with ExamTopics!

Start Learning for free
Community vote distribution
A (35%)
C (25%)
B (20%)
Other
Most Voted
A voting comment increases the vote count for the chosen answer by one.

Upvoting a comment with a selected answer will also increase the vote count towards that answer by one. So if you see a comment that you already agree with, you can upvote it instead of posting a new comment.

SaveCancel