ExamTopics Logo
Mail Us[email protected]
Menu
Google Discussions
exam questions

Exam Professional Cloud Security Engineer All Questions

View all questions & answers for the Professional Cloud Security Engineer exam
Go to Exam

Exam Professional Cloud Security Engineer topic 1 question 173 discussion

Actual exam question from Google's Professional Cloud Security Engineer
Question #: 173
Topic #: 1
[All Professional Cloud Security Engineer Questions]

You are working with a client who plans to migrate their data to Google Cloud. You are responsible for recommending an encryption service to manage their encrypted keys. You have the following requirements:
✑ The master key must be rotated at least once every 45 days.
✑ The solution that stores the master key must be FIPS 140-2 Level 3 validated.
✑ The master key must be stored in multiple regions within the US for redundancy.
Which solution meets these requirements?

  • A. Customer-managed encryption keys with Cloud Key Management Service
  • B. Customer-managed encryption keys with Cloud HSM
  • C. Customer-supplied encryption keys
  • D. Google-managed encryption keys
Show Suggested Answer Hide Answer
Suggested Answer: B 🗳️
by Baburao at Sept. 3, 2022, 7:15 p.m.

Comments

Chosen Answer:
This is a voting comment (?). It is better to Upvote an existing comment if you don't have anything to add.
Switch to a voting comment New
Submit Cancel
shetniel
Highly Voted 1 year, 1 month ago
Selected Answer: B
The only 2 options that satisfy FIPS 140-2 Level 3 requirement are Cloud HSM or Cloud EKM. https://cloud.google.com/kms/docs/key-management-service#choose
upvoted 10 times
...
AwesomeGCP
Highly Voted 1 year, 6 months ago
Selected Answer: B
B. Customer-managed encryption keys with Cloud HSM
upvoted 7 times
...
KLei
Most Recent 4 months, 1 week ago
Selected Answer: B
Cloud HSM helps you enforce regulatory compliance for your workloads in Google Cloud. With Cloud HSM, you can generate encryption keys and perform cryptographic operations in FIPS 140-2 Level 3 validated HSMs.
upvoted 1 times
...
Xoxoo
7 months, 1 week ago
Selected Answer: B
To meet the given requirements, you should recommend using Customer-managed encryption keys with Cloud HSM. This solution allows you to manage your own encryption keys while leveraging the Google Cloud Hardware Security Module (HSM) service, which is FIPS 140-2 Level 3 validated. With Cloud HSM, you can rotate the master key at least once every 45 days and store it in multiple regions within the US for redundancy. While Customer-managed encryption keys with Cloud Key Management Service (KMS) (option A) is a valid choice for managing encryption keys, it does not provide the FIPS 140-2 Level 3 validation required by the given requirements. Customer-supplied encryption keys (option C) are not suitable for this scenario as they do not offer the same level of control and security as customer-managed keys. Google-managed encryption keys (option D) would not meet the requirement of having a solution that stores the master key validated at FIPS 140-2 Level 3.
upvoted 6 times
...
cyberpunk21
8 months, 1 week ago
Selected Answer: B
In all options only HMS have L3 validation
upvoted 1 times
...
TonytheTiger
1 year, 5 months ago
Answer: B https://cloud.google.com/docs/security/cloud-hsm-architecture
upvoted 2 times
...
Littleivy
1 year, 5 months ago
Selected Answer: B
Cloud HSM is right answer
upvoted 4 times
...
AzureDP900
1 year, 5 months ago
Cloud HSM is right answer is B
upvoted 2 times
...
soltium
1 year, 6 months ago
B.Cloud HSM can be rotated automatically(same front end as KMS), FIPS 140-2 level 3 validated, support multi-region.
upvoted 4 times
...
zellck
1 year, 7 months ago
Selected Answer: B
B is the answer.
upvoted 4 times
...
Sav94
1 year, 7 months ago
Both A and B. But question ask for redundancy. So I think it's A.
upvoted 1 times
...
Random_Mane
1 year, 7 months ago
Selected Answer: B
B. https://cloud.google.com/docs/security/key-management-deep-dive https://cloud.google.com/kms/docs/faq "Keys generated with protection level HSM, and the cryptographic operations performed with them, comply with FIPS 140-2 Level 3."
upvoted 3 times
...
Baburao
1 year, 7 months ago
This should be definitely A. Only Cloud KMS supports FIPS 140-2 levels1, 2 and 3. https://cloud.google.com/kms/docs/faq#standards
upvoted 1 times
Arturo_Cloud
1 year, 7 months ago
I disagree with you, you are being asked only for FIPS 140-2 Level 3 and multiple availability, so B) is the best answer. Here is the much more detailed evidence. https://cloud.google.com/docs/security/cloud-hsm-architecture
upvoted 4 times
...
...
Community vote distribution
A (35%)
C (25%)
B (20%)
Other
Most Voted
A voting comment increases the vote count for the chosen answer by one.

Upvoting a comment with a selected answer will also increase the vote count towards that answer by one. So if you see a comment that you already agree with, you can upvote it instead of posting a new comment.

SaveCancel
exam
Someone Bought Contributor Access for:
SY0-701
London, 1 minute ago