Exam Professional Cloud Security Engineer topic 1 question 161 discussion

B is the answer. https://cloud.google.com/kms/docs/using-other-products#cmek_integrations https://cloud.google.com/kms/docs/using-other-products#cmek_integrations CMEK is supported for all the listed google services.

Obviously A is the better answer. Based on the GCP blog [1], you can utilize Cloud External Key Manager (Cloud EKM) to manage customer key easily and fulfill the compliance requirements as Key Access Justifications is already GA. Also, Cloud EKM supports all the services listed in the questions per the reference [2] [1] https://cloud.google.com/blog/products/compliance/how-google-cloud-helps-customers-stay-current-with-gdpr [2] https://cloud.google.com/kms/docs/ekm#supported_services

The point is the integration with Google native services: Compute Engine, Google Kubernetes Engine, Cloud Storage, BigQuery, and Pub/Sub CMEK covers more services than CSEK. https://medium.com/google-cloud/data-encryption-techniques-in-google-cloud-gmek-cmek-csek-928d072a1e9d "Customer-managed encryption keys (CMEK): This method allows customers to create and manage their own encryption keys in Google Cloud KMS, which are used to encrypt data at rest in Google Cloud Storage, Google BigQuery, Google Cloud SQL, and other services that support CMEK" "Customer-supplied encryption keys (CSEK): This method allows customers to use their own encryption keys to encrypt data at rest in Google Cloud Storage and Google Compute disks."

Seems CMEK supports all the Google services in the question https://cloud.google.com/kms/docs/compatible-services#cmek_integrations

B. Customer-managed encryption keys

B is the answer. https://cloud.google.com/kms/docs/using-other-products#cmek_integrations https://cloud.google.com/kms/docs/using-other-products#cmek_integrations CMEK is supported for all the listed google services.

B. Customer-managed encryption keys With customer-managed encryption keys (CMEK), you have control over the encryption keys used to protect your data in Google Cloud Platform services such as Compute Engine, Google Kubernetes Engine, Cloud Storage, BigQuery, and Pub/Sub. This ensures that you can manage and control the keys in a way that aligns with GDPR requirements and provides an additional layer of security for your data.

B Why not A?: GCP doesn't offer a service called "Cloud External Key Manager." While there are external key management solutions, they might not integrate seamlessly with all GCP services you're using.

B. Customer-managed encryption keys With customer-managed encryption keys (CMEK), you have control over the encryption keys used to protect your data in Google Cloud Platform services such as Compute Engine, Google Kubernetes Engine, Cloud Storage, BigQuery, and Pub/Sub. This ensures that you can manage and control the keys in a way that aligns with GDPR requirements and provides an additional layer of security for your data.

All mentioned services are supported by CMEK

A or B, where B does not require additional assets/resources and thus (sounds like it would be) cheaper

I work with banks in Eu, they are using CMEK in general and it is GDPR compliant - B

With my current client in Europe, where GDPR is mandate, we are using EKM.

Seems to be EKM in conjunction with CMEK to support all the required services. However it's EKM specifically that enables customers to store keys in europe and enforce various controls over their keys as required by GDPR. https://cloud.google.com/blog/products/compliance/how-google-cloud-helps-customers-stay-current-with-gdpr https://cloud.google.com/kms/docs/using-other-products#cmek_integrations

Cloud External Key Manager (option A) is an option for customers who require full control over their encryption keys while leveraging Google Cloud's Key Management Service. However, this option is generally not required for GDPR compliance.

EKM is GDPR compliant

Answer is A and please read the docs. Cloud EKM is GDPR compliant and does support all the services listed. Where is the confusion here?