
Answer-first summary for fast verification
Answer: Encrypt non-sensitive data with Google default encryption, and encrypt sensitive data with Cloud Key Management Service.
The question requires an encryption strategy that: (1) reduces key management complexity for non-sensitive data, (2) protects sensitive data with control over key residency and rotation, and (3) meets FIPS 140-2 Level 1 compliance for all data.

Option D is optimal because Google default encryption (used for non-sensitive data) is FIPS 140-2 Level 1 compliant and reduces management overhead, as Google manages the keys. Cloud KMS (used for sensitive data) is also FIPS 140-2 Level 1 compliant and provides the required control over key residency and rotation schedules.

Other options are less suitable: A and B use Cloud External Key Manager or KMS for all data, which increases management complexity for non-sensitive data. C uses Cloud External Key Manager for sensitive data, which is unnecessary when KMS already meets the requirements and is simpler to manage.
Author: LeetQuiz Editorial Team
You need to implement an encryption-at-rest strategy that reduces key management overhead for non-sensitive data while protecting sensitive data, offers control over key residency and rotation schedules, and meets FIPS 140-2 Level 1 compliance for all data. What should you do?
A. Encrypt non-sensitive data and sensitive data with Cloud External Key Manager.
B. Encrypt non-sensitive data and sensitive data with Cloud Key Management Service.
C. Encrypt non-sensitive data with Google default encryption, and encrypt sensitive data with Cloud External Key Manager.
D. Encrypt non-sensitive data with Google default encryption, and encrypt sensitive data with Cloud Key Management Service.