
Answer-first summary for fast verification
Answer: Key Access Justifications, Cloud External Key Manager
The question requires selecting two services that meet three compliance policies: (1) full lifecycle management of cryptographic keys for data at rest, (2) separate key management provider from data management, and (3) visibility into all encryption key requests.

Option E (Cloud External Key Manager) is essential as it stores keys outside Google Cloud, fulfilling the separation requirement and providing visibility through external KMS logs. Option C (Key Access Justifications) directly addresses the visibility requirement by requiring justifications for key access requests.

While Option A (Customer-managed encryption keys) provides lifecycle management, it does not separate key management from Google's infrastructure as effectively as E, and it lacks the built-in justification mechanism of C. Option B (Customer-Supplied Encryption Keys) is deprecated and not recommended. Option D (Access Transparency and Approval) is unrelated to encryption key visibility.

The community discussion shows strong support for CE (75% consensus with higher upvotes on detailed explanations), while AE (25%) is less aligned because CMEK (A) does not fully separate key management or provide the same level of visibility as E and C combined.
Author: LeetQuiz Editorial Team
You are migrating an on-premises data warehouse to BigQuery, Cloud SQL, and Cloud Storage. You need to configure security services to meet compliance policies that require:
Which two services should you include in the implementation?
A. Customer-managed encryption keys
B. Customer-Supplied Encryption Keys
C. Key Access Justifications
D. Access Transparency and Approval
E. Cloud External Key Manager