
Explanation:
The question requires two solutions: (1) managing encryption keys outside Google Cloud with a third-party provider, and (2) encrypting data in memory while it is in use on Compute Engine VMs. Option B (Cloud External Key Manager) satisfies the first requirement by allowing keys to be stored and managed externally through a third-party key management provider, enabling encryption before upload to Cloud Storage and decryption during processing. Option C (Create Confidential VMs) satisfies the second requirement, as Confidential VMs use AMD SEV or Intel TDX technology to encrypt data in memory while in use. Option D is incorrect because existing VMs cannot be migrated to Confidential VMs; they must be created as Confidential VMs from the start, as confirmed by Google's documentation and multiple highly upvoted community comments. Option A (Customer Managed Encryption Keys) does not fully meet the requirement for external key management, as CMEKs are still stored within Google Cloud. Option E (VPC Service Controls) focuses on network perimeter security and does not address encryption key management or memory encryption.
Your organization runs a mission-critical workload in a highly regulated industry. Sensitive data is uploaded from endpoint computers to Cloud Storage and then processed by Compute Engine VMs. A compliance review has found that the current setup does not meet data protection requirements. You must implement a solution that fulfills the following:
What two actions should you take?
A
Configure Customer Managed Encryption Keys to encrypt the sensitive data before it is uploaded to Cloud Storage, and decrypt the sensitive data after it is downloaded into your VMs.
B
Configure Cloud External Key Manager to encrypt the sensitive data before it is uploaded to Cloud Storage, and decrypt the sensitive data after it is downloaded into your VMs.
C
Create Confidential VMs to access the sensitive data.
D
Migrate the Compute Engine VMs to Confidential VMs to access the sensitive data.
E
Create a VPC Service Controls service perimeter across your existing Compute Engine VMs and Cloud Storage buckets.