
Answer-first summary for fast verification
Answer: Generate a key in your on-premises environment and store it in a Hardware Security Module (HSM) that is managed on-premises. Use this key as an external key in the Cloud Key Management Service (KMS). Activate Key Access Justifications (KAJ) and set the external key system to reject unauthorized accesses.
The question has two requirements: the key material must stay under the customer's full control, and every access to it must carry a valid justification. Option D is correct because it uses Cloud External Key Manager (Cloud EKM): Cloud KMS stores only a reference to the externally managed key (the external key URI), and every encrypt or decrypt operation is forwarded to the on-premises HSM, so the key material never leaves the customer's environment. Activating Key Access Justifications (KAJ) attaches a reason code to each of those requests, and the external key manager can be configured to allow or reject requests based on that reason, which satisfies the justification requirement. Option B is incorrect because uploading the key to Cloud KMS (key import) places the key material inside Google's infrastructure, which violates the full-control requirement; once the key is held in Cloud KMS there is also no external key system left to reject accesses, so the second half of the option does not apply. Option A uses Customer-Managed Encryption Keys (CMEK), but the key lives in Cloud KMS, and an IAM deny policy only restricts which principals can use the key; it does not provide a justification for each access. Option C uses Cloud HSM-backed keys, which are still generated and held in Google-operated hardware, and data access logs record that an access happened, not why it was permitted.
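The control point that makes option D work is the customer-operated external key manager: the key-encryption key stays on premises, and each wrap or unwrap request arriving from Cloud KMS carries a KAJ reason that the EKM can accept or refuse. The following is an added example (not code from the original page, nor Google's EKM reference implementation) that models that decision in plain Python. The reason names follow the KAJ reason codes, but which reasons to allow is an assumed policy, the key URI is made up, and the wrap/unwrap routine is a standard-library stand-in for AES key wrapping, not production cryptography.

```python
"""Model of a customer-side external key manager enforcing Key Access Justifications."""
import hashlib
import hmac
import os
from dataclasses import dataclass

# Reason names follow the KAJ reason codes; the allow/deny split below is an assumed
# example policy, not one prescribed by Google Cloud.
ALLOWED_REASONS = {
    "CUSTOMER_INITIATED_ACCESS",          # the migrated application reading its objects
    "CUSTOMER_INITIATED_SUPPORT",         # a support case the customer opened
    "GOOGLE_INITIATED_SYSTEM_OPERATION",  # e.g. storage integrity maintenance
}
DENIED_REASONS = {
    "GOOGLE_INITIATED_REVIEW",
    "GOOGLE_INITIATED_SERVICE",
    "THIRD_PARTY_DATA_REQUEST",
    "REASON_UNSPECIFIED",
}

# Assumed external key URI that Cloud KMS would have been configured with.
KEY_URI = "https://ekm.example.internal/keys/gcs-bucket-kek"


@dataclass(frozen=True)
class KajRequest:
    key_uri: str      # which external key Cloud KMS is asking about
    operation: str    # "wrap" (new object DEK) or "unwrap" (object read)
    reason: str       # KAJ justification forwarded with the request
    payload: bytes    # DEK to wrap, or wrapped DEK to unwrap


def _keystream(kek: bytes, nonce: bytes, n: int) -> bytes:
    # HMAC-SHA256 in counter mode as a PRF keystream (toy stand-in for AES).
    out, counter = b"", 0
    while len(out) < n:
        out += hmac.new(kek, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:n]


def _wrap(kek: bytes, dek: bytes) -> bytes:
    # Encrypt-then-MAC with a fresh nonce; returns nonce || ciphertext || tag.
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(dek, _keystream(kek, nonce, len(dek))))
    tag = hmac.new(kek, b"tag" + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def _unwrap(kek: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(kek, b"tag" + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrapped DEK failed integrity check")
    return bytes(a ^ b for a, b in zip(ct, _keystream(kek, nonce, len(ct))))


class ExternalKeyManager:
    """The KEK never leaves this object; only wrap/unwrap results are returned."""

    def __init__(self, key_uri: str, kek: bytes):
        self._keys = {key_uri: kek}
        self.audit_log: list[dict] = []

    def decide(self, req: KajRequest) -> bool:
        # Unknown keys and any reason outside the allowlist are refused; every
        # decision is recorded locally, which is the customer's own access record.
        allowed = req.key_uri in self._keys and req.reason in ALLOWED_REASONS
        self.audit_log.append({"key": req.key_uri, "op": req.operation,
                               "reason": req.reason, "allowed": allowed})
        return allowed

    def handle(self, req: KajRequest) -> bytes:
        if not self.decide(req):
            raise PermissionError(f"{req.operation} refused for justification {req.reason!r}")
        kek = self._keys[req.key_uri]
        if req.operation == "wrap":
            return _wrap(kek, req.payload)
        if req.operation == "unwrap":
            return _unwrap(kek, req.payload)
        raise ValueError(f"unknown operation {req.operation!r}")


def demo() -> dict:
    """Constructed scenario: one object write, one legitimate read, one refused read."""
    ekm = ExternalKeyManager(KEY_URI, kek=os.urandom(32))
    dek = os.urandom(32)  # per-object data encryption key generated on the storage side
    wrapped = ekm.handle(KajRequest(KEY_URI, "wrap", "CUSTOMER_INITIATED_ACCESS", dek))
    app_read = ekm.handle(KajRequest(KEY_URI, "unwrap", "CUSTOMER_INITIATED_ACCESS", wrapped))
    try:
        ekm.handle(KajRequest(KEY_URI, "unwrap", "THIRD_PARTY_DATA_REQUEST", wrapped))
        refused = False
    except PermissionError:
        refused = True
    return {"round_trip": app_read == dek, "refused": refused, "log": ekm.audit_log}


if __name__ == "__main__":
    for entry in demo()["log"]:
        print(entry)
```

The shape to notice is that the decision, the audit record, and the key all sit on the customer side; Cloud KMS only ever sees a wrapped DEK come back or a refusal. That is what distinguishes D from options A and C, where the same decision would be made inside Google-operated infrastructure.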
Author: LeetQuiz Editorial Team
You are migrating an application to Google Cloud. The application needs to read data from a Cloud Storage bucket. To comply with local regulations, you must maintain full control over the key material used for encryption and provide a valid justification for any access to this key material.
What should you do?
A
Encrypt the data in the Cloud Storage bucket by using Customer Managed Encryption Keys. Configure an IAM deny policy for unauthorized groups.
B
Generate a key in your on-premises environment to encrypt the data before you upload the data to the Cloud Storage bucket. Upload the key to the Cloud Key Management Service (KMS). Activate Key Access Justifications (KAJ) and have the external key system reject unauthorized accesses.
C
Encrypt the data in the Cloud Storage bucket by using Customer Managed Encryption Keys backed by a Cloud Hardware Security Module (HSM). Enable data access logs.
D
Generate a key in your on-premises environment and store it in a Hardware Security Module (HSM) that is managed on-premises. Use this key as an external key in the Cloud Key Management Service (KMS). Activate Key Access Justifications (KAJ) and set the external key system to reject unauthorized accesses.