
Answer-first summary for fast verification
Answer: Identify keys that have not been rotated by using Security Health Analytics. If a key is not rotated after 90 days, a finding in Security Command Center is raised.
Option D is the correct answer because Security Health Analytics is a built-in Google Cloud service specifically designed for continuous security monitoring and compliance validation. It includes a predefined detector for 'KMS key not rotated' that automatically identifies keys that haven't been rotated within the specified timeframe (90 days in this case) and raises findings directly in Security Command Center. This approach is more efficient and reliable than custom solutions because it leverages Google's managed service with built-in detection capabilities, requires no custom code development or maintenance, and integrates seamlessly with Google's security ecosystem.
While Option A (Cloud Asset Inventory) could technically work with custom analysis, it requires building and maintaining custom monitoring logic. Option B (Cloud Run) involves unnecessary complexity with custom code deployment. Option C (Cloud Logging) relies on log analysis, which may not provide the same level of reliability and integration as the purpose-built Security Health Analytics service.
Author: LeetQuiz Editorial Team
You need to ensure that the encryption keys protecting your data at rest are rotated every 90 days to meet a security control. How should you implement a detection strategy to verify that this key rotation is occurring as required?
A. Analyze the crypto key versions of the keys by using data from Cloud Asset Inventory. If an active key is older than 90 days, send an alert message through your incident notification channel.
B. Assess the keys in the Cloud Key Management Service by implementing code in Cloud Run. If a key is not rotated after 90 days, raise a finding in Security Command Center.
C. Define a metric that checks for timely key updates by using Cloud Logging. If a key is not rotated after 90 days, send an alert message through your incident notification channel.
D. Identify keys that have not been rotated by using Security Health Analytics. If a key is not rotated after 90 days, a finding in Security Command Center is raised.