Answer-first summary for fast verification
Answer: Customer-managed encryption keys (CMEK) using Cloud Key Management Service (KMS)
The question specifies a requirement to 'control the key lifecycle' for sensitive workloads on Compute Engine using Managed Instance Groups (MIGs). Customer-managed encryption keys (CMEK) using Cloud KMS is the optimal solution because it allows customers to manage their own encryption keys, including key rotation, access control, and lifecycle policies, while maintaining the performance needed for bursty workloads. CSEK (A) is less suitable as it requires manual key management and is not natively integrated with MIGs. Encryption by default (C) uses Google-managed keys, so the customer cannot control the key lifecycle. Pre-encrypting files (D) is inefficient for boot disks and does not integrate with Compute Engine's native encryption capabilities. The community discussion unanimously supports B, with upvoted comments emphasizing CMEK's control over key lifecycle and compatibility with Compute Engine disks.
Author: LeetQuiz Editorial Team
Ultimate access to all questions.
A customer needs to migrate sensitive workloads to a Compute Engine cluster utilizing Managed Instance Groups (MIGs). The workloads are bursty and require rapid completion. They have a specific requirement to manage the key lifecycle.
Which boot disk encryption method should be implemented for the cluster to satisfy these requirements?
A
Customer-supplied encryption keys (CSEK)
B
Customer-managed encryption keys (CMEK) using Cloud Key Management Service (KMS)
C
Encryption by default
D
Pre-encrypting files before transferring to Google Cloud Platform (GCP) for analysis
No comments yet.