
Answer-first summary for fast verification
Answer: Customer-managed encryption keys (CMEK).
The question asks for maximum control over encryption of data at rest in BigQuery. Customer-managed encryption keys (CMEK) is the correct answer because it lets the institution manage its own encryption keys in Cloud Key Management Service (Cloud KMS), giving it control over the key lifecycle (creation, rotation, destruction) while BigQuery handles the encryption operations. Customer-supplied encryption keys (CSEK) are not supported for BigQuery (only for Cloud Storage and Compute Engine), as confirmed by multiple community comments with high upvotes and by Google documentation. Cloud HSM is not the best fit: it is a key management tool that could be used with CMEK, but it does not directly provide encryption control for BigQuery data at rest. Using Cloud Storage as a federated data source is irrelevant to encryption control for BigQuery data.
Author: LeetQuiz Editorial Team
A large financial institution is migrating its Big Data analytics to Google Cloud Platform and requires maximum control over the encryption process for data stored at rest in BigQuery. Which technique should they use?
A. Use Cloud Storage as a federated Data Source.
B. Use a Cloud Hardware Security Module (Cloud HSM).
C. Customer-managed encryption keys (CMEK).
D. Customer-supplied encryption keys (CSEK).