Answer-first summary for fast verification
Answer: Encrypt all cache storage and VM-to-VM communication using the BoringCrypto module.
The question requires achieving FIPS 140-2 compliance for both data at rest (Local SSDs) and data in transit (VM-to-VM communication). Option A is correct because it uses BoringCrypto, which is explicitly FIPS 140-2 validated, for encrypting both cache storage (Local SSDs) and VM-to-VM communications. This directly addresses the compliance requirement, as Local SSDs do not inherently have FIPS-validated encryption, and BoringCrypto is the validated module within BoringSSL. Option B is incorrect because BoringSSL as a whole is not FIPS validated, and customer-managed keys for disk encryption do not ensure FIPS compliance for Local SSDs without a validated cryptographic module. Option C is insufficient as changing UDP to TCP does not inherently provide FIPS-validated encryption, and BoringSSL alone is not validated. Option D is incorrect because Google-managed keys lack the control needed for FIPS compliance, and BoringSSL is not validated. The community discussion, including highly upvoted comments, supports A due to BoringCrypto's FIPS validation and the need for custom encryption on Local SSDs.
Author: LeetQuiz Editorial Team
Ultimate access to all questions.
To achieve FIPS 140-2 compliance for a messaging app on GCP that uses a Managed Instance Group, Local SSDs for caching, and UDP for instance-to-instance communication, what specific changes should be recommended?
A
Encrypt all cache storage and VM-to-VM communication using the BoringCrypto module.
B
Set Disk Encryption on the Instance Template used by the MIG to customer-managed key and use BoringSSL for all data transit between instances.
C
Change the app instance-to-instance communications from UDP to TCP and enable BoringSSL on clients' TLS connections.
D
Set Disk Encryption on the Instance Template used by the MIG to Google-managed Key and use BoringSSL library on all instance-to-instance communications.
No comments yet.