Google Cloud Professional Cloud Security Engineer Practice Exam


Prepare for the Google Cloud Professional Cloud Security Engineer Exam with our interactive quiz. Study with flashcards and multiple-choice questions, complete with hints and explanations. Ace your exam with confidence!


For a bursty workload with key lifecycle control in Compute Engine, which encryption solution is recommended?

  1. Default Google-managed encryption keys

  2. Customer-managed encryption keys (CMEK) using Cloud Key Management Service

  3. Cloud Security Command Center

  4. Cloud Data Loss Prevention API

The correct answer is: Customer-managed encryption keys (CMEK) using Cloud Key Management Service

The recommended solution for a bursty workload with key lifecycle control in Compute Engine is customer-managed encryption keys (CMEK) using Cloud Key Management Service. This approach provides greater flexibility and control over the encryption keys used to protect your data. With CMEK, organizations can define their own lifecycle policies for encryption keys, including rotation, revocation, and auditing. This is essential where data sensitivity and compliance requirements demand granular control over how and when keys are used. CMEK lets administrators manage the keys in accordance with organizational security policies, so that keys can be updated or replaced without significant disruption.

In contrast, default Google-managed encryption keys do not offer the same level of control, as they are managed entirely by Google and may not meet specific organizational or regulatory requirements for key management practices.

Cloud Security Command Center is a security management platform that provides visibility into security risks, but it does not focus specifically on key management or encryption. Similarly, the Cloud Data Loss Prevention (DLP) API is designed for identifying and protecting sensitive data but does not handle encryption key management directly.

Therefore, CMEK is the most suitable choice for organizations that require both security and lifecycle management capabilities in their encryption practices for Compute Engine workloads.