Google Cloud Professional Cloud Security Engineer Practice Exam


Prepare for the Google Cloud Professional Cloud Security Engineer Exam with our interactive quiz. Study with flashcards and multiple-choice questions, complete with hints and explanations. Ace your exam with confidence!



What command can you execute to enforce customer-managed encryption keys (CMEK) for all new Cloud Storage resources?

  1. organization policy: constraints/gcp.restrictNonCmekServices

  2. organization policy: gcp.enableCmekForStorage

  3. storage.googleapis.com bindings to allow CMEK only

  4. storage policy: enforceCmekOnNewBuckets

The correct answer is: organization policy: constraints/gcp.restrictNonCmekServices

To enforce customer-managed encryption keys (CMEK) for all new Cloud Storage resources, use the organization policy constraint 'constraints/gcp.restrictNonCmekServices'. It is effective because it sets a foundational policy at the organizational level. The constraint controls the use of Google Cloud services by restricting certain services to CMEK as the only encryption option. Applying this organization policy mandates that only services using CMEK can be used, so any new Cloud Storage resources must adhere to this requirement when they are created. This approach provides a centralized mechanism to enforce encryption standards and simplifies compliance with security policies across an organization.

The other options do not specifically enforce CMEK for all new Cloud Storage resources. Some may refer to enabling features or configuring bindings, but they do not use the broader organization policy framework that is required to set such a prevailing rule effectively. The organization policy constraint is therefore the most comprehensive and impactful method to achieve this enforcement.