Google Cloud Professional Cloud Security Engineer Practice Exam

Which encryption service is recommended for managing encrypted keys that requires FIPS 140-2 Level 3 validation?

• A. Google-managed encryption keys
• B. Customer-managed encryption keys with Cloud HSM
• C. Cloud Key Management Service
• D. Client-side encryption tools

The correct answer is: Customer-managed encryption keys with Cloud HSM

The recommended encryption service for managing encrypted keys that requires FIPS 140-2 Level 3 validation is customer-managed encryption keys with Cloud HSM. This service uses hardware security modules (HSMs) to manage encryption keys, ensuring that keys are stored and used in a highly secure environment. FIPS 140-2 is a federal standard that defines security requirements for cryptographic modules. Meeting Level 3 validation means that the hardware must provide a higher level of security by ensuring that sensitive data is protected against unauthorized access and tampering, including through physical security measures. Using customer-managed encryption keys with Cloud HSM directly addresses compliance requirements and provides strong protection for sensitive data by leveraging the security capabilities of HSMs specifically designed to meet FIPS standards. This solution is appropriate for customers who need to maintain tighter control over their encryption keys while also meeting regulatory compliance requirements. In contrast, other options may not provide the necessary level of security or compliance required by FIPS 140-2 Level 3. For example, Google-managed encryption keys are managed by Google and do not provide the same level of control as customer-managed options. Cloud Key Management Service, while strong, may not specifically guarantee FIPS Level 3. Client-side encryption tools