Google Cloud Professional Cloud Security Engineer Practice Exam

Which practices help reduce the impact of a compromised symmetric encryption key in Cloud KMS?

• A. Enable manual key version rotation
• B. Enable automatic key version rotation
• C. Increase the number of messages per key version
• D. Store keys in multiple locations

The correct answer is: Enable automatic key version rotation

Enabling automatic key version rotation is a crucial practice in managing encryption keys, particularly in reducing the impact of a compromised symmetric encryption key in Cloud Key Management Service (KMS). When automatic rotation is enabled, keys are rotated at a set interval without requiring manual intervention. This means that even if a key is compromised, its validity is limited to a certain period, reducing the potential window for an attacker to misuse a stolen key. Additionally, automatic key rotation fosters a more secure environment by ensuring that keys are updated regularly, which is considered a best practice in cryptographic key management. The timely rotation of keys enhances security posture, as it minimizes the chances of any long-term exposure associated with a single encryption key. Other practices, such as manual key version rotation or increasing the number of messages per key version, do not offer the same level of automatic enforcement and protection against prolonged exposure. Manual rotation requires additional administrative effort and does not guarantee that keys will be rotated promptly, while a higher number of messages per key version could increase the risk if that key is compromised, as more data is at risk. Storing keys in multiple locations could introduce additional complexity and potential security concerns, rather than directly addressing the issue of key compromise.