Question 1
Domain 2: Data Protection and Identity Security
Which approach to Bring Your Own Key (BYOK) in the cloud provides the customer with the HIGHEST level of control while still leveraging cloud provider encryption services?
Correct answer: B
Explanation
Customer key custody gives the highest control because the customer retains ownership and management of the encryption key, while the cloud provider only uses it to perform encryption operations through an API. This preserves customer control over the key itself while still leveraging the provider’s encryption services.
Why each option is right or wrong
A. Customer provides keys that the cloud provider manages and stores
Once the provider manages and stores the key, custody has changed hands: the provider can use the key whenever its own systems decide to, and the customer depends on the provider to carry out rotation, revocation and deletion. That is less control than keeping custody and exposing only key operations through an API, so this is not the highest-control option.
B. Customer maintains key custody with cloud provider performing encryption operations via API
Under this model the customer retains custody and lifecycle control of the key material, and the cloud provider only invokes cryptographic operations through an API; the key itself is never handed over. This is the highest-control arrangement short of fully self-managed on-premises encryption, because the customer can rotate, revoke or delete the key unilaterally, and the provider's ability to decrypt ends the moment that access is withdrawn. One caveat a practitioner should keep in mind: the provider still performs the operations, so it handles plaintext while doing so. What the customer controls is the key and its lifecycle, not the data while the provider is processing it.
C. Customer performs all encryption/decryption outside the cloud and only stores ciphertext
This gives the customer complete control, but it does not use the provider's encryption services at all, which the question requires. The cloud is reduced to a store for opaque ciphertext, and every cryptographic operation has to run on the customer's side.
D. Customer shares keys with the cloud provider through email for emergency access
Emailing key material exposes it in transit and leaves copies in mailboxes and backups outside any key-management system. Once sent, the customer cannot control, audit or revoke the provider's use of the key, so this is the weakest option on control as well as on basic key hygiene.
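The custody split behind option B, as an added worked example that is not part of the original question set: a customer-side key service holds the key-encryption key (KEK) and exposes only wrap/unwrap calls, and the provider does envelope encryption by calling that API. Everything here is constructed for illustration. CustomerKeyService, ProviderEncrypt, ProviderDecrypt, the key ID "kek-1" and the sample object are hypothetical names, not any vendor's API. The point the code makes is the one in the explanation above: the provider never holds the KEK, and the moment the customer revokes it, on the customer's side alone, the provider's stored copy can no longer be decrypted.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// randBytes draws from the CSPRNG; a CSPRNG failure is fatal, not something to continue past.
func randBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

// aead returns AES-256-GCM for a 32-byte key; every key in this program comes from randBytes(32).
func aead(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	g, _ := cipher.NewGCM(block) // cannot fail for an AES block
	return g
}

// seal returns nonce||ciphertext with aad authenticated; open reverses it and fails on a wrong key or tampering.
func seal(key, plaintext, aad []byte) []byte {
	g := aead(key)
	nonce := randBytes(g.NonceSize())
	return g.Seal(nonce, nonce, plaintext, aad)
}

func open(key, blob, aad []byte) ([]byte, error) {
	g := aead(key)
	if len(blob) < g.NonceSize() {
		return nil, fmt.Errorf("ciphertext too short")
	}
	return g.Open(nil, blob[:g.NonceSize()], blob[g.NonceSize():], aad)
}

// CustomerKeyService is the hypothetical customer-side key store. KEKs never leave it;
// the provider can only call WrapDEK and UnwrapDEK.
type CustomerKeyService struct {
	keks    map[string][]byte
	revoked map[string]bool
}

func NewCustomerKeyService() *CustomerKeyService { return &CustomerKeyService{map[string][]byte{}, map[string]bool{}} }

// CreateKEK and Revoke are customer-only lifecycle actions; the provider is never consulted.
func (s *CustomerKeyService) CreateKEK(id string) { s.keks[id] = randBytes(32) }
func (s *CustomerKeyService) Revoke(id string)    { s.revoked[id] = true }

// useKEK is the "encryption operations via API" boundary: the KEK is applied here, on the
// customer side, and only wrapped data keys ever cross to the provider.
func (s *CustomerKeyService) useKEK(id string, op func(kek []byte) ([]byte, error)) ([]byte, error) {
	kek, ok := s.keks[id]
	if !ok || s.revoked[id] {
		return nil, fmt.Errorf("kek %q unavailable (unknown or revoked)", id)
	}
	return op(kek)
}

func (s *CustomerKeyService) WrapDEK(id string, dek []byte) ([]byte, error) {
	return s.useKEK(id, func(kek []byte) ([]byte, error) { return seal(kek, dek, []byte(id)), nil })
}
func (s *CustomerKeyService) UnwrapDEK(id string, wrapped []byte) ([]byte, error) {
	return s.useKEK(id, func(kek []byte) ([]byte, error) { return open(kek, wrapped, []byte(id)) })
}

// StoredObject is everything the hypothetical provider persists: no KEK and no plaintext DEK.
type StoredObject struct{ KEKID string; WrappedDEK, Ciphertext []byte }

// ProviderEncrypt is the provider side of envelope encryption: a fresh per-object DEK encrypts
// the data locally, and only the customer-wrapped copy of that DEK is kept.
func ProviderEncrypt(kms *CustomerKeyService, kekID, name string, plaintext []byte) (StoredObject, error) {
	dek := randBytes(32)
	wrapped, err := kms.WrapDEK(kekID, dek)
	if err != nil {
		return StoredObject{}, err
	}
	return StoredObject{kekID, wrapped, seal(dek, plaintext, []byte(name))}, nil
}

// ProviderDecrypt works only while the customer still honours unwrap requests for that KEK.
func ProviderDecrypt(kms *CustomerKeyService, obj StoredObject, name string) ([]byte, error) {
	dek, err := kms.UnwrapDEK(obj.KEKID, obj.WrappedDEK)
	if err != nil {
		return nil, err
	}
	return open(dek, obj.Ciphertext, []byte(name))
}

func main() {
	kms := NewCustomerKeyService()
	kms.CreateKEK("kek-1")
	obj, _ := ProviderEncrypt(kms, "kek-1", "report.txt", []byte("quarterly numbers"))
	fmt.Println(ProviderDecrypt(kms, obj, "report.txt"))
	kms.Revoke("kek-1") // customer acts alone; the provider's stored copy is now unreadable
	fmt.Println(ProviderDecrypt(kms, obj, "report.txt"))
}
```

The object name is bound as AEAD associated data so a ciphertext cannot be quietly relabelled, and the wrapped DEK is bound to its KEK ID for the same reason. Note what the provider does hold while ProviderEncrypt or ProviderDecrypt runs: the plaintext DEK and the plaintext data. That is the limit of this model, as the explanation for option B says: the customer controls the key and its lifecycle, not the data during the provider's processing of it.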