Question 1
Domain 6
An ML Engineer needs to ensure that the sensitive training data stored in Cloud Storage is protected by encryption. The company requires full control over the key rotation schedule and needs to maintain an audit trail for key usage outside of Google Cloud’s automatic management. What is the most secure and appropriate encryption solution for this data at rest, meeting the requirements for external control and auditability?
Correct answer: B
Explanation
Customer-Managed Encryption Keys (CMEK) via Cloud KMS let the company control the key lifecycle, including rotation, instead of relying on Google-managed keys. Cloud KMS also provides audit logs for key usage, which supports the requirement to "maintain an audit trail for key usage" while protecting data at rest in Cloud Storage.
Why each option is right or wrong
A. Google-Managed Encryption Keys (GMEK)
B. Customer-Managed Encryption Keys (CMEK) via Cloud KMS
Cloud Storage supports encryption with Customer-Managed Encryption Keys through Cloud KMS, which is the only option here that gives the company direct control over key rotation and revocation rather than Google-managed defaults. Cloud KMS keys can be rotated on a schedule the customer defines, and key usage is recorded in Cloud Audit Logs, satisfying the requirement for externally controlled lifecycle management and an auditable trail for every cryptographic operation.
C. Customer-Supplied Encryption Keys (CSEK)
D. Client-Side Encryption