A Cloud Storage bucket contains sensitive PII data. You need to ensure that objects in this bucket are encrypted using a key that your security team controls, and that the key can be revoked if needed to render all data inaccessible. Which encryption option should you use?
CMEK with Cloud KMS gives your security team full control: key creation, rotation, and revocation (disable/destroy). Disabling the KMS key renders all data encrypted with it inaccessible; destroying the key version makes that permanent, which is cryptographic shredding.
Why this answer
Option B is correct because Customer-Managed Encryption Keys (CMEK) allow you to control and manage the key used for encrypting Cloud Storage objects via Cloud KMS. This enables key revocation, which immediately renders all data encrypted with that key inaccessible, meeting the security team's requirement for revocable control.
Exam trap
Google Cloud exams often test the distinction between CMEK and CSEK. Candidates mistakenly choose CSEK, thinking it gives more control, but CMEK is the only option that supports centralized key revocation without changing API call patterns.
How to eliminate wrong answers
Option A is wrong because Google-managed encryption keys (default) are controlled by Google, not your security team, and cannot be revoked by you. Option C is wrong because Cloud Storage's built-in server-side encryption with AES-256 is also Google-managed and does not provide customer-controlled key revocation. Option D is wrong because Customer-Supplied Encryption Keys (CSEK) require embedding the key in each API request, which does not allow centralized key management or revocation; the key is supplied per operation and not stored or managed by Cloud KMS.