CCNA Ensuring data protection Questions

17 of 92 questions · Page 2/2 · Ensuring data protection · Answers revealed

76
Multi-Select · hard

A company uses BigQuery to store sensitive data and wants to implement data masking using policy tags. They have three user groups: data_engineers (full access), data_analysts (masked PII), and data_scientists (masked financial data). Which THREE steps should they take?

Select 3 answers
A. Publish the taxonomy to make the policy tags available for use.
B. Create a taxonomy in Cloud Data Catalog with policy tags for PII and financial data.
C. Apply only one policy tag per column.
D. Enable Cloud Audit Logs to track policy tag usage.
E. Define data masking rules using BigQuery's conditional access on the policy tags.
Answers: A, B, E

Taxonomy must be published before policy tags can be used.

Why this answer

Option A is correct because after creating a taxonomy with policy tags in Cloud Data Catalog, you must publish the taxonomy to make those policy tags available for use in BigQuery. Publishing associates the taxonomy with the project and allows BigQuery to enforce data masking rules based on the policy tags applied to columns.

Exam trap

Google Cloud often tests the misconception that only one policy tag can be applied per column, but BigQuery supports multiple tags per column, and the most restrictive masking rule is enforced.

77
MCQ · medium

A development team uses Cloud Secret Manager to store database credentials for an application running on Compute Engine. The application reads the secret using the Secret Manager API. After the team rotates the secret by adding a new version and setting it as the latest, the application continues to use the old secret version and fails to authenticate. The application is configured to fetch the secret with version 'latest' at startup. The team checks that the Compute Engine service account has the roles/secretmanager.secretAccessor role on the secret. What is the most likely cause of the issue?

A. Enable the new secret version by setting its state to 'enabled' via the Cloud Console, gcloud, or API.
B. Grant the service account the roles/secretmanager.secretAccessor at the project level instead of on the secret resource.
C. Update the application to use the specific version ID of the new secret instead of the 'latest' label.
D. Add an IAM condition on the secret that restricts access to only the latest version.
Answer: A

New versions are created disabled; they must be enabled to be accessible.

Why this answer

When a new secret version is added via Cloud Secret Manager, it is created in the 'disabled' state by default. Even if it is set as the 'latest' version, the application cannot access it until the version is explicitly enabled. The application fetches the secret using the 'latest' label, which points to the disabled version, causing authentication failure.

Enabling the new version resolves the issue.

Exam trap

Google Cloud often tests the misconception that setting a new version as 'latest' automatically makes it accessible, ignoring the default disabled state of newly added secret versions.

How to eliminate wrong answers

Option B is wrong because granting the role at the project level would not fix the issue; the service account already has the required role on the secret, but the secret version itself is disabled. Option C is wrong because using a specific version ID would still fail if that version is disabled; the core problem is the version state, not the label. Option D is wrong because adding an IAM condition does not affect the enabled/disabled state of a secret version; it only controls access based on attributes like resource tags or time, not version state.

78
MCQ · medium

Refer to the exhibit. A security engineer has created this IAM policy for a Cloud KMS key. The service account my-sa is used by a Compute Engine VM to encrypt data before storing it in Cloud Storage. User alice needs to decrypt the data for analysis. Which statement is true?

A. User alice can both encrypt and decrypt.
B. User alice needs the Cloud KMS CryptoKeyEncrypter role to encrypt.
C. The service account can encrypt but cannot decrypt.
D. The service account can both encrypt and decrypt.
Answer: C

It has only the CryptoKeyEncrypter role.

Why this answer

The IAM policy grants the service account my-sa the Cloud KMS CryptoKey Encrypter role, which allows it to encrypt but not decrypt. User alice is granted the Cloud KMS CryptoKey Decrypter role, which allows her to decrypt but not encrypt. Therefore, the service account can only encrypt, and user alice can only decrypt, making option C correct.

Exam trap

Google Cloud often tests the misconception that a service account used for encryption must also be able to decrypt, or that a user with decrypt permissions can also encrypt, when in fact Cloud KMS enforces strict role separation between encrypt and decrypt operations.

How to eliminate wrong answers

Option A is wrong because user alice is only granted the Cloud KMS CryptoKey Decrypter role, which does not include encrypt permissions; she cannot encrypt. Option B is wrong because user alice already has the Cloud KMS CryptoKey Decrypter role, which is sufficient for decryption, but she does not need the Cloud KMS CryptoKeyEncrypter role to encrypt because she is not performing encryption; the service account handles encryption. Option D is wrong because the service account is only granted the Cloud KMS CryptoKey Encrypter role, which explicitly excludes decrypt permissions; it cannot decrypt.

79
MCQ · hard

Refer to the exhibit. A security administrator is troubleshooting why a user cannot access a BigQuery dataset. The user analyst@example.com is not a member of data-team@example.com. The user is trying to query a table in the dataset. What is the most likely reason for the denial?

A. The user needs to be added as a dataOwner to query tables.
B. The user has the role roles/bigquery.dataViewer, which does not allow querying tables; it only allows viewing dataset metadata.
C. The dataset policy includes a condition that the user does not satisfy.
D. The table itself might have additional restrictions such as row-level security.
Answer: B

dataViewer is insufficient for querying.

Why this answer

Option B is correct because the role roles/bigquery.dataViewer only grants permission to view dataset metadata (e.g., table names, schema) but does not include the bigquery.tables.getData permission required to actually query table rows. Since the user is not a member of data-team@example.com and has only this role, any query attempt will be denied with an access denied error.

Exam trap

Google Cloud often tests the misconception that a role named 'dataViewer' implies the ability to view actual data, when in fact it only grants metadata visibility, not the ability to query table rows.

How to eliminate wrong answers

Option A is wrong because 'dataOwner' is not a standard BigQuery role; the correct role for querying tables is roles/bigquery.dataEditor or roles/bigquery.dataViewer with the bigquery.tables.getData permission, and adding a user as a dataOwner would not grant query access. Option C is wrong because the question states the user is trying to query a table in the dataset, and there is no mention of a condition in the dataset policy; the most likely reason is the insufficient role, not a condition failure. Option D is wrong because row-level security is an additional restriction that applies after the user already has table-level query access; the primary denial here is due to lack of the bigquery.tables.getData permission, not row-level security.

80
Multi-Select · easy

A healthcare organization needs to redact Social Security Numbers (SSNs) from patient records stored in Cloud Storage before sharing them with a research partner. They plan to use Cloud DLP. Which TWO actions should they take to configure the DLP job correctly? (Choose two.)

Select 2 answers
A. Apply a de-identification template that uses the 'redact' transformation on the identified SSNs.
B. Use the built-in infoType detector US_SOCIAL_SECURITY_NUMBER to identify SSNs.
C. Configure Access Transparency logs to track who accesses the objects.
D. Encrypt the objects with a CMEK key before running the DLP inspection.
E. Enable VPC Service Controls to prevent unauthorized access to the bucket.
Answers: A, B

Redact removes the detected sensitive data from the output.

Why this answer

Option A is correct because Cloud DLP de-identification templates allow you to specify a 'redact' transformation that completely removes or replaces the matched sensitive data, such as SSNs, from the content. This ensures that the output files shared with the research partner contain no trace of the original SSNs, meeting the redaction requirement.

Exam trap

Google Cloud often tests the distinction between data-level de-identification (DLP transformations) and infrastructure-level security controls (encryption, VPC Service Controls, logging), leading candidates to select options that protect the data at rest or in transit but do not actually redact the sensitive content.

81
MCQ · easy

A multinational organization must store customer data only in specific geographic regions to comply with data residency regulations. They use Cloud Spanner for their primary database. What should they do to enforce that data is stored only in approved regions?

A. Apply an organization policy with a constraint that restricts the location of Cloud Spanner resources to approved regions.
B. Create a Cloud Spanner instance in the desired region and configure a backup in a different region for disaster recovery.
C. Configure a VPC Service Controls perimeter to restrict access to Cloud Spanner.
D. Use Cloud Spanner with data residency constraints by selecting a multi-region configuration that includes only approved regions.
Answer: A

Organization policies can enforce location restrictions on resources.

Why this answer

Organization policies with resource location constraints allow you to enforce that Cloud Spanner instances are created only in approved geographic regions. This policy is evaluated at resource creation time and prevents the deployment of Spanner instances outside the specified regions, directly addressing data residency compliance requirements.

Exam trap

Google Cloud often tests the distinction between data residency enforcement (location constraints) and access control (VPC Service Controls) or data protection (backups), leading candidates to confuse network perimeters with geographic storage restrictions.

How to eliminate wrong answers

Option B is wrong because creating an instance in one region and a backup in another does not enforce data residency; the primary data could still be stored in a non-approved region. Option C is wrong because VPC Service Controls restrict network access to Cloud Spanner, not the geographic location where the data is stored. Option D is wrong because selecting a multi-region configuration that includes only approved regions does not prevent the instance from being placed in a non-approved region if the configuration is not restricted; the organization policy is needed to enforce the constraint.

82
MCQ · easy

A company wants to ensure that all data stored in Cloud Storage buckets is encrypted with a customer-managed key (CMEK) that is managed in Cloud KMS. The security team requires that only authorized applications can access the key. Which configuration step should be taken to achieve this?

A. Use a customer-supplied encryption key (CSEK) instead of CMEK.
B. Grant the Cloud KMS CryptoKey Encrypter/Decrypter role to the Cloud Storage service account at the Cloud KMS key resource.
C. Create a bucket with default encryption set to use a CMEK, and grant the service account the Cloud KMS Admin role.
D. Grant the Cloud KMS CryptoKey Encrypter/Decrypter role to the Cloud Storage service account at the project level.
Answer: B

This grants the minimum required permission at the specific key.

Why this answer

Option B is correct because Cloud Storage uses its own Google-managed service account to interact with Cloud KMS when encrypting or decrypting data with a CMEK. By granting the Cloud KMS CryptoKey Encrypter/Decrypter role to the Cloud Storage service account at the specific key resource, you authorize only that service account to use the key, ensuring that only authorized applications (via Cloud Storage) can access the key. This follows the principle of least privilege and meets the security team's requirement.

Exam trap

Google Cloud often tests the distinction between granting roles at the project level versus the resource level, and the trap here is that candidates mistakenly think granting the role at the project level is sufficient, but that would allow any bucket in the project to use the key, violating the 'only authorized applications' requirement.

How to eliminate wrong answers

Option A is wrong because CSEK (customer-supplied encryption key) is not managed in Cloud KMS; instead, the customer provides the key directly in each request, and Google does not store the key, which contradicts the requirement for a customer-managed key in Cloud KMS. Option C is wrong because granting the Cloud KMS Admin role to the Cloud Storage service account provides full administrative control over the key (including deletion and rotation), which is excessive and violates the principle of least privilege; the service account only needs the Encrypter/Decrypter role. Option D is wrong because granting the role at the project level would allow any Cloud Storage bucket in the project to use the key, potentially enabling unauthorized applications or buckets to access the key, which does not satisfy the requirement that only authorized applications can access the key.

83
Multi-Select · easy

A company wants to encrypt data at rest in Cloud SQL. Which TWO methods are supported? (Choose TWO.)

Select 2 answers
A. Default encryption at rest with Google-managed keys
B. Cloud HSM hardware security module for encryption
C. Cloud Key Management Service (Cloud KMS) as a standalone encryption method
D. Client-side encryption before storing data in Cloud SQL
E. Customer-managed encryption keys (CMEK) using Cloud KMS
Answers: A, E

By default, Cloud SQL encrypts data at rest using Google-managed encryption keys.

Why this answer

Option A is correct because Cloud SQL provides default encryption at rest using AES-256 with Google-managed keys, which are automatically generated and rotated by Google. This encryption is transparent to the user and requires no additional configuration, ensuring data is encrypted before being written to disk.

Exam trap

Google Cloud often tests the distinction between default encryption (Google-managed keys) and customer-managed encryption keys (CMEK) as the two supported methods, trapping candidates who think Cloud HSM or client-side encryption are built-in Cloud SQL features.

84
MCQ · easy

A company wants to ensure that all data stored in Cloud Storage buckets is encrypted at rest using a customer-managed key that is automatically rotated every 90 days. What should they do?

A. Create a Cloud KMS key ring and a key with rotation period set to 7776000s (90 days).
B. Use customer-supplied encryption keys (CSEK) and update them manually every 90 days.
C. Use default Google-managed encryption keys.
D. Use Cloud HSM to generate a key and implement a custom rotation script.
Answer: A

Cloud KMS supports automatic rotation of customer-managed keys.

Why this answer

Option A is correct because Cloud KMS allows you to create a customer-managed encryption key (CMEK) with an automatic rotation period of 7776000 seconds (90 days). When you set the rotation period on a key, Cloud KMS automatically rotates the key material at the specified interval, ensuring that all data encrypted with that key is protected by a new key version without manual intervention. This satisfies the requirement for customer-managed keys with automatic rotation.

Exam trap

Google Cloud often tests the distinction between automatic rotation (Cloud KMS CMEK with rotation period) and manual rotation (CSEK or custom scripts), leading candidates to choose manual or HSM-based options that lack built-in automatic rotation.

How to eliminate wrong answers

Option B is wrong because customer-supplied encryption keys (CSEK) require you to provide the key with each API call and you must manage rotation manually; there is no automatic rotation mechanism in Cloud Storage for CSEK. Option C is wrong because default Google-managed encryption keys are not customer-managed and cannot be rotated on a custom schedule; they are managed entirely by Google. Option D is wrong because Cloud HSM generates keys but does not provide built-in automatic rotation; implementing a custom rotation script introduces operational complexity and risk, and is not the recommended or simplest approach for automatic key rotation.

85
Multi-Select · medium

You are a security engineer for a healthcare organization. You need to protect sensitive patient data stored in Cloud Storage. You want to ensure that data is encrypted at rest using a customer-managed key (CMEK) and that access to the key is logged. You also need to prevent data exfiltration by limiting which service accounts can decrypt data. Which TWO steps should you take? (Choose two.)

Select 2 answers
A. Configure a VPC Service Controls perimeter that includes the Cloud Storage bucket and the KMS key.
B. Use Cloud HSM to create and manage the encryption key, and disable Cloud Audit Logs for the HSM key.
C. Enable default encryption (Google-managed key) on the bucket and use Cloud Audit Logs to monitor access.
D. Use customer-supplied encryption keys (CSEK) and store the key in Cloud Key Management Service (KMS).
E. Create a Cloud KMS key ring and key, and configure the bucket to use CMEK with that key. Enable Cloud Audit Logs for the KMS key.
Answers: A, E

VPC Service Controls restrict data exfiltration by preventing access from outside the perimeter.

Why this answer

Option A is correct because VPC Service Controls creates a security perimeter around the Cloud Storage bucket and the KMS key, preventing data exfiltration by blocking unauthorized service accounts from decrypting data outside the perimeter. Option E is correct because creating a Cloud KMS key ring and key, configuring the bucket to use CMEK, and enabling Cloud Audit Logs for the KMS key ensures encryption at rest with a customer-managed key and logs all access to the key, meeting both requirements.

Exam trap

Google Cloud often tests the distinction between CMEK and CSEK, where candidates mistakenly think CSEK can be stored in Cloud KMS for management, but CSEK is provided per request and not stored, while CMEK is fully managed in Cloud KMS with audit logging capabilities.

86
MCQ · medium

A company operates a hybrid cloud environment with on-premises data centers and Google Cloud Platform. They store sensitive customer data in Cloud Storage buckets and use Data Loss Prevention (DLP) to scan for and inspect sensitive content. They have automated DLP inspection jobs that run periodically, but they want to automatically redact sensitive data (e.g., Social Security numbers) in any new object as soon as it is written to a specific bucket. The redacted version should replace the original object in the same bucket. Which of the following is the most effective and recommended approach?

A. Set up a Cloud Function triggered by Cloud Storage 'finalize' events. The function calls the DLP API to inspect the object, creates a redacted version, and deletes the original object, replacing it with the redacted data.
B. Enable a bucket retention policy and use DLP to scan objects and quarantine those with sensitive data by moving them to a different bucket.
C. Use Cloud Storage Object Change Notifications to alert a Compute Engine instance that runs a DLP job to modify the object in place.
D. Use VPC Service Controls to create a secure perimeter around the bucket and then run DLP scans on a schedule.
Answer: A

This is the standard serverless pattern for automatic redaction. Cloud Functions respond to new objects, DLP inspects and redacts, and the function rewrites the object with the redacted content.

Why this answer

Option A is correct: triggering a Cloud Function on object finalize events, running DLP inspection, and rewriting the object with redacted data is the recommended pattern. Option B is incorrect because DLP cannot modify objects in place; it produces a new artifact. Option C is about retention, not redaction. Option D is about perimeter security and does not address redaction.

87
MCQ · hard

An organization uses BigQuery with column-level security. They have a column containing social security numbers (SSNs) that should only be visible to users with the 'PII_Viewer' role. How should they configure this?

A. Encrypt the column with CMEK and give decrypt permission only to PII_Viewer.
B. Use authorized views to filter the column.
C. Use BigQuery row-level access policies.
D. Create a policy tag on the column and bind it to the role.
Answer: D

Policy tags implement column-level security in BigQuery.

Why this answer

Option D is correct because BigQuery column-level security uses policy tags to restrict access to sensitive columns. By creating a policy tag on the SSN column and binding it to the 'PII_Viewer' role, only users with that role can see the data; others see NULL or are denied access. This is the native, recommended approach for column-level access control in BigQuery.

Exam trap

Google Cloud often tests the distinction between encryption (which protects data at rest but does not control access by role) and policy-based access controls (which enforce visibility at query time), leading candidates to mistakenly choose encryption options for column-level restrictions.

How to eliminate wrong answers

Option A is wrong because CMEK (Customer-Managed Encryption Keys) encrypts data at rest but does not provide column-level access control; decrypt permission applies to the entire table or dataset, not to specific columns or roles. Option B is wrong because authorized views can filter rows or columns, but they require creating a separate view and granting access to it, which is more complex and less granular than native column-level security; also, authorized views do not enforce role-based access on the base table. Option C is wrong because row-level access policies control which rows a user can see, not which columns; they cannot hide a specific column like SSN from unauthorized users.

88
MCQ · hard

Refer to the exhibit. You are analyzing the IAM policy for a project. You need to ensure that only authenticated users can access objects in bucket1 under the prefix "reports/". Which of the following statements is correct?

A. The condition on objectViewer also prevents alice from listing objects under reports/.
B. The service account sa-1 can view objects under reports/ in bucket1.
C. Bob can view, create, and delete any object in bucket1.
D. Alice can only view objects under reports/ in bucket1.
Answer: C

Bob has the objectAdmin role at the project level without conditions, granting him full control over all objects in bucket1.

Why this answer

Option C is correct because the IAM policy grants Bob the roles/storage.objectAdmin role on the entire bucket1, which includes permissions to view, create, and delete any object in the bucket. The condition restricting access to the "reports/" prefix applies only to the objectViewer role, not to Bob's role. Therefore, Bob has full administrative access to all objects in bucket1 without any prefix restriction.

Exam trap

Google Cloud often tests the misconception that a condition applied to one role binding automatically restricts all other role bindings for the same principal, leading candidates to incorrectly assume that Bob's objectAdmin role is limited by the condition on Alice's objectViewer role.

How to eliminate wrong answers

Option A is wrong because the condition on objectViewer restricts access to objects under the "reports/" prefix, but it does not prevent listing objects; listing is controlled by the storage.objects.list permission, which is granted by the objectViewer role, and the condition only limits the object-level actions (like get) to the prefix, not the list action itself. Option B is wrong because the service account sa-1 is not mentioned in the IAM policy exhibit; without explicit binding, sa-1 has no access to bucket1 objects. Option D is wrong because Alice is assigned the objectViewer role with a condition that limits access to objects under "reports/", but the condition also applies to listing; however, the statement says she can "only view objects under reports/" — this is partially true but misleading because the condition also restricts listing to that prefix, and the option does not mention that she cannot list objects outside the prefix, making it incorrect as a complete statement.

89
Drag & Drop · medium

Drag and drop the steps to rotate a customer-managed encryption key (CMEK) in Cloud KMS in the correct order.


Why this order

Key rotation involves creating a new version, enabling rotation, updating resource associations, verifying, and retiring old keys.

90
MCQ · medium

Refer to the exhibit. A security engineer needs to ensure that all objects uploaded to the bucket are automatically encrypted with the specified KMS key. They also need to preserve older versions of objects. Which statement accurately describes the bucket configuration?

A. The bucket has default KMS encryption and versioning is enabled.
B. The bucket has default KMS encryption but versioning is disabled.
C. The bucket uses CSEK and versioning is enabled.
D. The bucket uses Google-managed encryption and versioning is disabled.
Answer: A

Output shows default KMS key and versioning enabled.

Why this answer

Option A is correct because the question requires both automatic encryption of all uploaded objects using a specified KMS key and preservation of older object versions. Default KMS encryption ensures that any object uploaded without explicit encryption headers is automatically encrypted with the configured KMS key, while enabling versioning allows the bucket to retain noncurrent object versions. Together, these settings meet both requirements.

Exam trap

Google Cloud often tests the distinction between default encryption (which applies automatically to all new objects) and per-request encryption (like CSEK or customer-managed encryption keys), and the trap here is confusing CSEK with default KMS encryption or assuming that versioning is automatically enabled when encryption is configured.

How to eliminate wrong answers

Option B is wrong because while default KMS encryption is present, versioning is disabled, which means older versions of objects are not preserved — they are overwritten and lost. Option C is wrong because CSEK (Customer-Supplied Encryption Keys) is not a default encryption mechanism; it requires the client to supply the key with each upload, and the question specifies automatic encryption with a KMS key, not CSEK. Option D is wrong because Google-managed encryption does not allow specifying a particular KMS key, and versioning is disabled, failing both requirements.

91
MCQ · easy

A company uses Cloud Data Loss Prevention (DLP) to inspect sensitive data in Cloud Storage. They want to automatically redact credit card numbers found in text files before the files are accessed by downstream applications. Which DLP method should be used?

A. Use the DLP API's `content.deidentify` method with a `PrimitiveTransformation` of `replaceWithInfoType`.
B. Create a DLP job that uses the InspectJobConfig with a redact transformation.
C. Use Cloud DLP's inspect-only functionality and manually redact.
D. Set up a DLP inspection scan on the bucket with a `CryptoReplaceFfxFpe` transformation.
Answer: A

This method can redact sensitive data by replacing it with the info type name.

Why this answer

Option A is correct because the DLP API's `content.deidentify` method with a `PrimitiveTransformation` of `replaceWithInfoType` is designed to automatically replace sensitive data (like credit card numbers) with their corresponding info type labels (e.g., `[CREDIT_CARD_NUMBER]`) in text files. This method operates on content in memory or from Cloud Storage, enabling automated redaction before downstream access, without requiring a separate job or manual intervention.

Exam trap

Google Cloud often tests the distinction between inspection-only methods (which detect but do not modify) and deidentification methods (which transform data), and candidates may confuse DLP jobs (for scanning) with the `content.deidentify` API (for inline transformation), leading them to pick Option B or C.

How to eliminate wrong answers

Option B is wrong because DLP jobs (InspectJobConfig) are used for scanning and inspecting data at rest, but they do not support a direct 'redact transformation' in the job configuration; redaction is performed via the `deidentify` method, not through inspection jobs. Option C is wrong because inspect-only functionality only identifies sensitive data without modifying it, so manual redaction would be required, which contradicts the requirement for automatic redaction. Option D is wrong because `CryptoReplaceFfxFpe` is a format-preserving encryption (FPE) transformation that replaces data with encrypted values while preserving format, not a redaction method; it is used for tokenization, not for removing or replacing sensitive content with info types.

92
MCQ · hard

Refer to the exhibit. The security team created this key for encrypting database backups. After an audit, they found that data encrypted before May 1, 2023, cannot be decrypted. What is the most likely cause?

A. The rotation period is too short, causing old versions to be destroyed.
B. Key version 1 was deleted after the new primary was created.
C. The primary key version is disabled.
D. The algorithm GOOGLE_SYMMETRIC_ENCRYPTION is not supported by HSM.
Answer: B

If version 1 was deleted, data encrypted with it cannot be decrypted.

Why this answer

Option B is correct because when a new primary key version is created in Cloud KMS, the old primary key version is not automatically deleted. However, if the old key version (version 1) was manually deleted after promoting version 2 as the primary, any data encrypted with version 1 becomes permanently undecryptable. The audit finding that data encrypted before May 1, 2023 cannot be decrypted directly indicates that the key version used for that encryption (likely version 1) is no longer available, not just disabled or rotated.

Exam trap

Google Cloud often tests the distinction between key rotation (which creates new versions) and key version deletion (which removes the ability to decrypt old data), leading candidates to incorrectly assume that rotation alone causes decryption failures.

How to eliminate wrong answers

Option A is wrong because a short rotation period does not cause old key versions to be destroyed; rotation creates new versions while retaining old ones for decryption of previously encrypted data. Option C is wrong because disabling the primary key version would prevent any new encryption or decryption operations, not selectively break decryption of old data while allowing newer data to be decrypted. Option D is wrong because GOOGLE_SYMMETRIC_ENCRYPTION is a valid algorithm supported by both software and HSM-backed keys in Google Cloud KMS, and the issue is about key version availability, not algorithm support.
