A company stores sensitive customer data in Cloud Storage and uses CMEK with Cloud KMS. They want to ensure that data in transit to the storage bucket is always encrypted using TLS 1.2 or higher. Which configuration should they implement?
Option B as written: a bucket-level 'requireTls' setting that enforces TLS 1.2+ for all requests to the bucket. Note, as a caveat, that Cloud Storage exposes no such setting; the supported minimum-TLS-version control in Google Cloud is the organization policy constraint constraints/gcp.restrictTLSVersion.
Why this answer
Option B is the intended answer, but the mechanism it names does not exist: Cloud Storage has no 'requireTls' transport security setting, and IAM Conditions on a bucket expose no such attribute. The control that actually rejects old TLS versions on requests to Google Cloud API endpoints, storage.googleapis.com included, is the organization policy list constraint constraints/gcp.restrictTLSVersion with TLS_VERSION_1 and TLS_VERSION_1_1 in its denied values. Two practical points follow. First, the policy is set on an organization, folder or project and inherited downward; it cannot be scoped to a single bucket, so every bucket (and every other API endpoint) under that resource is covered. Second, it governs only the TLS version a client may negotiate; it does not make plaintext clients start using TLS. The JSON API, gcloud and the client libraries already speak HTTPS only, so the residual risk is a client negotiating TLS 1.0 or 1.1, which is exactly what the constraint closes.
How to eliminate wrong answers
Option A is wrong because Cloud Armor attaches to external HTTP(S) load balancer backends (a bucket is only in scope when it is served through a backend bucket); it filters requests and mitigates DDoS at that layer and sets no TLS policy on the storage.googleapis.com endpoint. A minimum TLS version on a load balancer is an SSL policy attached to the target HTTPS proxy, not a Cloud Armor rule. Option C is wrong because CMEK with Cloud HSM encrypts data at rest using customer-managed keys, not data in transit; it does not enforce TLS version requirements. Option D is wrong because there is no 'sslEnabled' attribute in Cloud Storage IAM policies; the same is true of 'requireTls', so the real distinction is not between two attribute names but between a non-existent bucket-level condition and the organization policy constraint that enforces TLS versions.
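As an added example (not from the original question or from Google's documentation), the following shell functions generate and apply the organization policy described above and probe the endpoint afterwards. The scope string (organizations/123456789012) and the use of gcloud and openssl are assumptions; you need orgpolicy.policy.set on the scope, and the policy takes a few minutes to propagate.

```shell
#!/bin/sh
# Added example: enforce TLS 1.2+ on Google Cloud API requests (Cloud Storage
# included) with the org policy constraint constraints/gcp.restrictTLSVersion.
# Scope values such as organizations/123456789012 are placeholders.

# Render the policy file for gcloud org-policies set-policy.
# $1: resource scope, e.g. organizations/123456789012 or projects/my-project
render_tls_policy() {
  scope="$1"
  cat <<EOF
name: ${scope}/policies/gcp.restrictTLSVersion
spec:
  rules:
  - values:
      deniedValues:
      - TLS_VERSION_1
      - TLS_VERSION_1_1
EOF
}

# Apply the rendered policy at the given scope. Not invoked by default.
apply_tls_policy() {
  scope="$1"
  tmp=$(mktemp)
  render_tls_policy "$scope" > "$tmp"
  gcloud org-policies set-policy "$tmp"
  rm -f "$tmp"
}

# Show the effective (inherited) policy on a project. Not invoked by default.
show_effective_policy() {
  project="$1"
  gcloud org-policies describe gcp.restrictTLSVersion \
      --project="$project" --effective
}

# Return 0 if the rendered policy denies the given TLS version constant,
# e.g. TLS_VERSION_1_1; return 1 otherwise.
policy_denies() {
  scope="$1"; version="$2"
  render_tls_policy "$scope" | grep -q -- "- ${version}\$"
}

# Handshake probe. Once the policy is in effect, probe_tls -tls1_1 should
# fail while probe_tls -tls1_2 still succeeds. Success is detected by the
# server certificate having been received. Caveat: OpenSSL 3 at its default
# security level refuses to offer TLS 1.1 itself, so a failure with -tls1_1
# may come from the client rather than from Google; use -cipher 'DEFAULT:@SECLEVEL=0'
# or an older OpenSSL build to make the probe meaningful.
probe_tls() {
  flag="$1"   # -tls1_1 or -tls1_2
  printf '' | openssl s_client "$flag" -connect storage.googleapis.com:443 \
      -servername storage.googleapis.com 2>/dev/null \
    | grep -q 'Server public key is'
}
```

Typical use is render_tls_policy to review the file, apply_tls_policy at the organization scope so every project inherits it, show_effective_policy on a project to confirm inheritance, then probe_tls -tls1_1 and probe_tls -tls1_2 once propagation has finished. Because the constraint is inherited, inventory clients that still negotiate TLS 1.0/1.1 before applying it at the organization level; applying it to a test project first limits the blast radius.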