A company stores sensitive customer data in Cloud Storage. They want to ensure that data is encrypted at rest using customer-managed encryption keys (CMEK) and that access to the key is audited. Which approach should they use?
Trap 1: Use Google-managed encryption keys and enable Cloud Audit Logs for…
With Google-managed keys there is no customer-controlled key to rotate, restrict, or audit; audit logs on the bucket record object access, not key use.
Trap 2: Use CMEK with key material stored in a Cloud Storage bucket.
CMEK keys are Cloud KMS keys; a key written as an object into a Cloud Storage bucket is just data and cannot be referenced as the bucket's default encryption key.
Trap 3: Use customer-supplied encryption keys (CSEK) and store the keys in…
CSEK keys are supplied by the client on every request and are never held or audited by Google; Cloud Storage has no integration that pulls a key from Secret Manager.
- A
Use Google-managed encryption keys and enable Cloud Audit Logs for the bucket.
Why wrong: With Google-managed keys there is no customer-controlled key to rotate, restrict, or audit. Cloud Audit Logs on the bucket record who read or wrote objects, not how the encryption key was used.
- B
Use CMEK with key material stored in a Cloud Storage bucket.
Why wrong: CMEK keys are Cloud KMS keys (including keys backed by Cloud HSM or an external key manager through Cloud KMS). A key written as an object into a Cloud Storage bucket is just data: it cannot be referenced as the bucket's default encryption key, and storing it there exposes the key to anyone with read access to the bucket.
- C
Use customer-supplied encryption keys (CSEK) and store the keys in Secret Manager.
Why wrong: CSEK keys are supplied by the client in request headers on every operation and are never held by Google, so there is no server-side key to audit. Cloud Storage has no integration that pulls a key from Secret Manager; a Secret Manager read by the client would be logged, but the use of the key to encrypt or decrypt objects would not.
- D
Use CMEK with a Cloud KMS key and enable Cloud Audit Logs for the key.
Why right: CMEK keys are Cloud KMS keys referenced as the bucket's default encryption key (or per object), so the customer controls rotation, IAM on the key, and can disable or destroy the key to cut off decryption. Cloud KMS Admin Activity logs are on by default; Data Access logs for cloudkms.googleapis.com must be enabled so that the Cloud Storage service agent's Encrypt and Decrypt calls on the key appear in Cloud Audit Logs.
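Option D has three moving parts that are easy to get half right: the bucket must reference a Cloud KMS key, the bucket's service agent must hold the Encrypter/Decrypter role on that key, and Cloud KMS Data Access logging must be enabled at the project level. The following check is an added example, not part of the original question or of any Google tool. It runs offline over constructed JSON documents shaped like the Storage JSON API bucket resource, a Cloud KMS key IAM policy, and a project IAM policy (the latter two as returned by `gcloud kms keys get-iam-policy ... --format=json` and `gcloud projects get-iam-policy ... --format=json`); the project number, bucket name, and key names are hypothetical.

```python
"""Verify CMEK + key auditing on a Cloud Storage bucket (added example).

Inputs are constructed JSON documents shaped like the Storage JSON API
bucket resource, a Cloud KMS key IAM policy and a project IAM policy.
Project number, bucket and key names below are hypothetical.
"""
import re

# Cloud KMS key resource name: projects/P/locations/L/keyRings/R/cryptoKeys/K
KMS_KEY_RE = re.compile(
    r"^projects/[^/]+/locations/[^/]+/keyRings/[^/]+/cryptoKeys/[^/]+$"
)
ENCRYPTER_DECRYPTER = "roles/cloudkms.cryptoKeyEncrypterDecrypter"
KMS_SERVICE = "cloudkms.googleapis.com"
# Data Access log types that record Encrypt/Decrypt calls on a key.
REQUIRED_LOG_TYPES = {"DATA_READ", "DATA_WRITE"}


def gcs_service_agent(project_number: str) -> str:
    """IAM member string of the Cloud Storage service agent for a project."""
    return (
        "serviceAccount:service-"
        f"{project_number}@gs-project-accounts.iam.gserviceaccount.com"
    )


def check_bucket_cmek(bucket: dict) -> list:
    """The bucket must name a Cloud KMS key as its default encryption key."""
    key = bucket.get("encryption", {}).get("defaultKmsKeyName")
    if not key:
        return ["bucket has no default CMEK key (objects use Google-managed keys)"]
    if not KMS_KEY_RE.match(key):
        return [f"defaultKmsKeyName is not a Cloud KMS key resource: {key}"]
    return []


def check_key_iam(key_policy: dict, service_agent: str) -> list:
    """The bucket's service agent needs Encrypter/Decrypter on the key."""
    for binding in key_policy.get("bindings", []):
        if (binding.get("role") == ENCRYPTER_DECRYPTER
                and service_agent in binding.get("members", [])):
            return []
    return [f"{service_agent} lacks {ENCRYPTER_DECRYPTER} on the key"]


def check_kms_audit_logs(project_policy: dict) -> list:
    """Cloud KMS Data Access logs must be on (Admin Activity logs always are)."""
    enabled = set()
    for cfg in project_policy.get("auditConfigs", []):
        # A per-service entry and an allServices entry both count.
        if cfg.get("service") in (KMS_SERVICE, "allServices"):
            for log_cfg in cfg.get("auditLogConfigs", []):
                enabled.add(log_cfg.get("logType"))
    missing = sorted(REQUIRED_LOG_TYPES - enabled)
    if missing:
        return [f"Cloud KMS Data Access logging missing: {', '.join(missing)}"]
    return []


def audit(bucket: dict, key_policy: dict, project_policy: dict,
          project_number: str) -> list:
    """Return all findings; an empty list means the bucket matches option D."""
    agent = gcs_service_agent(project_number)
    return (check_bucket_cmek(bucket)
            + check_key_iam(key_policy, agent)
            + check_kms_audit_logs(project_policy))


# Constructed sample documents (hypothetical names and numbers).
PROJECT_NUMBER = "123456789012"
GOOD_KEY = "projects/example-proj/locations/us/keyRings/gcs-ring/cryptoKeys/gcs-key"
GOOD_BUCKET = {"name": "example-customer-data",
               "encryption": {"defaultKmsKeyName": GOOD_KEY}}
GOOD_KEY_POLICY = {"bindings": [
    {"role": ENCRYPTER_DECRYPTER,
     "members": [gcs_service_agent(PROJECT_NUMBER)]}]}
GOOD_PROJECT_POLICY = {"auditConfigs": [
    {"service": KMS_SERVICE,
     "auditLogConfigs": [{"logType": "DATA_READ"}, {"logType": "DATA_WRITE"}]}]}

# Option A as deployed: no CMEK, audit logs only on Cloud Storage.
BAD_BUCKET = {"name": "example-customer-data"}
BAD_PROJECT_POLICY = {"auditConfigs": [
    {"service": "storage.googleapis.com",
     "auditLogConfigs": [{"logType": "DATA_READ"}]}]}

if __name__ == "__main__":
    for label, args in (("option D", (GOOD_BUCKET, GOOD_KEY_POLICY, GOOD_PROJECT_POLICY)),
                        ("option A", (BAD_BUCKET, {}, BAD_PROJECT_POLICY))):
        print(label, audit(*args, PROJECT_NUMBER) or ["compliant"])
```

The third check is the one most often forgotten: enabling Cloud Audit Logs "for the bucket" does not produce key-use records, and KMS Data Access logs are off by default, so a bucket can have CMEK configured while Encrypt/Decrypt calls on its key go unrecorded.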