A cloud security team is implementing encryption for data at rest in a cloud storage service. They require that the encryption keys be managed by the customer and that the cloud provider has access to the keys only when authorized by the customer. Which TWO key management options meet these requirements? (Select TWO.)
Customer creates keys in cloud KMS and controls access.
Why this answer
CMEK (Customer-Managed Encryption Keys) allows the customer to create and manage keys in cloud KMS, and BYOK (Bring Your Own Key) allows importing keys into cloud KMS. In both cases, the provider can access the keys when authorized.