← Google Professional Data Engineer - 340 Questions

Free Preview

Question 1 of 5

A company stores sensitive customer data in BigQuery. The security team requires that only specific service accounts can decrypt and read the data. The data must remain encrypted at rest using customer-managed keys. Which approach should a data engineer implement?

Enable CMEK on the BigQuery dataset using Cloud KMS and grant the Cloud KMS CryptoKey Encrypter/Decrypter role only to the required service accounts. Use Google-managed encryption keys (GMEK) and restrict access via BigQuery IAM roles on the dataset. Configure Customer-Supplied Encryption Keys (CSEK) on the BigQuery tables and share the raw key only with authorized service accounts. Enable VPC Service Controls around the BigQuery API and require all access to go through a specific service perimeter.

This is a free preview. Create an account to access all 340 questions.

Free Preview

We use cookies

Cookie Settings

Essential Cookies Always Active

Analytics Cookies

Advertising Cookies