Google Exam Professional Data Engineer Topic 5 Question 92 Discussion

Actual exam question for Google's Professional Data Engineer exam

Question #: 92
Topic #: 5

[All Professional Data Engineer Questions]

You want to encrypt the customer data stored in BigQuery. You need to implement for-user crypto-deletion on data stored in your tables. You want to adopt native features in Google Cloud to avoid custom solutions. What should you do?

ACreate a customer-managed encryption key (CMEK) in Cloud KMS. Associate the key to the table while creating the table.

BCreate a customer-managed encryption key (CMEK) in Cloud KMS. Use the key to encrypt data before storing in BigQuery.

CImplement Authenticated Encryption with Associated Data (AEAD) BigQuery functions while storing your data in BigQuery.

DEncrypt your data during ingestion by using a cryptographic library supported by your ETL pipeline.

Show Suggested Answer

Suggested Answer: A

To implement for-user crypto-deletion and ensure that customer data stored in BigQuery is encrypted, using native Google Cloud features, the best approach is to use Customer-Managed Encryption Keys (CMEK) with Cloud Key Management Service (KMS). Here's why:

Customer-Managed Encryption Keys (CMEK):

CMEK allows you to manage your own encryption keys using Cloud KMS. These keys provide additional control over data access and encryption management.

Associating a CMEK with a BigQuery table ensures that data is encrypted with a key you manage.

For-User Crypto-Deletion:

For-user crypto-deletion can be achieved by disabling or destroying the CMEK. Once the key is disabled or destroyed, the data encrypted with that key cannot be decrypted, effectively rendering it unreadable.

Native Integration:

Using CMEK with BigQuery is a native feature, avoiding the need for custom encryption solutions. This simplifies the management and implementation of encryption and decryption processes.

Steps to Implement:

Create a CMEK in Cloud KMS:

Set up a new customer-managed encryption key in Cloud KMS.

Associate the CMEK with BigQuery Tables:

When creating a new table in BigQuery, specify the CMEK to be used for encryption.

This can be done through the BigQuery console, CLI, or API.

BigQuery and CMEK

Cloud KMS Documentation

Encrypting Data in BigQuery

by Hoa at Sep 09, 2024, 07:58 PM

Limited Time Offer

25%

Off

Get Premium Professional Data Engineer Questions as Interactive Web-Based Practice Test or PDF

Contribute your Thoughts:

Submit Cancel

Irma

1 months ago

I think option D is the most practical choice for our scenario.

upvoted 0 times

...

Naomi

1 months ago

I prefer option C, it provides better data protection.

upvoted 0 times

...

Nathalie

1 months ago

I disagree, option B seems more secure to me.

upvoted 0 times

...

2 months ago

Option B all the way! Who doesn't love a good old-fashioned customer-managed encryption key?

upvoted 0 times

Ashlyn

29 days ago

C) Implement Authenticated Encryption with Associated Data (AEAD) BigQuery functions while storing your data in BigQuery.

upvoted 0 times

...

Yesenia

1 months ago

A) That sounds like a secure option. Good choice!

upvoted 0 times

...

Janna

1 months ago

B) Create a customer-managed encryption key (CMEK) in Cloud KMS. Use the key to encrypt data before storing in BigQuery.

upvoted 0 times

...

Ngoc

1 months ago

A) Create a customer-managed encryption key (CMEK) in Cloud KMS. Associate the key to the table while creating the table.

upvoted 0 times

...

2 months ago

Option B seems like the way to go. Keeping the encryption key separate from the data is a good security practice.

upvoted 0 times

Louvenia

2 months ago

I agree. Using a customer-managed encryption key in Cloud KMS for encrypting data before storing in BigQuery is a secure approach.

upvoted 0 times

...

Abel

2 months ago

I think option B is the best choice. It's important to keep the encryption key separate from the data.

upvoted 0 times

...