Learn the best practice to ensure encryption keys used for at-rest data encryption in Google Cloud are rotated every 90 days to meet security controls. Discover how to implement an effective detection strategy using Cloud Asset Inventory.
Question
You must ensure that the keys used for at-rest encryption of your data are compliant with your organization’s security controls. One security control mandates that keys get rotated every 90 days. You must implement an effective detection strategy to validate if keys are rotated as required. What should you do?
A. Analyze the crypto key versions of the keys by using data from Cloud Asset Inventory. If an active key is older than 90 days, send an alert message through your incident notification channel.
B. Assess the keys in the Cloud Key Management Service by implementing code in Cloud Run. If a key is not rotated after 90 days, raise a finding in Security Command Center.
C. Define a metric that checks for timely key updates by using Cloud Logging. If a key is not rotated after 90 days, send an alert message through your incident notification channel.
D. Identify keys that have not been rotated by using Security Health Analytics. If a key is not rotated after 90 days, a finding in Security Command Center is raised.
Answer
A. Analyze the crypto key versions of the keys by using data from Cloud Asset Inventory. If an active key is older than 90 days, send an alert message through your incident notification channel.
Explanation
To ensure that the keys used for at-rest encryption of your data in Google Cloud are compliant with your organization’s security control mandating key rotation every 90 days, the most effective detection strategy is:
Analyze the crypto key versions of the keys by using data from Cloud Asset Inventory. If an active key is older than 90 days, send an alert message through your incident notification channel.
Here’s why this approach is the best:
- Cloud Asset Inventory is a powerful tool that provides a comprehensive view of all your Google Cloud assets, including encryption keys. It allows you to analyze the metadata and properties of your keys, such as the creation date and active versions.
- By leveraging the data from Cloud Asset Inventory, you can easily identify the age of each active key version. This enables you to determine if a key has been in use for more than 90 days without rotation.
- When an active key older than 90 days is detected, sending an alert message through your incident notification channel ensures that the relevant team or individuals are promptly informed. This allows for timely action to be taken to rotate the key and maintain compliance with the security control.
- This approach is straightforward to implement and does not require additional code or complex setup, making it an efficient solution for monitoring key rotation.
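The detection logic described above, worked through as an added example (this is not code from the page and not a Google tool): it reads CryptoKeyVersion records in the newline-delimited JSON shape of a Cloud Asset Inventory export, keeps only ENABLED versions, finds the newest enabled version of each key, and flags any key whose newest enabled version is older than 90 days. The record layout (`name`, `asset_type`, `resource.data` with `state` and `createTime`) and the sample timestamps are assumptions constructed for the example; the alert body is returned as text so that it can be handed to whatever notification channel the organization uses.

```python
import json
import re
from datetime import datetime, timezone

MAX_KEY_AGE_DAYS = 90
VERSION_ASSET_TYPE = "cloudkms.googleapis.com/CryptoKeyVersion"

# Constructed sample records in the assumed shape of a Cloud Asset Inventory
# JSON export. Project, key ring, key names and timestamps are invented.
SAMPLE_EXPORT = """\
{"name": "//cloudkms.googleapis.com/projects/demo-proj/locations/us/keyRings/ring-a/cryptoKeys/key-fresh/cryptoKeyVersions/2", "asset_type": "cloudkms.googleapis.com/CryptoKeyVersion", "resource": {"data": {"state": "ENABLED", "createTime": "2024-05-01T00:00:00.123456789Z"}}}
{"name": "//cloudkms.googleapis.com/projects/demo-proj/locations/us/keyRings/ring-a/cryptoKeys/key-fresh/cryptoKeyVersions/1", "asset_type": "cloudkms.googleapis.com/CryptoKeyVersion", "resource": {"data": {"state": "DISABLED", "createTime": "2023-11-01T00:00:00Z"}}}
{"name": "//cloudkms.googleapis.com/projects/demo-proj/locations/us/keyRings/ring-a/cryptoKeys/key-stale/cryptoKeyVersions/1", "asset_type": "cloudkms.googleapis.com/CryptoKeyVersion", "resource": {"data": {"state": "ENABLED", "createTime": "2024-01-15T00:00:00Z"}}}
{"name": "//cloudkms.googleapis.com/projects/demo-proj/locations/us/keyRings/ring-a/cryptoKeys/key-stale", "asset_type": "cloudkms.googleapis.com/CryptoKey", "resource": {"data": {"purpose": "ENCRYPT_DECRYPT"}}}
"""


def parse_rfc3339(ts):
    """Parse a Cloud API timestamp such as 2024-01-15T00:00:00.123456789Z.

    datetime.fromisoformat wants '+00:00' rather than 'Z' and at most
    microsecond precision, so trim the fraction and rewrite the zone.
    """
    ts = re.sub(r"\.(\d{1,6})\d*", r".\1", ts).replace("Z", "+00:00")
    return datetime.fromisoformat(ts)


def load_export(text):
    """Parse newline-delimited JSON asset records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def newest_enabled_versions(records):
    """Map each crypto key name to the create time of its newest ENABLED version.

    Non-version assets and DISABLED/DESTROYED versions are ignored. An old
    version that is still enabled only for decrypting old data does not by
    itself mean the key was never rotated, so the newest enabled version is
    the one judged against the rotation window.
    """
    newest = {}
    for rec in records:
        if rec.get("asset_type") != VERSION_ASSET_TYPE:
            continue
        data = rec.get("resource", {}).get("data", {})
        if data.get("state") != "ENABLED" or "createTime" not in data:
            continue
        key_name, _, _ = rec["name"].partition("/cryptoKeyVersions/")
        created = parse_rfc3339(data["createTime"])
        if key_name not in newest or created > newest[key_name]:
            newest[key_name] = created
    return newest


def find_stale_keys(records, now, max_age_days=MAX_KEY_AGE_DAYS):
    """Return sorted [(key_name, age_days)] for keys whose newest enabled version is too old."""
    findings = []
    for key_name, created in newest_enabled_versions(records).items():
        age_days = (now - created).days
        if age_days > max_age_days:
            findings.append((key_name, age_days))
    return sorted(findings)


def format_alert(findings, max_age_days=MAX_KEY_AGE_DAYS):
    """Render findings as the text body of an incident notification."""
    if not findings:
        return "All Cloud KMS keys rotated within %d days." % max_age_days
    lines = ["%d Cloud KMS key(s) exceed the %d-day rotation window:"
             % (len(findings), max_age_days)]
    lines += ["  %s (newest enabled version is %d days old)" % f for f in findings]
    return "\n".join(lines)


def check_sample(now_iso):
    """Evaluate the constructed sample export as of the given RFC 3339 instant."""
    return find_stale_keys(load_export(SAMPLE_EXPORT), parse_rfc3339(now_iso))


if __name__ == "__main__":
    print(format_alert(check_sample(datetime.now(timezone.utc).isoformat())))
```

Run against the constructed sample as of 2024-06-01, `key-fresh` passes (its newest enabled version is a month old, and its disabled version is ignored) while `key-stale` is reported at 138 days. In production the records would come from a Cloud Asset Inventory export of the organization's `cloudkms.googleapis.com/CryptoKeyVersion` assets rather than the embedded sample.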
The other options have limitations:
- Assessing keys in Cloud Key Management Service using Cloud Run code (B) is more complex and may not cover all keys used for at-rest encryption.
- Using Cloud Logging metrics (C) to check for key updates can be less reliable and may require more setup and maintenance.
- Security Health Analytics (D) may not provide the same level of detail and control as directly analyzing the key versions using Cloud Asset Inventory.
By implementing this detection strategy, you can effectively ensure that your encryption keys are rotated every 90 days, maintaining the security and compliance of your at-rest data in Google Cloud.