You manage a mission-critical workload for your organization, which is in a highly regulated industry. The workload uses Compute Engine VMs to analyze and process the sensitive data after it is uploaded to Cloud Storage from the endpoint computers. Your compliance team has detected that this workload does not meet the data protection requirements for sensitive data. You need to meet these requirements:
• Manage the data encryption key (DEK) outside the Google Cloud boundary.
• Maintain full control of encryption keys through a third-party provider.
• Encrypt the sensitive data before uploading it to Cloud Storage.
• Decrypt the sensitive data during processing in the Compute Engine VMs.
• Encrypt the sensitive data in memory while in use in the Compute Engine VMs.
What should you do? (Choose two.)
A. Configure Customer Managed Encryption Keys to encrypt the sensitive data before it is uploaded to Cloud Storage, and decrypt the sensitive data after it is downloaded into your VMs.
B. Configure Cloud External Key Manager to encrypt the sensitive data before it is uploaded to Cloud Storage, and decrypt the sensitive data after it is downloaded into your VMs.
C. Create Confidential VMs to access the sensitive data.
D. Migrate the Compute Engine VMs to Confidential VMs to access the sensitive data.
E. Create a VPC Service Controls service perimeter across your existing Compute Engine VMs and Cloud Storage buckets.
Answer
B, C