🔥 3-day streak
Professional Cloud Architect54 / 169
Question 54 of 169

A financial services company stores highly sensitive customer records in Cloud Storage buckets encrypted with Cloud KMS customer-managed encryption keys (CMEK). Regulators require that any decryption of this data by cloud provider personnel or automated processes be explicitly justified and, in certain cases, blocked unless the organization approves the reason. The security team wants a mechanism where each request to use the key includes a reason code, and the organization can define policies that automatically deny key access for unapproved justification categories. Which capability should the architect implement?

Reviewed for accuracy · Report an issueNext question