Google Cloud Professional Data Engineer Exam 2025 - Free Practice Questions and Study Guide

Google Cloud ensures data encryption at rest primarily by using encryption keys that are managed by Cloud Key Management Service (KMS). This approach allows for a robust security model where sensitive data is protected via encryption, rendering it inaccessible to unauthorized users or systems.

Cloud KMS simplifies the management of encryption keys by providing centralized key management, which includes the creation, rotation, and deletion of keys as well as permissions control. When data is stored in Google Cloud, it is automatically encrypted with strong encryption algorithms, and the encryption keys used for this process are securely managed through KMS. This ensures that even if the physical storage medium is compromised, the data remains protected and unreadable without the appropriate decryption keys.

The other options do not adequately cover the methods or controls specifically employed by Google Cloud for encryption at rest. For instance, user-specific passwords pertain more to authentication rather than encryption of stored data. Physical security alone, while important, does not provide the encryption necessary to protect data once it is at rest. Lastly, network security controls focus on data in transit and securing communication channels, which does not directly address the need for encryption of data that is stored on disks. Overall, using Cloud KMS for encryption key management is critical in safeguarding data at rest within