Google Cloud Professional Cloud Architect — Question 155
Your organization has stored sensitive data in a Cloud Storage bucket. For regulatory reasons, your company must be able to rotate the encryption key used to encrypt the data in the bucket. The data will be processed in Dataproc. You want to follow Google-recommended practices for security. What should you do?
Answer options
- A. Create a key with Cloud Key Management Service (KMS). Encrypt the data using the encrypt method of Cloud KMS.
- B. Create a key with Cloud Key Management Service (KMS). Set the encryption key on the bucket to the Cloud KMS key.
- C. Generate a GPG key pair. Encrypt the data using the GPG key. Upload the encrypted data to the bucket.
- D. Generate an AES-256 encryption key. Encrypt the data in the bucket using the customer-supplied encryption keys feature.
Correct answer: B
Explanation
The correct answer is B because setting the encryption key on the bucket to the Cloud KMS key allows easy management and rotation of the encryption key, which is essential for compliance with regulations. Option A does not set the key on the bucket itself, which is necessary for key rotation. Options C and D use alternative encryption methods that do not integrate with Google Cloud's key management practices and do not meet the regulatory requirement for key rotation.