Google Cloud Professional Cloud Security Engineer — Question 207
Your organization is storing regulated data in Cloud Storage. Data in Cloud Storage buckets is encrypted by Google-managed encryption keys. To meet compliance requirements, you need to update the existing data to use customer-managed encryption keys instead. What should you do?
Answer options
- A. Create a new key ring and key in the Cloud Key Management Service. In each Cloud Storage bucket configuration, change the encryption type to customer-managed encryption key.
- B. Identify which projects contain Cloud Storage buckets with regulated data. Apply the restrictNonCmekServices organization policy constraint to the identified projects or parent folder.
- C. Create a new key ring and key in the Cloud Key Management Service. Identify which projects contain Cloud Storage buckets with regulated data. Perform a write action on all existing objects in the buckets.
- D. Create a customer-managed encryption key. Change the encryption type in each Cloud Storage bucket configuration to the newly created key. Perform a write action on all existing objects in the buckets.
Correct answer: D
Explanation
The correct answer is D. A bucket's default customer-managed encryption key (CMEK) applies only to objects written after it is set, so creating the key and selecting it in each bucket's configuration is necessary but not sufficient: the existing objects must also be rewritten so that they are re-encrypted under the new key. Option A sets the bucket default but never rewrites the existing data, which stays encrypted under Google-managed keys. Option B's restrictNonCmekServices constraint only blocks the creation of new resources that are not protected by CMEK; it does not re-encrypt data already stored. Option C rewrites the objects but never associates the new key with the buckets, so the rewritten objects are still encrypted with Google-managed keys. None of A, B, or C therefore gets the existing regulated data under the customer-managed key, which is what the compliance requirement demands.