Google Cloud Professional Data Engineer — Question 160

One of your encryption keys stored in Cloud Key Management Service (Cloud KMS) was exposed. You need to re- encrypt all of your CMEK-protected Cloud Storage data that used that key, and then delete the compromised key. You also want to reduce the risk of objects getting written without customer-managed encryption key (CMEK) protection in the future. What should you do?

Answer options

• A. Rotate the Cloud KMS key version. Continue to use the same Cloud Storage bucket.
• B. Create a new Cloud KMS key. Set the default CMEK key on the existing Cloud Storage bucket to the new one.
• C. Create a new Cloud KMS key. Create a new Cloud Storage bucket. Copy all objects from the old bucket to the new one bucket while specifying the new Cloud KMS key in the copy command.
• D. Create a new Cloud KMS key. Create a new Cloud Storage bucket configured to use the new key as the default CMEK key. Copy all objects from the old bucket to the new bucket without specifying a key.

Correct answer: D

Explanation

The correct answer is D because it involves creating a new Cloud KMS key and a new Cloud Storage bucket that uses the new key as the default CMEK key, ensuring that all future objects are protected. Options A and B do not adequately address the need to remove the compromised key or ensure CMEK protection for future writes. Option C, while it does create a new key and bucket, incorrectly requires specifying the new key during the copy operation, which is not necessary if the new bucket is already set as the default CMEK key.