Google Cloud Professional Data Engineer — Question 232
You have a BigQuery table that ingests data directly from a Pub/Sub subscription. The ingested data is encrypted with a Google-managed encryption key. You need to meet a new organization policy that requires you to use keys from a centralized Cloud Key Management Service (Cloud KMS) project to encrypt data at rest. What should you do?
Answer options
- A. Use a Cloud KMS encryption key with Dataflow to ingest the existing Pub/Sub subscription to the existing BigQuery table.
- B. Create a new BigQuery table by using customer-managed encryption keys (CMEK), and migrate the data from the old BigQuery table.
- C. Create a new Pub/Sub topic with CMEK and use the existing BigQuery table by using a Google-managed encryption key.
- D. Create a new BigQuery table and Pub/Sub topic by using customer-managed encryption keys (CMEK), and migrate the data from the old BigQuery table.
Correct answer: B
Explanation
The correct answer is B: creating a new BigQuery table with customer-managed encryption keys (CMEK) and migrating the data from the old table meets the new policy, because the data at rest is then encrypted with a key from the centralized Cloud KMS project. Options A and C do not address the requirement for CMEK, since both keep the existing BigQuery table, which is encrypted with a Google-managed key. Option D does involve CMEK, but creating a new Pub/Sub topic is unnecessary, since migrating the data to a new table suffices to meet the policy.