
Google Professional Data Engineer
You are working with a BigQuery table that currently ingests data directly from a Pub/Sub subscription. This ingested data is encrypted using a Google-managed encryption key. Your organization has introduced a new policy stipulating that all data at rest must be encrypted using keys from a centralized Cloud Key Management Service (Cloud KMS) project. How should you proceed to comply with this new organizational policy?
Explanation:
Option D is the correct answer because it fully aligns with the organization's new policy of using keys from a centralized Cloud Key Management Service (Cloud KMS) project to encrypt data at rest. This option ensures that both the ingestion mechanism (Pub/Sub) and the storage component (BigQuery) use customer-managed encryption keys (CMEK). By creating a new Pub/Sub topic with CMEK and a new BigQuery table with CMEK, and then migrating the data from the old BigQuery table, the organization ensures that all data, both newly ingested and historical, is encrypted with the required keys from the centralized Cloud KMS. This meets the organization’s requirements comprehensively, covering both new and existing data.