
Answer-first summary for fast verification
Answer: Create a new Cloud KMS key. Create a new Cloud Storage bucket configured to use the new key as the default CMEK key. Copy all objects from the old bucket to the new bucket without specifying a key.
The correct answer is D. Creating a new Cloud KMS key and a new Cloud Storage bucket configured to use the new key as the default CMEK key ensures that all objects will be encrypted with the new key. By copying all objects from the old bucket to the new bucket without specifying a key, the default CMEK key is used for re-encryption. This process ensures consistent encryption and reduces the risk of objects getting written without CMEK protection in the future. Simply rotating the key (option A) does not re-encrypt existing data.
Author: LeetQuiz Editorial Team
You have discovered that one of your encryption keys stored in Google Cloud Key Management Service (KMS) has been exposed. To mitigate this security breach, you need to re-encrypt all your Cloud Storage data that was protected by this compromised customer-managed encryption key (CMEK). Additionally, you intend to ensure that future objects written to Cloud Storage have CMEK protection to minimize the risk of unprotected data. What steps should you take to achieve this?
A. Rotate the Cloud KMS key version. Continue to use the same Cloud Storage bucket.
B. Create a new Cloud KMS key. Set the default CMEK key on the existing Cloud Storage bucket to the new one.
C. Create a new Cloud KMS key. Create a new Cloud Storage bucket. Copy all objects from the old bucket to the new bucket while specifying the new Cloud KMS key in the copy command.
D. Create a new Cloud KMS key. Create a new Cloud Storage bucket configured to use the new key as the default CMEK key. Copy all objects from the old bucket to the new bucket without specifying a key.