You have discovered that one of your encryption keys stored in Google Cloud Key Management Service (KMS) has been exposed. To mitigate this security breach, you need to re-encrypt all your Cloud Storage data that was protected by this compromised customer-managed encryption key (CMEK). Additionally, you intend to ensure that future objects written to Cloud Storage have CMEK protection to minimize the risk of unprotected data. What steps should you take to achieve this?

Exam-Like

Rotate the Cloud KMS key version. Continue to use the same Cloud Storage bucket.

5.3%

Create a new Cloud KMS key. Set the default CMEK key on the existing Cloud Storage bucket to the new one.

18.4%

Create a new Cloud KMS key. Create a new Cloud Storage bucket. Copy all objects from the old bucket to the new one bucket while specifying the new Cloud KMS key in the copy command.

21.1%

Create a new Cloud KMS key. Create a new Cloud Storage bucket configured to use the new key as the default CMEK key. Copy all objects from the old bucket to the new bucket without specifying a key.

55.3%

Google Professional Data Engineer

Get started today

Comments