In the event of a compromised encryption key stored in Cloud Key Management Service (Cloud KMS), what steps should be taken to re-encrypt all CMEK-protected Cloud Storage data with a new key, delete the compromised key, and ensure future objects are protected with CMEK encryption?

Real Exam

Rotate the Cloud KMS key version and continue using the same Cloud Storage bucket.

11.1%

Create a new Cloud KMS key and set it as the default CMEK key on the existing Cloud Storage bucket.

22.2%

Create a new Cloud KMS key and a new Cloud Storage bucket, then copy all objects from the old bucket to the new one specifying the new Cloud KMS key in the copy command.

11.1%

Create a new Cloud KMS key and a new Cloud Storage bucket configured to use the new key as the default CMEK key, then copy all objects from the old bucket to the new bucket without specifying a key.

55.6%

Google Professional Data Engineer

Get started today

Comments

In the event of a compromised encryption key stored in Cloud Key Management Service (Cloud KMS), what steps should be taken to re-encrypt all CMEK-protected Cloud Storage data with a new key, delete the compromised key, and ensure future objects are protected with CMEK encryption?