Answer-first summary for fast verification
Answer: Create a new Cloud KMS key and a new Cloud Storage bucket configured to use the new key as the default CMEK key, then copy all objects from the old bucket to the new bucket without specifying a key.
The correct approach involves creating a new Cloud KMS key to replace the compromised one, establishing a new Cloud Storage bucket with the new key as the default CMEK key to automatically encrypt new objects, and transferring all existing objects to the new bucket without specifying a key to ensure they are re-encrypted with the new key. This method is efficient and secure, avoiding the complexities and potential risks associated with the other options. Option A is insufficient as rotating the key version doesn't address the compromise of the key itself. Option B fails to re-encrypt existing objects. Option C, while effective, is unnecessarily complex compared to the simplicity and effectiveness of Option D.
Author: LeetQuiz Editorial Team
Ultimate access to all questions.
In the event of a compromised encryption key stored in Cloud Key Management Service (Cloud KMS), what steps should be taken to re-encrypt all CMEK-protected Cloud Storage data with a new key, delete the compromised key, and ensure future objects are protected with CMEK encryption?
A
Rotate the Cloud KMS key version and continue using the same Cloud Storage bucket.
B
Create a new Cloud KMS key and set it as the default CMEK key on the existing Cloud Storage bucket.
C
Create a new Cloud KMS key and a new Cloud Storage bucket, then copy all objects from the old bucket to the new one specifying the new Cloud KMS key in the copy command.
D
Create a new Cloud KMS key and a new Cloud Storage bucket configured to use the new key as the default CMEK key, then copy all objects from the old bucket to the new bucket without specifying a key.
No comments yet.