
Question:
In the event of a compromised encryption key stored in Cloud Key Management Service (Cloud KMS), what steps should be taken to re-encrypt all CMEK-protected Cloud Storage data with a new key, delete the compromised key, and ensure future objects are protected with CMEK encryption?

A. Rotate the Cloud KMS key version and continue using the same Cloud Storage bucket.
B. Create a new Cloud KMS key and set it as the default CMEK key on the existing Cloud Storage bucket.
C. Create a new Cloud KMS key and a new Cloud Storage bucket, then copy all objects from the old bucket to the new one, specifying the new Cloud KMS key in the copy command.
D. Create a new Cloud KMS key and a new Cloud Storage bucket configured to use the new key as the default CMEK key, then copy all objects from the old bucket to the new bucket without specifying a key.

Explanation:
The correct answer is D. Create a new Cloud KMS key to replace the compromised one, create a new Cloud Storage bucket with the new key configured as its default CMEK key so that every new object is encrypted with it automatically, and copy all existing objects into the new bucket without specifying a key, so that they are re-encrypted with the bucket's default key as they are written. This is the simplest and most secure route, and it avoids the complexity and risk of the other options. Option A is insufficient: rotating the key only creates a new key version and does not address the compromise of the key itself, and existing objects remain encrypted under the compromised version. Option B fails to re-encrypt existing objects: a bucket's default CMEK key applies only to objects written after it is set. Option C would work, but passing the key explicitly on every copy is unnecessarily complex compared with Option D, where the bucket's default key achieves the same result.