Answer-first summary for fast verification
Answer: Create a new BigQuery table with customer-managed encryption keys (CMEK), and migrate the data from the old BigQuery table.
The correct answer is **B**. Creating a new BigQuery table with customer-managed encryption keys (CMEK) ensures data at rest is encrypted using keys from a centralized Cloud KMS project, complying with the new policy. - **Option A** is incorrect because Dataflow is for processing data, not managing encryption keys for BigQuery. - **Option C** is incorrect as it doesn't ensure BigQuery data at rest uses Cloud KMS keys. - **Option D** is partially correct but doesn't explicitly mention using keys from a centralized Cloud KMS project, missing the policy's key requirement.
Author: LeetQuiz Editorial Team
Ultimate access to all questions.
You have a BigQuery table that receives data from a Pub/Sub subscription, encrypted with a Google-managed key. A new policy requires using keys from a centralized Cloud KMS project for data at rest encryption in BigQuery. How should you comply?
A
Use Cloud KMS encryption key with Dataflow to ingest the existing Pub/Sub subscription to the existing BigQuery table.
B
Create a new BigQuery table with customer-managed encryption keys (CMEK), and migrate the data from the old BigQuery table.
C
Create a new Pub/Sub topic with CMEK and use the existing BigQuery table with Google-managed encryption key.
D
Create a new BigQuery table and Pub/Sub topic with customer-managed encryption keys (CMEK), and migrate the data from the old BigQuery table.
No comments yet.