
Google Associate Cloud Engineer
Your company is planning to store sensitive PII data in a Cloud Storage bucket. The compliance department prefers not to use Google-managed keys for encrypting this sensitive PII data and has requested that all new objects uploaded to this bucket be encrypted using customer-managed encryption keys. Which actions should you take? (Select Three)
Explanation:
To comply with the request to use customer-managed encryption keys for encrypting sensitive PII data in a Cloud Storage bucket, you should:
- Select the Customer-managed key option in the bucket's advanced settings and choose a Cloud KMS encryption key. This directly meets the compliance department's requirement by enabling the use of customer-managed keys for encryption.
- Use gsutil with the -o flag to specify the encryption key. This method allows for the encryption of objects with the specified customer-managed key during upload.
- Modify the .boto configuration to include the encryption key. This is an alternative method to ensure that gsutil uses the specified customer-managed key for encrypting objects upon upload.
Incorrect options include selecting a Customer-supplied key in the bucket settings, which is not an available option, and using gsutil with the --encryption-key flag, which is not a valid flag for this purpose.