Explanation:
To comply with the request to use customer-managed encryption keys for encrypting sensitive PII data in a cloud storage bucket, you should:
Incorrect options include selecting a Customer-supplied key in the bucket settings, which is not an available option, and using gsutil with the --encryption-key flag, which is not a valid flag for this purpose.
Ultimate access to all questions.
No comments yet.
Your company is planning to store sensitive PII data in a cloud storage bucket. The compliance department prefers not to use Google-managed keys for encrypting this sensitive PII data and has requested that all new objects uploaded to this bucket be encrypted using customer-managed encryption keys. Which actions should you take? (Select Three)
A
Modify .boto configuration to include encryption_key = [KEY_RESOURCE] when uploading objects to bucket.
B
In the bucket advanced settings, select the Customer-managed key and then select a Cloud KMS encryption key.
C
Use gsutil with --encryption-key=[ENCRYPTION_KEY] when uploading objects to the bucket.
D
Use gsutil with -o "GSUtil:encryption_key=[KEY_RESOURCE]" when uploading objects to the bucket.
E
In the bucket advanced settings, select the Customer-supplied key and then select a Cloud KMS encryption key.