
Answer-first summary for fast verification
Answer:
1. In the bucket advanced settings, select the Customer-managed key and then select a Cloud KMS encryption key.
2. Rewrite all existing objects using `gsutil rewrite` to encrypt them with the new Customer-managed key.
The correct approach involves two steps: First, change the bucket encryption to use the Customer-managed key in the bucket's advanced settings to ensure all new objects are encrypted with this key. Second, rewrite all existing objects using `gsutil rewrite` to encrypt them with the new Customer-managed key. This method satisfies the compliance requirements by ensuring both new and existing objects are encrypted with customer-managed keys. Other options either do not meet the requirements or involve unnecessary steps like deleting and re-uploading objects. Reference: [Google Cloud Storage Encryption](https://cloud.google.com/storage/docs/encryption/using-customer-managed-keys#add-default-key).
Author: LeetQuiz Editorial Team
Your company stores sensitive PII data in a cloud storage bucket, currently encrypted with Google-managed keys. The compliance department requires all current and future objects to be encrypted with customer-managed encryption keys, with minimal effort. What is the best approach?