
Google Associate Cloud Engineer
Your company stores sensitive PII data in a cloud storage bucket, currently encrypted with Google-managed keys. The compliance department requires all current and future objects to be encrypted with customer-managed encryption keys, with minimal effort. What is the best approach?
Explanation:
The correct approach involves two steps. First, change the bucket encryption to use the customer-managed key in the bucket's advanced settings, so that all new objects are encrypted with this key. Second, rewrite all existing objects using gsutil rewrite to encrypt them with the new customer-managed key. This method satisfies the compliance requirements by ensuring both new and existing objects are encrypted with customer-managed keys. Other options either do not meet the requirements or involve unnecessary steps like deleting and re-uploading objects. Reference: Google Cloud Storage Encryption.