One of your encryption keys stored in Cloud Key Management Service (Cloud KMS) was exposed. You need to re-encrypt all of your CMEK-protected Cloud Storage data that used that key, and then delete the compromised key. You also want to reduce the risk of objects getting written without customer-managed encryption key (CMEK) protection in the future. What should you do?
A is not correct because existing data will not automatically be re-encrypted just by rotating the key. B is not correct because only newly written data will use the new key; existing data will still use the old key. C is not correct because, although it works in a way similar to the correct answer, it doesn't reduce the risk of writing objects without CMEK as the question requests (the bucket's default CMEK key is not set). D is correct because a new bucket with CMEK will ensure that any data subsequently written to it (including the existing data being copied from the old bucket) will be protected with the default key.