Your organization has stored sensitive data in a Cloud Storage bucket. For regulatory reasons, your company must be able to rotate the encryption key used to encrypt the data in the bucket. The data will be processed in Dataproc. You want to follow Google-recommended practices for security. What should you do?
Choose an answer
Tap an option to check your answer.
Correct answer: Create a key with Cloud Key Management Service (KMS). Set the encryption key on the bucket to the Cloud KMS key..
Why this is the answer
Setting the encryption key on the Cloud Storage bucket to a Cloud KMS key allows Google Cloud to manage the encryption and decryption of objects using the specified KMS key. This approach simplifies key rotation, as you can rotate the key directly within Cloud KMS, and Cloud Storage will automatically use the new key version for future operations while still being able to decrypt data encrypted with previous versions. This aligns with Google's recommended practices for managing encryption keys for data at rest. Encrypting data using the encrypt method of Cloud KMS requires manual encryption and decryption outside of Cloud Storage's native capabilities, which is less efficient and not the primary use case for bucket-level encryption. Generating a GPG key pair or an AES-256 key for customer-supplied encryption keys (CSEK) means your organization is responsible for managing the keys, including secure storage and rotation, which adds operational overhead and does not leverage the managed key rotation features of Cloud KMS.
Pass your exam — without the endless answer hunt
Get every verified question and explanation for this exam in one place, and save hours of prep. 1,000+ certifications · 20+ languages · free to start.
Pass your exam faster → No card needed