Google Exam Professional Data Engineer Topic 3 Question 100 Discussion

Actual exam question for Google's Professional Data Engineer exam
Question #: 100
Topic #: 3

One of your encryption keys stored in Cloud Key Management Service (Cloud KMS) was exposed. You need to re-encrypt all of your CMEK-protected Cloud Storage data that used that key, and then delete the compromised key. You also want to reduce the risk of objects getting written without customer-managed encryption key (CMEK) protection in the future. What should you do?

Suggested Answer: C

To re-encrypt all of your CMEK-protected Cloud Storage data after a key has been exposed, and to ensure future writes are protected with a new key, creating a new Cloud KMS key and a new Cloud Storage bucket is the best approach. Here's why option C is the best choice:

Re-encryption of Data:

By creating a new Cloud Storage bucket and copying all objects from the old bucket to the new bucket while specifying the new Cloud KMS key, you ensure that all data is re-encrypted with the new key.

This process effectively re-encrypts the data, removing any dependency on the compromised key.

Ensuring CMEK Protection:

Creating a new bucket and setting the new CMEK as the default ensures that all future objects written to the bucket are automatically protected with the new key.

This reduces the risk of objects being written without CMEK protection.

Deletion of Compromised Key:

Once the data has been copied and re-encrypted, the old key can be safely deleted from Cloud KMS, eliminating the risk associated with the compromised key.

Steps to Implement:

Create a New Cloud KMS Key:

Create a new encryption key in Cloud KMS to replace the compromised key.

Create a New Cloud Storage Bucket:

Create a new Cloud Storage bucket and set the default CMEK to the new key.

Copy and Re-encrypt Data:

Use the gsutil tool to copy data from the old bucket to the new bucket while specifying the new CMEK key:

gsutil -o 'GSUtil:gs_json_api_version=2' cp -r gs://old-bucket/* gs://new-bucket/

Delete the Old Key:

After ensuring all data is copied and re-encrypted, delete the compromised key from Cloud KMS.
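
A check for the last step, added here as an example and not part of the original explanation: before the compromised key is destroyed, confirm that every object in the new bucket is encrypted with a version of the new key. The project, key ring, key and bucket names are placeholders, and the listing is a constructed sample in the format of gsutil ls -L.

```shell
#!/usr/bin/env bash
# Added example: check every copied object before destroying the compromised key.
# Project, key ring, key and bucket names are placeholders, not values from the page.
NEW_KEY='projects/example-project/locations/us/keyRings/example-ring/cryptoKeys/new-key'

# Constructed sample modelled on `gsutil ls -L 'gs://new-bucket/**'` output,
# trimmed to the fields this check reads.
sample_listing() {
cat <<'EOF'
gs://new-bucket/reports/2024-01.csv:
    Creation time:          Mon, 01 Jan 2024 00:00:00 GMT
    KMS key:                projects/example-project/locations/us/keyRings/example-ring/cryptoKeys/new-key/cryptoKeyVersions/1
    Content-Length:         1024
gs://new-bucket/reports/2024-02.csv:
    Creation time:          Mon, 01 Jan 2024 00:00:00 GMT
    KMS key:                projects/example-project/locations/us/keyRings/example-ring/cryptoKeys/old-key/cryptoKeyVersions/3
    Content-Length:         2048
gs://new-bucket/tmp/scratch.bin:
    Creation time:          Mon, 01 Jan 2024 00:00:00 GMT
    Content-Length:         12
TOTAL: 3 objects, 3084 bytes (3.01 KiB)
EOF
}

# Reads `gsutil ls -L` text on stdin; $1 is the expected key resource name.
# Prints "WRONG_KEY <object>" or "NO_CMEK <object>" for each object that is
# not encrypted with a version of that key.
find_unprotected() {
  awk -v want="$1" '
    function report() {
      if (obj == "") return
      if (key == "") print "NO_CMEK", obj
      else if (index(key, want "/cryptoKeyVersions/") != 1) print "WRONG_KEY", obj
    }
    /^gs:\/\/.*:$/    { report(); obj = substr($0, 1, length($0) - 1); key = ""; next }
    /^[ \t]+KMS key:/ { key = $NF }
    END               { report() }
  '
}

# Exit status 0 only when no offender is found; offenders are printed otherwise.
safe_to_destroy_old_key() {
  offenders=$(find_unprotected "$NEW_KEY")
  [ -z "$offenders" ] && return 0
  printf '%s\n' "$offenders"
  return 1
}

# Real use: gsutil ls -L 'gs://new-bucket/**' | safe_to_destroy_old_key
sample_listing | safe_to_destroy_old_key || echo "objects above still need re-encryption"
```

The comparison requires the full key name followed by /cryptoKeyVersions/, so a key whose name merely starts with the same characters does not pass.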



Contribute your Thoughts:

Alita
28 days ago
Wait, so we're trying to keep our encryption keys from getting compromised? Shouldn't we just store them in a vault made of lead or something? That's the only way to be sure, right?
upvoted 0 times
...
Casey
29 days ago
Option A is a bit too risky in my opinion. Rotating the key is a good first step, but you really should create a new bucket to be on the safe side. Gotta keep that data locked down tight!
upvoted 0 times
Minna
5 days ago
I agree, creating a new bucket with a new Cloud KMS key is the safest option. Better to be safe than sorry when it comes to protecting sensitive data.
upvoted 0 times
...
Marylin
10 days ago
Option A is a bit too risky in my opinion. Rotating the key is a good first step, but you really should create a new bucket to be on the safe side. Gotta keep that data locked down tight!
upvoted 0 times
...
...
Isabelle
1 months ago
Haha, Option D is like the 'nuke it from orbit' approach. Create a whole new bucket just to be sure? That's some serious security paranoia right there!
upvoted 0 times
Mireya
5 days ago
Haha, Option D is like the 'nuke it from orbit' approach. Create a whole new bucket just to be sure? That's some serious security paranoia right there!
upvoted 0 times
...
Ma
8 days ago
B) Create a new Cloud KMS key. Set the default CMEK key on the existing Cloud Storage bucket to the new one.
upvoted 0 times
...
Ben
13 days ago
A) Rotate the Cloud KMS key version. Continue to use the same Cloud Storage bucket.
upvoted 0 times
...
...
Kati
1 months ago
That's a good point, Huey. It might be worth considering creating a new bucket to ensure a clean slate with the new key.
upvoted 0 times
...
Huey
2 months ago
But wouldn't it be safer to create a new Cloud Storage bucket and copy all objects with the new Cloud KMS key specified?
upvoted 0 times
...
Jeannine
2 months ago
Hmm, I like the idea of creating a new bucket in Option C. Better safe than sorry, you know? Gotta keep those encryption keys on a tight leash.
upvoted 0 times
Sue
20 days ago
Definitely. It's better to be cautious and make sure that all data is properly secured with the new key.
upvoted 0 times
...
Bette
22 days ago
That's true. It's important to take proactive measures to protect sensitive data, especially when encryption keys are involved.
upvoted 0 times
...
Annelle
26 days ago
I agree. Creating a new bucket and copying all objects with the new key seems like a secure way to handle the situation.
upvoted 0 times
...
Lucina
1 months ago
Option C sounds like a good plan. It's always better to be safe than sorry when it comes to encryption keys.
upvoted 0 times
...
...
Audra
2 months ago
I agree with Kati. It's important to rotate the compromised key and update the default CMEK key to prevent future risks.
upvoted 0 times
...
Kati
2 months ago
I think we should create a new Cloud KMS key and set it as the default CMEK key on the existing Cloud Storage bucket.
upvoted 0 times
...
Matthew
2 months ago
Option B seems the most straightforward. Rotate the key and update the existing bucket's default CMEK key - simple and efficient.
upvoted 0 times
Heike
24 days ago
Yes, it's crucial to protect sensitive data by regularly updating encryption keys.
upvoted 0 times
...
Delfina
27 days ago
Creating a new key and updating the bucket sounds like the best solution in this situation.
upvoted 0 times
...
Shaun
1 months ago
Option B seems the most straightforward. Rotate the key and update the existing bucket's default CMEK key - simple and efficient.
upvoted 0 times
...
Shakira
1 months ago
I agree, it's important to take quick action to secure the data.
upvoted 0 times
...
...
