Google Professional Data Engineer Exam - Topic 5 Question 90 Discussion

Actual exam question for Google's Professional Data Engineer exam
Question #: 90
Topic #: 5

One of your encryption keys stored in Cloud Key Management Service (Cloud KMS) was exposed. You need to re-encrypt all of your CMEK-protected Cloud Storage data that used that key, and then delete the compromised key. You also want to reduce the risk of objects getting written without customer-managed encryption key (CMEK) protection in the future. What should you do?

Suggested Answer: C

To re-encrypt all of your CMEK-protected Cloud Storage data after a key has been exposed, and to ensure future writes are protected with a new key, creating a new Cloud KMS key and a new Cloud Storage bucket is the best approach. Here's why option C is the best choice:

Re-encryption of Data:

By creating a new Cloud Storage bucket and copying all objects from the old bucket to the new bucket while specifying the new Cloud KMS key, you ensure that all data is re-encrypted with the new key.

This process effectively re-encrypts the data, removing any dependency on the compromised key.

Ensuring CMEK Protection:

Creating a new bucket and setting the new CMEK as the default ensures that all future objects written to the bucket are automatically protected with the new key.

This reduces the risk of objects being written without CMEK protection.

Deletion of Compromised Key:

Once the data has been copied and re-encrypted, the old key can be safely deleted from Cloud KMS, eliminating the risk associated with the compromised key.

Steps to Implement:

Create a New Cloud KMS Key:

Create a new encryption key in Cloud KMS to replace the compromised key.

Create a New Cloud Storage Bucket:

Create a new Cloud Storage bucket and set the default CMEK to the new key.

Copy and Re-encrypt Data:

Use the gsutil tool to copy data from the old bucket to the new bucket while specifying the new CMEK key:

gsutil -o 'GSUtil:encryption_key=projects/PROJECT_ID/locations/LOCATION/keyRings/KEY_RING/cryptoKeys/NEW_KEY' cp -r 'gs://old-bucket/*' gs://new-bucket/

Delete the Old Key:

After ensuring all data is copied and re-encrypted, delete the compromised key from Cloud KMS.
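
Added example (not part of the original explanation): a check to run before the final step, confirming from object metadata that every object in the new bucket is on the new key. The bucket, project and key names are placeholders, the sample listing is constructed, and the parser assumes the `gsutil ls -L` layout described in its comments.

```shell
#!/bin/sh
# Added example. Gate the "delete the old key" step on object metadata.
# stdin: output of  gsutil ls -L 'gs://new-bucket/**'  (assumed layout: an
#        unindented "gs://...:" header per object, followed by an indented
#        "KMS key:" line when the object is CMEK-encrypted).
# $1:    resource name of the new key, without "/cryptoKeyVersions/N".
# Prints "object-url<TAB>key-or-NONE" for each object NOT on the new key.
objects_not_on_key() {
    awk -v want="$1" '
        function report() {
            # Require the full key name followed by the version suffix, so
            # "new-key" does not also accept "new-key-2".
            if (obj != "" && index(key, want "/cryptoKeyVersions/") != 1)
                printf "%s\t%s\n", obj, (key == "" ? "NONE" : key)
        }
        /^gs:\/\/.*:$/    { report(); obj = substr($0, 1, length($0) - 1); key = ""; next }
        /^[ \t]+KMS key:/ { key = $NF }
        END               { report() }
    '
}

# Exit status 0 only when every listed object is on the new key; otherwise
# list the offenders on stderr and return 1 so the caller stops before the
# old key is destroyed.
safe_to_destroy_old_key() {
    offenders=$(objects_not_on_key "$1")
    if [ -n "$offenders" ]; then
        printf '%s\n' "$offenders" >&2
        return 1
    fi
}

# Constructed sample listing (not real output): one object on the new key,
# one still on the old key, one with no CMEK at all.
sample_listing() {
    k='projects/example-proj/locations/us/keyRings/example-ring/cryptoKeys'
    cat <<EOF
gs://new-bucket/reports/q1.csv:
    Creation time:          Mon, 06 Jan 2025 10:00:00 GMT
    KMS key:                $k/new-key/cryptoKeyVersions/1
gs://new-bucket/reports/q2.csv:
    Creation time:          Mon, 06 Jan 2025 10:00:05 GMT
    KMS key:                $k/old-key/cryptoKeyVersions/3
gs://new-bucket/tmp/upload.bin:
    Creation time:          Mon, 06 Jan 2025 10:00:09 GMT
TOTAL: 3 objects, 4096 bytes (4 KiB)
EOF
}
```

Against a live bucket, pipe `gsutil ls -L 'gs://new-bucket/**'` into `safe_to_destroy_old_key` with the new key's resource name, and continue to the key deletion only when it exits 0.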


Britt
3 months ago
I agree with B, but isn't it a hassle to copy everything over?
upvoted 0 times
...
Tomoko
3 months ago
Option D sounds risky, not specifying a key could lead to issues.
upvoted 0 times
...
Melvin
4 months ago
Wait, why would you create a new bucket if you can just rotate the key?
upvoted 0 times
...
Malinda
4 months ago
I think option C is better, a new bucket adds extra security.
upvoted 0 times
...
Tresa
4 months ago
Definitely go with option B, it's the safest way to handle it.
upvoted 0 times
...
Kimberely
4 months ago
I'm a bit confused about whether we need a new bucket at all. Option D seems to suggest we can just copy without specifying a key, but that feels risky.
upvoted 0 times
...
Ruby
5 months ago
I practiced a similar question where we had to copy objects to a new bucket. I feel like option C might be the safest way to ensure everything is re-encrypted properly.
upvoted 0 times
...
Shonda
5 months ago
I think creating a new Cloud KMS key and setting it as the default for the existing bucket makes sense, but I wonder if that really protects against future risks.
upvoted 0 times
...
Azalee
5 months ago
I remember we discussed the importance of rotating keys, but I'm not sure if just rotating the key version is enough in this case.
upvoted 0 times
...
Haydee
5 months ago
Creating a new bucket and copying the data seems like the most thorough approach to address the issue. I'll probably go with that option.
upvoted 0 times
...
Tyra
5 months ago
I like the idea of creating a new bucket and copying the data over. That way, I can be sure the new key is being used for everything going forward.
upvoted 0 times
...
Rosita
5 months ago
I'm a bit confused on the difference between rotating the key version and creating a new key. I'll need to review the details on those options more closely.
upvoted 0 times
...
Mitsue
5 months ago
This seems like a tricky one. I'll need to carefully consider the options and think through the implications of each approach.
upvoted 0 times
...
Luke
5 months ago
Okay, let's see. I think the key here is to create a new CMEK key and then re-encrypt the data using that new key. That should help reduce the risk of future exposure.
upvoted 0 times
...
Ivette
5 months ago
This looks like a straightforward multiple-choice question about Truffle. I'm pretty confident I know the answer - Truffle is a framework for developing and deploying smart contracts, so I'll go with option A.
upvoted 0 times
...
Cory
2 years ago
I'm with Tracey on this one. Option B is the quickest way to get things back on track. Who has time to copy all that data, am I right?
upvoted 0 times
Adell
1 year ago
In this case, speed might be more important to minimize the risk of exposure.
upvoted 0 times
...
Precious
1 year ago
That's true, but it would take more time and effort to copy everything over.
upvoted 0 times
...
Shawnee
1 year ago
But wouldn't it be safer to create a new bucket and copy all the objects with the new key?
upvoted 0 times
...
Verlene
1 year ago
I agree, option B seems like the most efficient solution.
upvoted 0 times
...
...
Amie
2 years ago
Haha, I bet the guy who exposed the key is sweating right now! Anyway, I agree with Alethea, C is the safest choice.
upvoted 0 times
Arletta
2 years ago
Yeah, creating a new Cloud KMS key and a new Cloud Storage bucket while copying all objects with the new key sounds like the best way to go.
upvoted 0 times
...
Pearline
2 years ago
I think we should go with option C, it seems like the safest choice.
upvoted 0 times
...
...
Tracey
2 years ago
Option B seems simpler, just update the default CMEK key on the existing bucket. But I guess that doesn't address the risk of future objects being written without CMEK.
upvoted 0 times
...
Twana
2 years ago
That's a good point, Daniela. It might be worth considering creating a new bucket to reduce the risk of objects being written without CMEK protection in the future.
upvoted 0 times
...
Alethea
2 years ago
I think option C is the way to go. It's the most secure approach by creating a new bucket and re-encrypting the data with the new key.
upvoted 0 times
Meghan
2 years ago
I think creating a new bucket with a new key is the best way to ensure security.
upvoted 0 times
...
Jesusita
2 years ago
But wouldn't it be easier to just rotate the key with option A?
upvoted 0 times
...
Annita
2 years ago
I agree, option C seems like the safest choice.
upvoted 0 times
...
...
Daniela
2 years ago
But wouldn't it be safer to create a new Cloud Storage bucket and copy all objects with the new Cloud KMS key specified?
upvoted 0 times
...
Owen
2 years ago
I agree with Twana. It's important to rotate the compromised key and update the default CMEK key to ensure security.
upvoted 0 times
...
Twana
2 years ago
I think we should create a new Cloud KMS key and set it as the default CMEK key on the existing Cloud Storage bucket.
upvoted 0 times
...
