Topic 1 Question 298
One of your encryption keys stored in Cloud Key Management Service (Cloud KMS) was exposed. You need to re-encrypt all of your CMEK-protected Cloud Storage data that used that key, and then delete the compromised key. You also want to reduce the risk of objects getting written without customer-managed encryption key (CMEK) protection in the future. What should you do?
A. Rotate the Cloud KMS key version. Continue to use the same Cloud Storage bucket.
B. Create a new Cloud KMS key. Set the default CMEK key on the existing Cloud Storage bucket to the new one.
C. Create a new Cloud KMS key. Create a new Cloud Storage bucket. Copy all objects from the old bucket to the new bucket while specifying the new Cloud KMS key in the copy command.
D. Create a new Cloud KMS key. Create a new Cloud Storage bucket configured to use the new key as the default CMEK key. Copy all objects from the old bucket to the new bucket without specifying a key.
Comments (2)
- Selected answer: D
- New Key Creation: A new Cloud KMS key ensures a secure replacement for the compromised one.
- New Bucket: A separate bucket prevents potential conflicts with existing objects and configurations.
- Default CMEK: Setting the new key as default enforces encryption for all objects in the bucket, reducing the risk of unencrypted data.
- Copy Without Key Specification: Copying objects without specifying a key leverages the default key, simplifying the process and ensuring consistent encryption.
- Old Key Deletion: After copying, the compromised key can be safely deleted.
👍 2 raaad 2024/01/06

- Selected answer: D
Wrong:
A - rotating an external key doesn't trigger re-encryption of data already in GCS: https://cloud.google.com/kms/docs/rotate-key#rotate-external-coordinated
C - setting the key during copy doesn't take care of objects that are later uploaded to the bucket; those will still use the default key
👍 1 rahulvin 2023/12/30
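The option D procedure written out as a script, as an added example that is not part of the question or of either comment. Every project, location, key ring, key, bucket and version name in it is an assumed placeholder (override them through the environment), and it defaults to a dry run that only prints the `gcloud`/`gsutil` commands it would execute. It also carries the two caveats a practitioner hits in practice: the Cloud Storage service agent must be authorized on the new key before the bucket will accept writes, and Cloud KMS has no "delete key" operation, only version disable/destroy with scheduled destruction, which makes anything still encrypted under the old key unreadable.

```shell
#!/bin/sh
# Added example (not from the exam page or its comments): option D as a script.
# All names below are assumed placeholders; override any of them via the environment.
# DRY_RUN=1 (the default) only prints the commands; DRY_RUN=0 executes them.
set -eu

PROJECT="${PROJECT:-example-project}"
LOCATION="${LOCATION:-us}"   # Cloud Storage requires the key ring location to match the bucket location
KEYRING="${KEYRING:-storage-cmek}"
OLD_KEY="${OLD_KEY:-compromised-key}"
OLD_KEY_VERSION="${OLD_KEY_VERSION:-1}"   # assumed; check with 'gcloud kms keys versions list'
NEW_KEY="${NEW_KEY:-storage-key-v2}"
OLD_BUCKET="${OLD_BUCKET:-example-data}"
NEW_BUCKET="${NEW_BUCKET:-example-data-rekeyed}"
DRY_RUN="${DRY_RUN:-1}"

# Echo each command; execute it only when DRY_RUN is not 1.
run() {
  printf '+ %s\n' "$*"
  [ "$DRY_RUN" = 1 ] || "$@"
}

# Full Cloud KMS resource name of a key in the assumed key ring.
key_resource() {
  printf 'projects/%s/locations/%s/keyRings/%s/cryptoKeys/%s' \
    "$PROJECT" "$LOCATION" "$KEYRING" "$1"
}

# 1. A new key, not a new version of the exposed key: rotation only changes the primary
#    version used for future writes and leaves existing objects wrapped by the exposed one.
create_new_key() {
  run gcloud kms keys create "$NEW_KEY" --project="$PROJECT" \
    --location="$LOCATION" --keyring="$KEYRING" --purpose=encryption
}

# 2. Grant the project's Cloud Storage service agent encrypt/decrypt on the new key;
#    without this, every write to the new bucket fails.
authorize_storage_agent() {
  run gsutil kms authorize -p "$PROJECT" -k "$(key_resource "$NEW_KEY")"
}

# 3. New bucket with the new key as its default CMEK, so later uploads that name no key
#    are still CMEK-protected.
create_new_bucket() {
  run gcloud storage buckets create "gs://$NEW_BUCKET" --project="$PROJECT" \
    --location="$LOCATION" --default-encryption-key="$(key_resource "$NEW_KEY")"
}

# 4. Copy without naming a key: each object is re-encrypted under the bucket default
#    as it is written into the new bucket.
copy_objects() {
  run gcloud storage cp --recursive "gs://$OLD_BUCKET/*" "gs://$NEW_BUCKET/"
}

# 5. Spot-check: every object's "KMS key:" line should now name a version of NEW_KEY.
verify_new_bucket() {
  run gsutil stat "gs://$NEW_BUCKET/**"
}

# 6. Retire the exposed key. Cloud KMS does not delete keys outright: you disable and
#    then destroy each version, and destruction is scheduled rather than immediate.
#    Destroying makes anything still encrypted under it (the old bucket) unreadable,
#    so only do it after the copy has been verified and the old bucket removed.
retire_old_key() {
  run gcloud storage rm --recursive "gs://$OLD_BUCKET"
  run gcloud kms keys versions disable "$OLD_KEY_VERSION" --key="$OLD_KEY" \
    --keyring="$KEYRING" --location="$LOCATION" --project="$PROJECT"
  run gcloud kms keys versions destroy "$OLD_KEY_VERSION" --key="$OLD_KEY" \
    --keyring="$KEYRING" --location="$LOCATION" --project="$PROJECT"
}

rekey() {
  create_new_key
  authorize_storage_agent
  create_new_bucket
  copy_objects
  verify_new_bucket
  retire_old_key
}

rekey
```

Run it once as-is to review the command list, then with `DRY_RUN=0` to execute. Note what a bucket default CMEK does and does not give you: it covers uploads that specify no key, but a writer can still name a different Cloud KMS key or supply a customer-supplied key (CSEK) per object, so the default reduces rather than eliminates the risk the question describes; the organization policy constraint `gcp.restrictNonCmekServices` is the control that actually rejects non-CMEK writes for Cloud Storage.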