B. Create a key with Cloud Key Management Service (KMS). Set the encryption key on the bucket to the Cloud KMS key.

B is OK https://cloud.google.com/storage/docs/encryption/using-customer-managed-keys#add-object-key

https://cloud.google.com/storage/docs/encryption/customer-managed-keys#key-rotation

It's B, off course

https://cloud.google.com/storage/docs/encryption/customer-managed-keys#key-rotation

The following restrictions apply when using customer-managed encryption keys: You cannot encrypt an object with a customer-managed encryption key by updating the object's metadata. Include the key as part of a rewrite of the object instead. gcloud storage uses the objects update command to set encryption keys on objects, but the command rewrites the object as part of the request. this makes rotating keys difficult

Probably B: https://cloud.google.com/storage/docs/encryption/customer-managed-keys#key-replacement

It says customer wants to manage the rotation not the supplying of key. Hence B not D. Seen some people say with customer managed you cannot rotate but this document suggests you can https://cloud.google.com/storage/docs/encryption/customer-managed-keys#key-rotation.

B does not allow to rotate assymetric key. https://cloud.google.com/kms/docs/key-rotation => Cloud Key Management Service does not support automatic rotation of asymmetric keys. See Considerations for asymmetric keys below. I go for D.

B. Create a key with Cloud Key Management Service (KMS). Set the encryption key on the bucket to the Cloud KMS key. To rotate the encryption key used to encrypt data in a Cloud Storage bucket, it is recommended to use Cloud KMS. You can create a new key version, set it as the primary version, and update the bucket's default KMS key to the new key version. This allows you to rotate the encryption key while still allowing access to the data. You can then process the data in Dataproc while the encryption key is being rotated. This approach provides security and compliance with regulations, as well as easy key rotation without disrupting access to data.

Your organization has stored sensitive data in a Cloud Storage bucket. For regulatory reasons, your company must be able to rotate the encryption key used to encrypt the data in the bucket. The data will be processed in Dataproc. You want to follow Google-recommended practices for security. What should you do? A. Create a key with Cloud Key Management Service (KMS). Encrypt the data using the encrypt method of Cloud KMS. B. Create a key with Cloud Key Management Service (KMS). Set the encryption key on the bucket to the Cloud KMS key. C. Generate a GPG key pair. Encrypt the data using the GPG key. Upload the encrypted data to the bucket. D. Generate an AES-256 encryption key. Encrypt the data in the bucket using the customer-supplied encryption keys feature.

B is the correct answer, we can encrypt the data in the bucket using CMEK. And the key can be rotated as per requirement. https://cloud.google.com/storage/docs/encryption/using-customer-managed-keys#add-object-key https://cloud.google.com/storage/docs/samples/storage-rotate-encryption-key#storage_rotate_encryption_key-python

B is ok

B is ok

B. rotation and dataproc ... trendmicro talk about this in https://www.trendmicro.com/cloudoneconformity/knowledge-base/gcp/Dataproc/enable-encryption-with-cmks-for-dataproc-clusters.html Ensure that your Google Cloud Dataproc clusters on Compute Engine are encrypted with Customer-Managed Keys (CMKs) in order to control the cluster data encryption/decryption process. You can create and manage your own Customer-Managed Keys (CMKs) with Cloud Key Management Service (Cloud KMS). Cloud KMS provides secure and efficient encryption key management, controlled key rotation, and revocation mechanisms. This rule resolution is part of the Conformity Security & Compliance tool for GCP.

As per question: " your company must be able to rotate the encryption key" It is easily possible with KMS: https://cloud.google.com/kms/docs/rotating-keys#kms-create-key-rotation-schedule-gcloud

"Your company must be able to rotate the encryption key" is the requirement which eliminates CMEK and why you need a CSEK. You have to use a boto config file to do this and is part of one of the labs.