Scenario: One of your encryption keys in Cloud Key Management Service (Cloud KMS) was exposed. You need to re-encrypt all Cloud Storage data that used that key, and then delete the compromised key. You also want to prevent objects from being written without customer-managed encryption key (CMEK) protection in the future. Question: How should you re-encrypt the data, delete the compromised key, and ensure CMEK protection for future writes?