In a Cloud Storage bucket your company stores Personally Identifiable Information. All objects are currently encrypted by Google-managed keys. Your compliance department instructs you to change the encryption so that all present and future objects in this bucket are encrypted with Customer-managed encryption keys (CMEK). What should you do?