How should you address encryption-at-rest for sensitive data while minimizing key management complexity?

Prepare for the Google Cloud Professional Cloud Security Engineer Exam with our interactive quiz.

To minimize key management complexity while ensuring that sensitive data is encrypted at rest, the correct choice is to encrypt sensitive data with Cloud Key Management Service (KMS) and non-sensitive data with default encryption.

This approach offers a balanced solution by applying more stringent encryption measures only where necessary. Sensitive data, which requires a higher level of protection due to compliance and security concerns, is safeguarded using Cloud KMS. This service provides a centralized and integrated way to manage encryption keys, allowing for fine-grained control over how keys are created, destroyed, and accessed. Employing Cloud KMS for sensitive data ensures regulatory compliance and offers advanced features like key rotation and access controls.

On the other hand, non-sensitive data can utilize the default encryption mechanisms provided by Google Cloud. This method simplifies key management for this type of data because it does not necessitate customer-managed encryption keys, thus reducing the operational burden and complexity associated with managing multiple key versions, permissions, and lifecycle actions.

This hybrid approach, which uses a different encryption method for each class of data, meets the security requirements of sensitive data without overwhelming resources with unnecessary key management complexity for non-sensitive data.
