PROFESSIONAL-CLOUD-DEVELOPER · Question #190
PROFESSIONAL-CLOUD-DEVELOPER Question #190: Real Exam Question with Answer & Explanation
The correct answer is A: Provision Cloud KMS in its own project.. https://cloud.google.com/kms/docs/separation-of-duties#using_separate_project Instead, to allow for a separation of duties, you could run Cloud KMS in its own project, for example your-key-project. Then, depending on the strictness of your separation requirements, you could eithe
Question
Your company has a new security initiative that requires all data stored in Google Cloud to be encrypted by customer-managed encryption keys. You plan to use Cloud Key Management Service (KMS) to configure access to the keys. You need to follow the "separation of duties" principle and Google-recommended best practices. What should you do? (Choose two.)
Options
- AProvision Cloud KMS in its own project.
- BDo not assign an owner to the Cloud KMS project.
- CProvision Cloud KMS in the project where the keys are being used.
- DGrant the roles/cloudkms.admin role to the owner of the project where the keys from Cloud KMS
- EGrant an owner role for the Cloud KMS project to a different user than the owner of the project
Explanation
https://cloud.google.com/kms/docs/separation-of-duties#using_separate_project Instead, to allow for a separation of duties, you could run Cloud KMS in its own project, for example your-key-project. Then, depending on the strictness of your separation requirements, you could either: - (recommended) Create your-key-project without an owner at the project level, and designate an Organization Admin granted at the organization-level. Unlike an owner, an Organization Admin can't manage or use keys directly. They are restricted to setting IAM policies, which restrict who can manage and use keys. Using an organization-level node, you can further restrict permissions for projects in your organization.
Topics
Community Discussion
No community discussion yet for this question.