Google Cloud Professional Cloud Developer — Question 206

Your company has a new security initiative that requires all data stored in Google Cloud to be encrypted by customer-managed encryption keys. You plan to use Cloud Key Management Service (KMS) to configure access to the keys. You need to follow the "separation of duties" principle and Google-recommended best practices. What should you do? (Choose two.)

Answer options

• A. Provision Cloud KMS in its own project.
• B. Do not assign an owner to the Cloud KMS project.
• C. Provision Cloud KMS in the project where the keys are being used.
• D. Grant the roles/cloudkms.admin role to the owner of the project where the keys from Cloud KMS are being used.
• E. Grant an owner role for the Cloud KMS project to a different user than the owner of the project where the keys from Cloud KMS are being used.

Correct answer: A, B

Explanation

The correct answers, A and B, ensure that Cloud KMS is isolated in its own project and prevents any single user from having ownership over both the KMS and the keys, thus maintaining separation of duties. Options C and D violate best practices by either placing KMS in the same project as the keys or granting excessive permissions to the project owner. Option E, while it maintains separation, is not necessary if the KMS is in its own project.