Google Cloud Professional Cloud Security Engineer — Question 152
You are setting up a new Cloud Storage bucket in your environment that is encrypted with a customer-managed encryption key (CMEK). The CMEK is stored in Cloud Key Management Service (KMS), in project “prj-a”, and the Cloud Storage bucket will use project “prj-b”. The key is backed by a Cloud Hardware Security Module (HSM) and resides in the region europe-west3. Your storage bucket will be located in the region europe-west1. When you create the bucket, you cannot access the key, and you need to troubleshoot why.
What has caused the access issue?
Answer options
- A. A firewall rule prevents the key from being accessible.
- B. Cloud HSM does not support Cloud Storage.
- C. The CMEK is in a different project than the Cloud Storage bucket.
- D. The CMEK is in a different region than the Cloud Storage bucket.
Correct answer: D
Explanation
The correct answer is D because the CMEK must be in the same region as the Cloud Storage bucket for access to work; in this scenario the key is in europe-west3 and the bucket is in europe-west1. Options A and B are incorrect because neither firewall rules nor Cloud HSM compatibility affects the CMEK's accessibility in this scenario. Option C is also incorrect because the access issue arises from the regional mismatch, not from the key and the bucket being in different projects.