Google Cloud Professional Cloud Security Engineer — Question 246
You want data on Compute Engine disks to be encrypted at rest with keys managed by Cloud Key Management Service (KMS). Cloud Identity and Access Management (IAM) permissions to these keys must be managed in a grouped way because the permissions should be the same for all keys.
What should you do?
Answer options
- A. Create a single KeyRing for all persistent disks and all Keys in this KeyRing. Manage the IAM permissions at the Key level.
- B. Create a single KeyRing for all persistent disks and all Keys in this KeyRing. Manage the IAM permissions at the KeyRing level.
- C. Create a KeyRing per persistent disk, with each KeyRing containing a single Key. Manage the IAM permissions at the Key level.
- D. Create a KeyRing per persistent disk, with each KeyRing containing a single Key. Manage the IAM permissions at the KeyRing level.
Correct answer: B
Explanation
The correct answer is B because an IAM policy set at the KeyRing level is inherited by every key in that KeyRing, so all keys receive the same permissions from a single place. Option A is incorrect because managing permissions at the Key level means maintaining a separate policy for each key, which is not the grouped approach required. Options C and D complicate the structure by creating a separate KeyRing for each disk, which is unnecessary and does not meet the requirement for grouped permissions.