Google Cloud Professional Cloud Security Engineer — Question 324

Your organization operates in a highly regulated industry and needs to implement strict controls around temporary access to sensitive Google Cloud resources. You have been using Access Approval to manage this access, but your compliance team has mandated the use of a custom signing key. Additionally, they require that the key be stored in a hardware security module (HSM) located outside Google Cloud. You need to configure Access Approval to use a custom signing key that meets the compliance requirements. What should you do?

Answer options

• A. Create a new asymmetric signing key in Cloud Key Management System (Cloud KMS) using a supported algorithm and grant the Access Approval service account the IAM signerVerifier role on the key.
• B. Export your existing Access Approval signing key as a PEM file. Upload the file to your external HSM and reconfigure Access Approval to use the key from the HSM.
• C. Create a signing key in your external HSM. Integrate the HSM with Cloud External Key Manager (Cloud EKM) and make the key available within your project. Configure Access Approval to use this key.
• D. Create a new asymmetric signing key in Cloud KMS and configure the key with a rotation period of 30 days. Add the corresponding public key to your external HSM.

Correct answer: C

Explanation

The correct answer is C because it directly addresses the need to create a signing key in the external HSM and integrate it with Cloud External Key Manager, allowing Access Approval to utilize it in compliance with the requirements. Option A is incorrect as it does not meet the external HSM requirement, B is wrong because exporting the key does not align with compliance needs, and D fails to use the external HSM as mandated.