ExamTopics Logo
Mail Us[email protected]
Menu
Google Discussions
exam questions

Exam Professional Cloud Security Engineer All Questions

View all questions & answers for the Professional Cloud Security Engineer exam
Go to Exam

Exam Professional Cloud Security Engineer topic 1 question 235 discussion

Actual exam question from Google's Professional Cloud Security Engineer
Question #: 235
Topic #: 1
[All Professional Cloud Security Engineer Questions]

You are setting up a new Cloud Storage bucket in your environment that is encrypted with a customer managed encryption key (CMEK). The CMEK is stored in Cloud Key Management Service (KMS), in project “prj-a”, and the Cloud Storage bucket will use project “prj-b”. The key is backed by a Cloud Hardware Security Module (HSM) and resides in the region europe-west3. Your storage bucket will be located in the region europe-west1. When you create the bucket, you cannot access the key, and you need to troubleshoot why.

What has caused the access issue?

  • A. A firewall rule prevents the key from being accessible.
  • B. Cloud HSM does not support Cloud Storage.
  • C. The CMEK is in a different project than the Cloud Storage bucket.
  • D. The CMEK is in a different region than the Cloud Storage bucket.
Show Suggested Answer Hide Answer
Suggested Answer: D 🗳️
by MisterHairy at Nov. 21, 2023, 10:54 p.m.

Comments

Chosen Answer:
This is a voting comment (?). It is better to Upvote an existing comment if you don't have anything to add.
Switch to a voting comment New
Submit Cancel
i_am_robot
Highly Voted 1 year, 6 months ago
Selected Answer: D
The access issue is caused by the fact that the CMEK is in a different region than the Cloud Storage bucket. According to the Google Cloud documentation, the location of the Cloud KMS key must match the storage location of the resource it is intended to encrypt. Since the CMEK resides in the region europe-west3 and the storage bucket is located in the region europe-west1, this mismatch is the reason why the key cannot be accessed when creating the bucket. Therefore, the correct answer is: D. The CMEK is in a different region than the Cloud Storage bucket
upvoted 5 times
...
MoAk
Most Recent 7 months, 2 weeks ago
Selected Answer: D
https://cloud.google.com/kms/docs/cmek#when-use-cmek
upvoted 1 times
...
Potatoe2023
1 year, 2 months ago
Selected Answer: D
D https://cloud.google.com/kms/docs/cmek#cmek_integrations
upvoted 2 times
...
irmingard_examtopics
1 year, 2 months ago
Selected Answer: D
You must create the Cloud KMS key ring in the same location as the data you intend to encrypt. For example, if your bucket is located in US-EAST1, any key ring used for encrypting objects in that bucket must also be created in US-EAST1. https://cloud.google.com/storage/docs/encryption/customer-managed-keys#restrictions
upvoted 4 times
...
Bettoxicity
1 year, 3 months ago
Selected Answer: C
CMEK Project Mismatch: By default, CMEKs can only be accessed by services within the same GCP project where the key resides (prj-a in this case). Your Cloud Storage bucket is in a different project (prj-b). Why not D?: CMEK Region Disparity: CMEKs can be accessed from any region within GCP, so the difference between europe-west3 (CMEK location) and europe-west1 (bucket location) shouldn't be the primary cause.
upvoted 1 times
...
dija123
1 year, 4 months ago
Selected Answer: C
By default, Google Cloud projects operate in isolation. Resources in one project cannot automatically access resources in another project, even within the same region. This security principle prevents unauthorized access to sensitive data or actions.
upvoted 1 times
...
NaikMN
1 year, 7 months ago
D https://cloud.google.com/sql/docs/mysql/cmek
upvoted 1 times
dija123
1 year, 3 months ago
this link is about sql not Cloud storage, Cloud Storage with CMEK is more flexible regarding regions.
upvoted 1 times
...
...
MisterHairy
1 year, 7 months ago
Selected Answer: D
The correct answer is D. The CMEK is in a different region than the Cloud Storage bucket. When you use a customer-managed encryption key (CMEK) to secure a Cloud Storage bucket, the key and the bucket must be located in the same region. In this case, the key is in europe-west3 and the bucket is in europe-west1, which is why you’re unable to access the key.
upvoted 3 times
...
Community vote distribution
A (35%)
C (25%)
B (20%)
Other
Most Voted
A voting comment increases the vote count for the chosen answer by one.

Upvoting a comment with a selected answer will also increase the vote count towards that answer by one. So if you see a comment that you already agree with, you can upvote it instead of posting a new comment.

SaveCancel