ExamTopics Logo
Mail Us[email protected]
Menu
Google Discussions
exam questions

Exam Professional Cloud Developer All Questions

View all questions & answers for the Professional Cloud Developer exam
Go to Exam

Exam Professional Cloud Developer topic 1 question 173 discussion

Actual exam question from Google's Professional Cloud Developer
Question #: 173
Topic #: 1
[All Professional Cloud Developer Questions]

Your company has a new security initiative that requires all data stored in Google Cloud to be encrypted by customer-managed encryption keys. You plan to use Cloud Key Management Service (KMS) to configure access to the keys. You need to follow the "separation of duties" principle and Google-recommended best practices. What should you do? (Choose two.)

  • A. Provision Cloud KMS in its own project.
  • B. Do not assign an owner to the Cloud KMS project.
  • C. Provision Cloud KMS in the project where the keys are being used.
  • D. Grant the roles/cloudkms.admin role to the owner of the project where the keys from Cloud KMS are being used.
  • E. Grant an owner role for the Cloud KMS project to a different user than the owner of the project where the keys from Cloud KMS are being used.
Show Suggested Answer Hide Answer
Suggested Answer: AB 🗳️
by zellck at Dec. 15, 2022, 2:01 p.m.

Comments

Chosen Answer:
This is a voting comment (?). It is better to Upvote an existing comment if you don't have anything to add.
Switch to a voting comment New
Submit Cancel
zellck
Highly Voted 1 year, 6 months ago
Selected Answer: AB
AB should be correct instead. https://cloud.google.com/kms/docs/separation-of-duties#using_separate_project Instead, to allow for a separation of duties, you could run Cloud KMS in its own project, for example your-key-project. Then, depending on the strictness of your separation requirements, you could either: - (recommended) Create your-key-project without an owner at the project level, and designate an Organization Admin granted at the organization-level. Unlike an owner, an Organization Admin can't manage or use keys directly. They are restricted to setting IAM policies, which restrict who can manage and use keys. Using an organization-level node, you can further restrict permissions for projects in your organization.
upvoted 6 times
...
__rajan__
Most Recent 9 months, 2 weeks ago
Selected Answer: AB
AB is correct.
upvoted 2 times
__rajan__
9 months, 2 weeks ago
AE is correct as E provide separation of duty.
upvoted 2 times
...
...
mrvergara
1 year, 5 months ago
Selected Answer: AE
To follow Google-recommended best practices, I would recommend choosing options A and E: A. Provision Cloud KMS in its own project - this helps to ensure that the management of encryption keys is isolated and separate from other projects in your Google Cloud organization. E. Grant an owner role for the Cloud KMS project to a different user than the owner of the project where the keys from Cloud KMS are being used - this follows the "separation of duties" principle and helps to ensure that the management of encryption keys is not tied to the project where the keys are being used.
upvoted 3 times
...
TNT87
1 year, 6 months ago
Selected Answer: AB
Answer A, B
upvoted 3 times
...
micoams
1 year, 6 months ago
Selected Answer: AB
As per the docs, https://cloud.google.com/kms/docs/separation-of-duties#using_separate_project 1. The KMS should be in its own project 2. Ideally, you should not assign an owner to the KMS project
upvoted 4 times
zellck
1 year, 6 months ago
For E, the owner of the KMS project is different from the project where keys from Cloud KMS is used.
upvoted 1 times
...
zellck
1 year, 6 months ago
After reading the documentation again, agree with you on AB. https://cloud.google.com/kms/docs/separation-of-duties#using_separate_project (recommended) Create your-key-project without an owner at the project level, and designate an Organization Admin granted at the organization-level. Unlike an owner, an Organization Admin can't manage or use keys directly. They are restricted to setting IAM policies, which restrict who can manage and use keys. Using an organization-level node, you can further restrict permissions for projects in your organization.
upvoted 4 times
...
...
zellck
1 year, 6 months ago
Selected Answer: AE
AE is the answer. https://cloud.google.com/kms/docs/separation-of-duties#using_separate_project Cloud KMS could be run in an existing project, for example your-project, and this might be sensible if the data being encrypted with keys in Cloud KMS is stored in the same project. However, any user with owner access on that project is then also able to manage (and perform cryptographic operations with) keys in Cloud KMS in that project. This is because the keys themselves are owned by the project, of which the user is an owner. Instead, to allow for a separation of duties, you could run Cloud KMS in its own project, for example your-key-project.
upvoted 2 times
...
Community vote distribution
A (35%)
C (25%)
B (20%)
Other
Most Voted
A voting comment increases the vote count for the chosen answer by one.

Upvoting a comment with a selected answer will also increase the vote count towards that answer by one. So if you see a comment that you already agree with, you can upvote it instead of posting a new comment.

SaveCancel