GCP Professional Cloud Architect Practice Question
Your company uses a customer-managed symmetric encryption key stored in Cloud KMS to protect objects in a production Cloud Storage bucket. A Compute Engine service account must upload and download objects that the bucket automatically encrypts with this key. Compliance mandates that only the central Security team can rotate, disable, or otherwise administer the key. Which single IAM role should you grant to the service account on the specific CryptoKey to satisfy these requirements?
Grant roles/cloudkms.cryptoKeyEncrypterDecrypter on the CryptoKey.
Grant roles/owner on the project that contains the key ring.
Grant roles/storage.objectAdmin on the Cloud Storage bucket.
Granting the Cloud KMS CryptoKey Encrypter/Decrypter role (roles/cloudkms.cryptoKeyEncrypterDecrypter) on the individual CryptoKey lets the service account call Encrypt and Decrypt, which is exactly what it needs to read and write data protected by the key. The role does not include administrative permissions such as update, disable, destroy, or setIamPolicy, so key management remains exclusively with the Security team. Granting roles/cloudkms.admin or project-level Owner would violate least privilege by allowing key administration. Granting storage-specific roles does not give the service account the cryptographic permissions required to use the CMEK.
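As an added example (not part of the original question and not Google's own tooling), this Python check audits IAM policies for the layout the explanation describes: the workload holds only the usage role on the key, and no one but the Security team holds an administrative role. The member names and sample policies are constructed for illustration.

```python
# Shape matches `gcloud kms keys get-iam-policy ... --format=json` output.
USE_ROLE = "roles/cloudkms.cryptoKeyEncrypterDecrypter"
ADMIN_ROLES = {"roles/cloudkms.admin", "roles/owner"}  # ruled out above

# Constructed identities and policies, for illustration only.
SA = "serviceAccount:app-vm@example-project.iam.gserviceaccount.com"
SEC = "group:security-team@example.com"
GOOD_KEY = {"bindings": [
    {"role": USE_ROLE, "members": [SA]},
    {"role": "roles/cloudkms.admin", "members": [SEC]},
]}
GOOD_PROJECT = {"bindings": [
    {"role": "roles/storage.objectAdmin", "members": [SA]},
]}
BAD_KEY = {"bindings": [{"role": "roles/cloudkms.admin", "members": [SA, SEC]}]}
BAD_PROJECT = {"bindings": [{"role": "roles/owner", "members": [SA]}]}


def roles_for(policy, member):
    """Roles that a policy binds directly to `member`."""
    return {b["role"] for b in policy.get("bindings", [])
            if member in b.get("members", [])}


def audit_key_access(key_policy, project_policy, workload, security_team):
    """Return findings; an empty list means the bindings match the answer.

    Only direct bindings are inspected: group membership and roles inherited
    from a key ring, folder or organization are not resolved here.
    """
    findings = []
    if USE_ROLE not in roles_for(key_policy, workload):
        findings.append(f"{workload} lacks {USE_ROLE} on the key")
    for scope, policy in (("key", key_policy), ("project", project_policy)):
        for binding in policy.get("bindings", []):
            if binding["role"] not in ADMIN_ROLES:
                continue
            for member in binding.get("members", []):
                if member != security_team:
                    findings.append(
                        f"{member} holds {binding['role']} on the {scope}")
    return findings


if __name__ == "__main__":
    print(audit_key_access(GOOD_KEY, GOOD_PROJECT, SA, SEC))  # no findings
    for finding in audit_key_access(BAD_KEY, BAD_PROJECT, SA, SEC):
        print("FINDING:", finding)
```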
GCP Professional Cloud Architect
Designing for security and compliance