GCP Professional Cloud Security Engineer Practice Question
A financial-services company stores incoming transaction files in a regional Cloud Storage bucket (us-central1) located in project B. The bucket is configured to use a customer-managed encryption key (CMEK) that resides in project C in the same region. Files are written to the bucket by a data-ingestion service account that already has the Storage Object Creator role on the bucket. During testing, every upload fails with the error "PERMISSION_DENIED: 400 Bad Request - could not encrypt; permission denied on Cloud KMS key." Which action will resolve the error while adhering to the principle of least privilege?
Grant the Storage Object Creator role on the bucket to the Cloud KMS service agent for project C (service-<PROJECT_C_NUMBER>@gcp-sa-cloudkms.iam.gserviceaccount.com).
Grant the Storage Admin role on the bucket to the data-ingestion service account.
Grant the Cloud KMS CryptoKey Encrypter/Decrypter role on the CMEK key to the Cloud Storage service agent for project B (service-<PROJECT_B_NUMBER>@gs-project-accounts.iam.gserviceaccount.com).
Grant the Cloud KMS Admin role on project C to the Cloud Storage service agent for project B.
Cloud Storage does not encrypt objects itself; instead it calls Cloud KMS on behalf of the project that owns the bucket. The service agent that performs this call is service-<PROJECT_B_NUMBER>@gs-project-accounts.iam.gserviceaccount.com. That service agent-not the user or workload identity that writes the object-must have permission to encrypt (and later decrypt) with the CMEK key. Granting the predefined role roles/cloudkms.cryptoKeyEncrypterDecrypter on the specific key to this service agent gives exactly the needed permissions (encrypt, decrypt, re-encrypt) without granting broader administrative rights. Adding storage permissions to the workload identity (Object Creator or Storage Admin) does not address the KMS authorization failure, and giving the service agent the Cloud KMS Admin role would exceed least-privilege requirements.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
What is a customer-managed encryption key (CMEK) in GCP?
Open an interactive chat with Bash
What is the Cloud Storage service agent, and why does it need permissions for CMEK keys?
Open an interactive chat with Bash
What is the principle of least privilege, and how does it apply to this scenario?
Open an interactive chat with Bash
What is a CMEK and how does it differ from Google-managed encryption keys?
Open an interactive chat with Bash
What is the role of the Cloud Storage service agent in this scenario?
Open an interactive chat with Bash
Why is the Cloud KMS CryptoKey Encrypter/Decrypter role considered the principle of least privilege here?
Open an interactive chat with Bash
GCP Professional Cloud Security Engineer
Ensuring data protection
Your Score:
Report Issue
Bash, the Crucial Exams Chat Bot
AI Bot
Loading...
Loading...
Loading...
Pass with Confidence.
IT & Cybersecurity Package
You have hit the limits of our free tier, become a Premium Member today for unlimited access.
Military, Healthcare worker, Gov. employee or Teacher? See if you qualify for a Community Discount.
Monthly
$19.99 $11.99
$11.99/mo
Billed monthly, Cancel any time.
$19.99 after promotion ends
3 Month Pass
$44.99 $26.99
$8.99/mo
One time purchase of $26.99, Does not auto-renew.
$44.99 after promotion ends
Save $18!
MOST POPULAR
Annual Pass
$119.99 $71.99
$5.99/mo
One time purchase of $71.99, Does not auto-renew.
$119.99 after promotion ends
Save $48!
BEST DEAL
Lifetime Pass
$189.99 $113.99
One time purchase, Good for life.
Save $76!
What You Get
All IT & Cybersecurity Package plans include the following perks and exams .