GCP Professional Cloud Security Engineer Practice Question
Your security team mandates that every newly created secret be encrypted with a customer-managed key that is protected by Cloud HSM. Secrets will use the automatic (global) replication policy because workloads run world-wide. As a Cloud Security Engineer, what must you do to meet the requirement and keep the secrets usable by applications?
Rely on the default Google-managed encryption and enable Secret Manager "HSM protection" at the organization level; no Cloud KMS roles are necessary.
Configure Secret Manager to use a Cloud EKM key URI; the external key's geographic location is ignored when the replication policy is global.
Create an HSM-backed key in any single region, then reference it when you update existing secrets from Google-managed encryption to CMEK.
Create an HSM-backed symmetric key in the global Cloud KMS location and grant the Secret Manager service agent the Cloud KMS CryptoKey Encrypter/Decrypter role on that key before creating each secret.
With automatic replication, Secret Manager stores secret data in a global location. To use CMEK you must therefore supply a Cloud KMS key that also resides in the global location; otherwise Secret Manager rejects the request. Because secrets are encrypted and decrypted only through Secret Manager's service agent (service-PROJECT_NUMBER@gcp-sa-secretmanager.iam.gserviceaccount.com), that service account needs the roles/cloudkms.cryptoKeyEncrypterDecrypter role on the chosen key. Using a regional key, EKM, or attempting to switch to CMEK after versions exist will fail or leave data unprotected as required.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
What is Cloud HSM and how does it integrate with Cloud KMS?
Open an interactive chat with Bash
What is the significance of a global location in Cloud KMS?
Open an interactive chat with Bash
Why is the Secret Manager service agent granted the Encrypter/Decrypter role, and how does it function?
Open an interactive chat with Bash
What is Cloud HSM and how does it enhance security?
Open an interactive chat with Bash
What does it mean for a key to be stored in a 'global' location in Cloud KMS?
Open an interactive chat with Bash
How does the Secret Manager service agent interact with Cloud KMS keys?
Open an interactive chat with Bash
GCP Professional Cloud Security Engineer
Ensuring data protection
Your Score:
Report Issue
Bash, the Crucial Exams Chat Bot
AI Bot
Loading...
Loading...
Loading...
Pass with Confidence.
IT & Cybersecurity Package
You have hit the limits of our free tier, become a Premium Member today for unlimited access.
Military, Healthcare worker, Gov. employee or Teacher? See if you qualify for a Community Discount.
Monthly
$19.99 $11.99
$11.99/mo
Billed monthly, Cancel any time.
$19.99 after promotion ends
3 Month Pass
$44.99 $26.99
$8.99/mo
One time purchase of $26.99, Does not auto-renew.
$44.99 after promotion ends
Save $18!
MOST POPULAR
Annual Pass
$119.99 $71.99
$5.99/mo
One time purchase of $71.99, Does not auto-renew.
$119.99 after promotion ends
Save $48!
BEST DEAL
Lifetime Pass
$189.99 $113.99
One time purchase, Good for life.
Save $76!
What You Get
All IT & Cybersecurity Package plans include the following perks and exams .