GCP Professional Cloud Security Engineer Practice Question
Your security team must ensure that encryption keys used for a new Cloud Storage bucket remain exclusively in the company's on-premises HSM cluster. You have deployed the vendor's Cloud External Key Manager (EKM) connector and obtained the key's URI (ekm://…). However, when you try to create the first symmetric CryptoKeyVersion in Cloud KMS with protection level EXTERNAL and the external_key_uri field set to that URI, the request fails with the error message:
"PERMISSION_DENIED: external key URI is not allowed by any EkmConnection".
Which prerequisite action in Google Cloud did you most likely omit, causing this error?
Grant the Cloud KMS service account the CryptoKey Encrypter/Decrypter role on the on-premises HSM that holds the key.
Create an EkmConnection resource in the same Cloud KMS location that explicitly lists the external key's URI.
Enable Private Service Connect for the project and add the external key URI to a VPC Service Controls perimeter.
Import the external key material into Cloud KMS by creating an import job and using the key's wrapped representation.
Before Cloud KMS will accept an external_key_uri for a CryptoKeyVersion, the URI must appear in an EkmConnection resource that resides in the same location as the target key ring. The EkmConnection establishes the allowable external key URIs and the network routing information used by the EKM proxy. If the CryptoKeyVersion's external_key_uri is absent from every EkmConnection, Cloud KMS rejects the request with the PERMISSION_DENIED error shown. Importing key material would violate the requirement to keep the key off-cloud, network controls such as Private Service Connect are optional but do not satisfy the URI authorization check, and granting IAM roles on the HSM does not influence Cloud KMS's validation of the URI.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
What is an EkmConnection in Google Cloud?
Open an interactive chat with Bash
Why is it necessary to create an EkmConnection in the same location as the target key ring?
Open an interactive chat with Bash
How does Cloud External Key Manager (EKM) differ from standard Cloud KMS?
Open an interactive chat with Bash
What is an EkmConnection in Google Cloud?
Open an interactive chat with Bash
How does Cloud External Key Manager (EKM) work with on-premises HSMs?
Open an interactive chat with Bash
What happens if the external_key_uri is missing from an EkmConnection?
Open an interactive chat with Bash
GCP Professional Cloud Security Engineer
Ensuring data protection
Your Score:
Report Issue
Bash, the Crucial Exams Chat Bot
AI Bot
Loading...
Loading...
Loading...
Pass with Confidence.
IT & Cybersecurity Package
You have hit the limits of our free tier, become a Premium Member today for unlimited access.
Military, Healthcare worker, Gov. employee or Teacher? See if you qualify for a Community Discount.
Monthly
$19.99
$19.99/mo
Billed monthly, Cancel any time.
3 Month Pass
$44.99
$14.99/mo
One time purchase of $44.99, Does not auto-renew.
MOST POPULAR
Annual Pass
$119.99
$9.99/mo
One time purchase of $119.99, Does not auto-renew.
BEST DEAL
Lifetime Pass
$189.99
One time purchase, Good for life.
What You Get
All IT & Cybersecurity Package plans include the following perks and exams .