Google Cloud Professional Cloud Security Engineer Practice Exam

How should IAM permissions for KMS keys be managed for Compute Engine disks?

• A. Assign IAM permissions at the individual key level
• B. Create a single KeyRing for all persistent disks and manage permissions there
• C. Use a service account to manage all key permissions
• D. Implement IAM permissions directly on each Compute Engine instance

The correct answer is: Create a single KeyRing for all persistent disks and manage permissions there

Managing IAM permissions for KMS (Key Management Service) keys in the context of Compute Engine disks is most efficiently done by creating a single KeyRing for all persistent disks and managing permissions there. This approach simplifies administration and enhances security by centralizing key management. When you create a KeyRing, you are able to group related keys together, which allows for streamlined IAM policy management. By applying permissions at the KeyRing level, any keys created within that KeyRing inherit the permissions set on it. This means that you can efficiently manage access to multiple keys that are used for similar purposes, such as encrypting various Compute Engine disks, without the need to set permissions individually for each key. Centralizing permissions in a KeyRing not only reduces the administrative overhead but also mitigates the risk of misconfigurations or inconsistent permission settings that might arise when managing permissions on an individual key basis. Furthermore, this approach aligns with best practices for managing cryptographic keys in a secure and organized manner. In contrast, setting IAM permissions at the individual key level can lead to complexity, especially if you have numerous keys. Using a service account for managing all key permissions can be beneficial, but it is not as efficient as utilizing a KeyRing for the entire set of related keys.