Google Cloud Professional Cloud Security Engineer Practice Exam

Why might you encounter access issues when creating a Cloud Storage bucket using a customer managed encryption key (CMEK) from a different project?

• A. The CMEK is stored in an on-premises environment
• B. The CMEK is in a different region than the Cloud Storage bucket
• C. The CMEK was not properly backed in HSM
• D. The Cloud Storage project has incorrect IAM roles assigned

The correct answer is: The CMEK is in a different region than the Cloud Storage bucket

When creating a Cloud Storage bucket that uses a customer-managed encryption key (CMEK), it's important to ensure that the CMEK is in the same region as the Cloud Storage bucket itself. If the CMEK is located in a different region, it cannot be accessed during the bucket creation process. Google Cloud's infrastructure requires that the encryption key and the data it encrypts reside in the same region to maintain performance, compliance, and security considerations. Regions are geographical areas where data centers are located, and key management services are designed to operate within the region's boundaries. Attempting to create a Cloud Storage bucket with a CMEK from a different region would lead to access issues, as the key would not be available for use. The other options revolve around scenarios that, while they may lead to access issues in different contexts, do not directly relate to the fundamental requirement that a CMEK must reside in the same region as the resource it secures. For example, storing the CMEK in an on-premises environment would cause access problems, but that situation doesn't pertain to the specific requirement regarding regional alignment. Similarly, issues with improper backing or IAM role assignments relate to different aspects of key management and access control, rather than the geographical constraints required by Google