Examtopics

コメント(5)

• 正解だと思う選択肢: AB

  AB should be correct instead.

  https://cloud.google.com/kms/docs/separation-of-duties#using_separate_project Instead, to allow for a separation of duties, you could run Cloud KMS in its own project, for example your-key-project. Then, depending on the strictness of your separation requirements, you could either:

  • (recommended) Create your-key-project without an owner at the project level, and designate an Organization Admin granted at the organization-level. Unlike an owner, an Organization Admin can't manage or use keys directly. They are restricted to setting IAM policies, which restrict who can manage and use keys. Using an organization-level node, you can further restrict permissions for projects in your organization.
  👍 5

  zellck2022/12/20
• 正解だと思う選択肢: AB

  As per the docs, https://cloud.google.com/kms/docs/separation-of-duties#using_separate_project

  1. The KMS should be in its own project
  2. Ideally, you should not assign an owner to the KMS project
  👍 3

  micoams2022/12/18
• 正解だと思う選択肢: AE

  AE is the answer.

  https://cloud.google.com/kms/docs/separation-of-duties#using_separate_project Cloud KMS could be run in an existing project, for example your-project, and this might be sensible if the data being encrypted with keys in Cloud KMS is stored in the same project.

  However, any user with owner access on that project is then also able to manage (and perform cryptographic operations with) keys in Cloud KMS in that project. This is because the keys themselves are owned by the project, of which the user is an owner.

  Instead, to allow for a separation of duties, you could run Cloud KMS in its own project, for example your-key-project.

  👍 2

  zellck2022/12/15