
Answer-first summary for fast verification
Answer: Create a signing key in your external HSM. Integrate the HSM with Cloud External Key Manager (Cloud EKM) and make the key available within your project. Configure Access Approval to use this key.
The question requires configuring Access Approval with a custom signing key that is stored in an external HSM, outside Google Cloud. Option C is correct because the signing key is created directly in the external HSM, the HSM is integrated with Cloud EKM so that the key becomes available in the Google Cloud project, and Access Approval is then configured to use that key. With this approach the key material never leaves the external HSM, which satisfies the compliance requirement. Option A uses Cloud KMS (within Google Cloud), which violates the external HSM requirement. Option B attempts to export the key and upload it to an external HSM, but Access Approval does not support using keys from external HSMs via PEM file upload; external keys must be integrated through Cloud EKM. Option D also uses Cloud KMS and adds only the public key to the external HSM, so the private key remains in Google Cloud and the compliance mandate is not met. The community discussion unanimously supports C, with upvoted comments emphasizing that only C fulfills the requirement of an external HSM key.
Author: LeetQuiz Editorial Team
Your organization operates in a strictly regulated environment and must enforce rigorous controls for temporary access to sensitive Google Cloud resources. While Access Approval is currently used, compliance now mandates the use of a custom signing key stored in an external hardware security module (HSM). How should you configure Access Approval to utilize a custom signing key that fulfills these compliance requirements?
A. Create a new asymmetric signing key in Cloud Key Management System (Cloud KMS) using a supported algorithm and grant the Access Approval service account the IAM signerVerifier role on the key.
B. Export your existing Access Approval signing key as a PEM file. Upload the file to your external HSM and reconfigure Access Approval to use the key from the HSM.
C. Create a signing key in your external HSM. Integrate the HSM with Cloud External Key Manager (Cloud EKM) and make the key available within your project. Configure Access Approval to use this key.
D. Create a new asymmetric signing key in Cloud KMS and configure the key with a rotation period of 30 days. Add the corresponding public key to your external HSM.