
Your organization operates in a strictly regulated environment and must enforce rigorous controls for temporary access to sensitive Google Cloud resources. While Access Approval is currently used, compliance now mandates the use of a custom signing key stored in an external hardware security module (HSM). How should you configure Access Approval to utilize a custom signing key that fulfills these compliance requirements?
A. Create a new asymmetric signing key in Cloud Key Management System (Cloud KMS) using a supported algorithm and grant the Access Approval service account the IAM signerVerifier role on the key.
B. Export your existing Access Approval signing key as a PEM file. Upload the file to your external HSM and reconfigure Access Approval to use the key from the HSM.
C. Create a signing key in your external HSM. Integrate the HSM with Cloud External Key Manager (Cloud EKM) and make the key available within your project. Configure Access Approval to use this key.
D. Create a new asymmetric signing key in Cloud KMS and configure the key with a rotation period of 30 days. Add the corresponding public key to your external HSM.