ExpertMinds LogoExpertMinds
Hard1 markMultiple Choice
Domain 3: Designing for Security and ComplianceSecurityKMSIAM
This question is part of a case study — click to read the full scenario(Case 16)

CASE STUDY: HealthSecure. 50M patient records. Legacy mainframe, on-prem SAN (100TB), .NET portal. Req: Modernize portal, secure hospital sharing, fast audits. CEO: Modern UX. CFO: Automate audits. CISO: Zero breaches. Tech: HIPAA, CMEK, audit logging, API gateway, DR (1h RPO/4h RTO). Constraints: No public DB IPs, Dev/Ops separation, US data only, mainframe stays on-prem via VPN.

To meet the 1-hour RPO and 4-hour RTO for the modernized portal database, which architecture should you implement?

View full case study page →

GCP PCA · Question 18 · Domain 3: Designing for Security and Compliance

CASE STUDY: HealthSecure. 50M patient records. Legacy mainframe, on-prem SAN (100TB), .NET portal. Req: Modernize portal, secure hospital sharing, fast audits. CEO: Modern UX. CFO: Automate audits. CISO: Zero breaches. Tech: HIPAA, CMEK, audit logging, API gateway, DR (1h RPO/4h RTO). Constraints: No public DB IPs, Dev/Ops separation, US data only, mainframe stays on-prem via VPN.

How should you implement Customer-Managed Encryption Keys (CMEK) while enforcing the strict separation of duties between Dev and Ops?

Answer options:

A.

Store keys in the application code repository.

B.

Create a dedicated KMS project managed by Security/Ops, and grant Encrypter/Decrypter roles to Dev service accounts.

C.

Give Devs Project Owner access so they can manage their own keys.

D.

Use Google-managed encryption keys instead.

How to approach this question

Apply IAM principles to KMS for separation of duties.

Full Answer

B.Create a dedicated KMS project managed by Security/Ops, and grant Encrypter/Decrypter roles to Dev service accounts.✓ Correct
Create a dedicated KMS project managed by Security/Ops, and grant Encrypter/Decrypter roles to Dev service accounts in the application project.
Centralizing KMS in a security project and granting only usage roles (Encrypter/Decrypter) to application service accounts enforces strict separation of duties.

Common mistakes

Putting keys in the same project as the application with broad permissions.
17All questions19

Practice the full GCP Professional Cloud Architect Practice Exam 2

50 questions · hints · full answers · grading

Sign up freeTake the exam

More questions from this exam

Q01CASE STUDY: TechStream Gaming. 500 emp, $100M rev. On-prem US/EU, 200 servers, MySQL 5TB. 2M peak...MediumQ02CASE STUDY: TechStream Gaming. 500 emp, $100M rev. On-prem US/EU, 200 servers, MySQL 5TB. 2M peak...MediumQ03CASE STUDY: TechStream Gaming. 500 emp, $100M rev. On-prem US/EU, 200 servers, MySQL 5TB. 2M peak...HardQ04CASE STUDY: TechStream Gaming. 500 emp, $100M rev. On-prem US/EU, 200 servers, MySQL 5TB. 2M peak...MediumQ05CASE STUDY: TechStream Gaming. 500 emp, $100M rev. On-prem US/EU, 200 servers, MySQL 5TB. 2M peak...Easy
View all 50 questions →