🔥 3-day streak
Professional Cloud Security Engineer36 / 152
Question 36 of 152

A financial services company uses Cloud KMS to protect customer records. The security team requires that the engineers who manage the lifecycle of encryption keys (creating, rotating, and disabling keys) must NOT be able to use those keys to decrypt any data, enforcing separation of duties. The application service account only needs to perform cryptographic operations. How should you configure IAM to meet this requirement?

Reviewed for accuracy · Report an issueNext question