You want data on Compute Engine disks to be encrypted at rest with keys managed by Cloud Key Management Service (KMS).
Cloud Identity and Access Management (IAM) permissions to these keys must be managed in a grouped way because the permissions should be the same for all keys.
What should you do?
A. B. C. D.C.
To encrypt data at rest on Compute Engine disks with keys managed by Cloud KMS, you need to create a KeyRing and one or more Keys. A KeyRing is a container for keys, and a Key is the actual encryption key. IAM permissions can be managed at the KeyRing or Key level.
In this case, the requirement is to manage IAM permissions in a grouped way because the permissions should be the same for all keys. Therefore, option B, which involves creating a single KeyRing for all persistent disks and all Keys in this KeyRing, and managing the IAM permissions at the KeyRing level, is the correct choice.
Option A, which involves managing IAM permissions at the Key level, would require assigning permissions to each key individually, which would not be efficient if you want to manage permissions in a grouped way.
Option C, which involves creating a KeyRing per persistent disk with each KeyRing containing a single Key, would result in managing IAM permissions at the Key level for each KeyRing. This approach would not allow you to group permissions together for multiple disks.
Option D, which involves creating a KeyRing per persistent disk and managing the IAM permissions at the KeyRing level, would mean managing IAM permissions for each KeyRing, which would not allow you to group permissions together for multiple disks.
Therefore, option B is the correct choice as it involves creating a single KeyRing for all persistent disks and all Keys in this KeyRing, and managing the IAM permissions at the KeyRing level.
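The single-KeyRing layout described in the explanation can be written as a Terraform configuration. This is an added example, not part of the original page; the resource names, location, zone, disk names and the `project_number` variable are assumptions chosen for illustration.

```hcl
# Assumed input: the numeric project number of the project that owns the disks.
variable "project_number" { type = string }

locals {
  # Constructed sample disk names.
  disks = toset(["disk-a", "disk-b", "disk-c"])

  # Compute Engine service agent: the identity that calls Cloud KMS
  # when a disk is protected with a customer-managed key.
  compute_agent = "serviceAccount:service-${var.project_number}@compute-system.iam.gserviceaccount.com"
}

# One KeyRing for all persistent disks.
resource "google_kms_key_ring" "disks" {
  name     = "persistent-disk-keys"
  location = "us-central1"
}

# One Key per disk, all inside the same KeyRing.
resource "google_kms_crypto_key" "disk" {
  for_each = local.disks
  name     = "${each.key}-key"
  key_ring = google_kms_key_ring.disks.id
}

# A single IAM binding at the KeyRing level. Every Key in the KeyRing,
# including Keys added later, inherits it, so there is no per-Key policy
# to keep in sync.
resource "google_kms_key_ring_iam_member" "compute_agent" {
  key_ring_id = google_kms_key_ring.disks.id
  role        = "roles/cloudkms.cryptoKeyEncrypterDecrypter"
  member      = local.compute_agent
}

resource "google_compute_disk" "disk" {
  for_each = local.disks
  name     = each.key
  zone     = "us-central1-a" # must be in the KeyRing's region
  size     = 10

  disk_encryption_key {
    kms_key_self_link = google_kms_crypto_key.disk[each.key].id
  }

  # The grant must exist before Compute Engine tries to use the key.
  depends_on = [google_kms_key_ring_iam_member.compute_agent]
}
```

Adding a disk name to `local.disks` creates a new Key and disk without touching IAM, which is the grouped management the question asks for.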