Question 126 of 500
Ensuring data protection · medium · Multiple Choice · Objective-mapped

Quick Answer

The answer is to ensure the service account has the Cloud KMS CryptoKey Decrypter role on the key, which applies to all key versions, including the old version used for encryption. This is because Cloud KMS evaluates IAM permissions at the key resource level, not per key version; when a key rotates, the old version remains active for decryption, but the service account’s existing role binding already covers it. On the Google Professional Cloud Security Engineer exam, this scenario tests your understanding that a 403 error after key rotation is rarely a permissions gap—it’s often a client library misconfiguration that explicitly references a disabled version ID. The common trap is assuming you need to reapply IAM roles after rotation, but the key-level binding persists. Remember the mnemonic: “Key-level, not version-level—your role covers the whole roll.”

PCSE Ensuring data protection Practice Question

This PCSE practice question tests your understanding of ensuring data protection. After answering, compare your reasoning against the explanation and wrong-answer breakdown below. Once you have made your selection, read the full explanation to reinforce the concept and understand why each distractor is designed to mislead on exam day.

A company runs a containerized application on Google Kubernetes Engine (GKE) that reads from a Cloud Storage bucket encrypted with a customer-managed key (CMEK) in Cloud KMS. The application uses a dedicated Google service account with the roles/storage.objectViewer role and a Cloud KMS CryptoKey Decrypter binding on the key. After a scheduled key rotation, the application started receiving '403 Access Denied' errors when accessing objects. The Cloud KMS key has multiple versions. The service account's IAM permissions have not changed. What is the most likely cause and the appropriate fix?

Clue words in this question

Noticing these words before you look at the options changes how you read each choice.

  • Clue: "most likely"

    Why it matters: Probability qualifier — the question wants the most probable cause or outcome, not a guaranteed one. Eliminate low-probability options.

Answer choices

  • A. In Cloud KMS, enable the new key version and ensure it is set as primary.
  • B. Create a new key ring and migrate the service account to use a new key.
  • C. Disable the old key version and re-encrypt all objects with the new key version.
  • D. Ensure the service account has the 'Cloud KMS CryptoKey Decrypter' role on the key, which applies to all key versions, including the old version used for encryption.

Answer the question above first, then read the full breakdown to understand why each option is right or wrong.

Correct answer & explanation

Ensure the service account has the 'Cloud KMS CryptoKey Decrypter' role on the key, which applies to all key versions, including the old version used for encryption.

The correct answer is D. In Cloud KMS, IAM permissions are evaluated at the key level, not per key version. When a key is rotated, the new primary version is automatically enabled, but the old version remains active for decrypting data encrypted with it. The service account already has the 'Cloud KMS CryptoKey Decrypter' role on the key, which grants permission to decrypt with any version of that key. The 403 error likely occurred because the application's client library or configuration was explicitly referencing the old key version ID, which may have been disabled or is no longer primary, but the IAM binding on the key itself is sufficient. The fix is to ensure the service account has the role on the key (which it does) and that the application uses the key resource name (not a specific version) to allow automatic use of the correct version.

Key principle: Answer the scenario, not the keyword: identify the specific constraint before choosing the most familiar-sounding option.

Answer analysis

Option-by-option breakdown

For each option: why learners choose it and why it is or isn't the right answer here.

  • In Cloud KMS, enable the new key version and ensure it is set as primary.

    Why it's wrong here

    Enabling the new version is standard after rotation, but the service account still needs permissions; simply enabling it does not grant access.

  • Create a new key ring and migrate the service account to use a new key.

    Why it's wrong here

    Creating a new key ring does not solve the permission issue; it adds unnecessary complexity.

  • Disable the old key version and re-encrypt all objects with the new key version.

    Why it's wrong here

    Disabling the old version would make existing objects unreadable; re-encryption is not automatic and would require rewriting all objects.

  • Ensure the service account has the 'Cloud KMS CryptoKey Decrypter' role on the key, which applies to all key versions, including the old version used for encryption.

    Why this is correct

    The role on the key grants access to all versions; if it was previously granted only on a specific version, the old version may have lost access during rotation.

    Clue confirmation

The clue word "most likely" in the question points toward this answer.

    Related concept

    Read the scenario before looking for a memorised answer.

Common exam traps

Common exam trap: answer the scenario, not the keyword

Google Cloud often tests the misconception that key rotation requires updating IAM permissions or that old key versions become unusable, when in fact IAM bindings on the key cover all versions and old versions remain active for decryption unless explicitly disabled.

Detailed technical explanation

How to think about this question

Cloud KMS key rotation creates a new key version and sets it as primary for future encryption, but old versions remain enabled for decryption unless explicitly disabled. The IAM role 'Cloud KMS CryptoKey Decrypter' on the key resource grants permission to decrypt with any version of that key, including old ones. A common subtlety is that if an application hardcodes a specific key version ID (e.g., 'projects/p/locations/l/keyRings/r/cryptoKeys/k/cryptoKeyVersions/1') instead of using the key resource name (e.g., 'projects/p/locations/l/keyRings/r/cryptoKeys/k'), it may fail if that version is disabled or if the client library does not automatically resolve to the correct version for decryption.
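To make the key-level versus version-level distinction concrete, here is an added Python diagnostic (example code written for this page, not Courseiva's or Google's own). It parses a Cloud KMS resource name, reports whether the name pins a single cryptoKeyVersion, derives the key-level name the client should use instead, and checks an IAM policy for the roles/cloudkms.cryptoKeyDecrypter binding. The two resource names are the ones quoted in the explanation above; the service-account member, the policy (shaped like the output of `gcloud kms keys get-iam-policy`) and the per-version states (as `gcloud kms keys versions list` would report them) are constructed sample data.

```python
import re

# Cloud KMS cryptoKey / cryptoKeyVersion resource-name format. The regex is this
# example's own; the trailing /cryptoKeyVersions/<id> segment is optional.
KMS_NAME_RE = re.compile(
    r"^projects/(?P<project>[^/]+)/locations/(?P<location>[^/]+)"
    r"/keyRings/(?P<ring>[^/]+)/cryptoKeys/(?P<key>[^/]+)"
    r"(?:/cryptoKeyVersions/(?P<version>[^/]+))?$"
)

# Predefined IAM role that allows decrypt calls; it is bound on the key, never on a version.
DECRYPTER_ROLE = "roles/cloudkms.cryptoKeyDecrypter"

# Resource names taken from the explanation above.
PINNED_NAME = "projects/p/locations/l/keyRings/r/cryptoKeys/k/cryptoKeyVersions/1"
KEY_NAME = "projects/p/locations/l/keyRings/r/cryptoKeys/k"

# Constructed sample data: the application's service account, a key-level IAM policy,
# and the state of each version after one rotation (version 1 disabled by an operator,
# version 2 now primary).
MEMBER = "serviceAccount:app-sa@example-project.iam.gserviceaccount.com"
POLICY = {"bindings": [{"role": DECRYPTER_ROLE, "members": [MEMBER]}]}
VERSION_STATES = {"1": "DISABLED", "2": "ENABLED"}


def parse_kms_name(name):
    """Split a key or key-version name into parts; 'version' is None for key-level names."""
    match = KMS_NAME_RE.match(name)
    if match is None:
        raise ValueError(f"not a Cloud KMS cryptoKey or cryptoKeyVersion name: {name!r}")
    return match.groupdict()


def is_version_pinned(name):
    """True when the configured name points at one cryptoKeyVersion rather than the key."""
    return parse_kms_name(name)["version"] is not None


def key_level_name(name):
    """Drop any /cryptoKeyVersions/<id> suffix so Cloud KMS selects the version itself."""
    parts = parse_kms_name(name)
    return ("projects/{project}/locations/{location}/keyRings/{ring}"
            "/cryptoKeys/{key}").format(**parts)


def has_decrypter_binding(policy, member):
    """Check the key-level IAM policy for the Decrypter role on the given member."""
    return any(
        binding.get("role") == DECRYPTER_ROLE and member in binding.get("members", [])
        for binding in policy.get("bindings", [])
    )


def diagnose(configured_name, policy, member, version_states):
    """Return findings, in checking order, for a 403 that appeared after key rotation.

    An empty list means the key-level binding is present and no version is pinned,
    which is the configuration the explanation recommends.
    """
    findings = []
    if not has_decrypter_binding(policy, member):
        findings.append("missing-decrypter-binding-on-key")
    parts = parse_kms_name(configured_name)
    if parts["version"] is not None:
        state = version_states.get(parts["version"], "UNKNOWN")
        # Even an ENABLED pinned version is a latent fault: it stops working the
        # moment that version is disabled or destroyed.
        findings.append(f"pinned-version-{parts['version']}-{state.lower()}")
    return findings


if __name__ == "__main__":
    for name in (PINNED_NAME, KEY_NAME):
        print(name)
        print("  pinned:", is_version_pinned(name), "-> use:", key_level_name(name))
        print("  findings:", diagnose(name, POLICY, MEMBER, VERSION_STATES) or "none")
```

Running it shows the point of the question: the pinned name yields a finding even though the policy binding is correct, while the key-level name with the same policy yields none, so the fix is in the application's configuration, not in IAM. In real use the policy and version states would come from `gcloud kms keys get-iam-policy` and `gcloud kms keys versions list` for the key in question.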

Key Concepts to Remember

  • Read the scenario before looking for a memorised answer.
  • Find the constraint that changes the correct option.
  • Eliminate answers that are true in general but not in this case.

Exam Day Tips

  • Watch for words such as best, first, most likely and least administrative effort.
  • Review why wrong options are wrong, not only why the correct option is correct.

Key takeaway

Answer the scenario, not the keyword: identify the specific constraint before choosing the most familiar-sounding option.

Real-world example

How this comes up in practice

A media company stores terabytes of video archives that are accessed once a year for audit purposes. Moving these objects to a cold storage tier (Azure Archive, S3 Glacier, or Google Nearline) costs a fraction of hot storage. Questions like this test whether you understand storage tiers, access frequency tradeoffs, and retrieval latency requirements.

What to study next

Got this wrong? Here's your next step.

Identify which exam domain this question belongs to, review the core concept, then practise similar questions from the same domain.


FAQ

Questions learners often ask

What does this PCSE question test?

This question tests ensuring data protection: read the scenario before looking for a memorised answer.

What is the correct answer to this question?

The correct answer is D: ensure the service account has the 'Cloud KMS CryptoKey Decrypter' role on the key, which applies to all key versions, including the old version used for encryption. See the full explanation above.

What should I do if I get this PCSE question wrong?

Identify which exam domain this question belongs to, review the core concept, then practise similar questions from the same domain.

Are there clue words in this question I should notice?

Yes — watch for: "most likely". Probability qualifier — the question wants the most probable cause or outcome, not a guaranteed one. Eliminate low-probability options.

What is the key concept behind this question?

Read the scenario before looking for a memorised answer.

About these practice questions

Courseiva creates original exam-style practice questions with explanations and wrong-answer analysis. It does not publish real exam questions, exam dumps, or protected exam content.


Last reviewed: Jun 30, 2026
