Your company has a new security initiative that requires all data stored in Google Cloud to be encrypted by customer-managed encryption keys. You plan to use Cloud Key Management Service (KMS) to configure access to the keys. You need to follow the "separation of duties" principle and Google-recommended best practices. What should you do? (Choose two.)

A. Provision Cloud KMS in its own project. B. Do not assign an owner to the Cloud KMS project. C. Provision Cloud KMS in the project where the keys are being used. D. Grant the roles/cloudkms.admin role to the owner of the project where the keys from Cloud KMS are being used. E. Grant an owner role for the Cloud KMS project to a different user than the owner of the project where the keys from Cloud KMS are being used.