Google Cloud Professional Cloud Database Engineer — Question 146
Your company uses a custom application to service thousands of users. The application is running on Compute Engine and a Cloud SQL for PostgreSQL database. The company requires database passwords to be changed every 60 days. You need to ensure that the credentials used by the web application to connect to the database are managed securely. What should you do?
Answer options
- A. 1. Store the credentials in an encrypted text file in the application. 2. Use Cloud Key Management Service (Cloud KMS) to store the key for decrypting the text file. 3. Modify the application to decrypt the text file and retrieve the credentials on startup. 4. Update the text file every 60 days.
- B. 1. Store the credentials to the database in Secret Manager. 2. Modify the application to retrieve the credentials from Secret Manager on startup. 3. Configure the rotation interval to 60 days.
- C. 1. Store the credentials in a text file in a Cloud Storage bucket. 2. Modify the application to download the text file and retrieve the credentials on startup. 3. Update the text file every 60 days.
- D. 1. Configure IAM database authentication for the application to connect to the database. 2. Create an IAM user and map it to a separate database user for each application user. 3. Require users to update their passwords every 60 days.
Correct answer: B
Explanation
Option B is correct because Secret Manager provides a secure way to store and manage sensitive information such as database credentials, along with built-in support for automatic rotation. The other options involve less secure methods, such as storing credentials in files, either encrypted or not, which can expose sensitive data if not handled properly.