Google Cloud Professional Cloud Security Engineer — Question 195
Your organization’s application is being integrated with a partner application that requires read access to customer data to process customer orders. The customer data is stored in one of your Cloud Storage buckets. You have evaluated different options and determined that this activity requires the use of service account keys. You must advise the partner on how to minimize the risk of a compromised service account key causing a loss of data. What should you advise the partner to do?
Answer options
- A. Scan the Cloud Storage bucket with Sensitive Data Protection when new data is added, and automatically mask all customer data.
- B. Define a VPC Service Controls perimeter, and restrict the Cloud Storage API. Add an ingress rule to the perimeter to allow access to the Cloud Storage API for the service account from outside of the perimeter.
- C. Ensure that all data for the application that is accessed through the relevant service accounts is encrypted at rest by using customer-managed encryption keys (CMEK).
- D. Implement a secret management service. Configure the service to frequently rotate the service account key. Configure proper access control to the key, and restrict who can create service account keys.
Correct answer: D
Explanation
The correct answer is D because implementing a secret management service with frequent key rotation and proper access controls directly reduces the risk associated with a compromised service account key: frequent rotation shortens the window during which a leaked key remains usable, and restricting who can create and access keys limits how a key can be exposed in the first place. Options A and B do not address the security of the service account key itself, while option C focuses on encryption of data at rest, which does not help when a valid key is used to read the data.