Google Cloud Professional Cloud Security Engineer — Question 83
You are designing a new governance model for your organization's secrets that are stored in Secret Manager. Currently, secrets for Production and Non-
Production applications are stored and accessed using service accounts. Your proposed solution must:
✑ Provide granular access to secrets
✑ Give you control over the rotation schedules for the encryption keys that wrap your secrets
✑ Maintain environment separation
✑ Provide ease of management
Which approach should you take?
Answer options
- A. 1. Use separate Google Cloud projects to store Production and Non-Production secrets. 2. Enforce access control to secrets using project-level identity and Access Management (IAM) bindings. 3. Use customer-managed encryption keys to encrypt secrets.
- B. 1. Use a single Google Cloud project to store both Production and Non-Production secrets. 2. Enforce access control to secrets using secret-level Identity and Access Management (IAM) bindings. 3. Use Google-managed encryption keys to encrypt secrets.
- C. 1. Use separate Google Cloud projects to store Production and Non-Production secrets. 2. Enforce access control to secrets using secret-level Identity and Access Management (IAM) bindings. 3. Use Google-managed encryption keys to encrypt secrets.
- D. 1. Use a single Google Cloud project to store both Production and Non-Production secrets. 2. Enforce access control to secrets using project-level Identity and Access Management (IAM) bindings. 3. Use customer-managed encryption keys to encrypt secrets.
Correct answer: A
Explanation
The correct approach is option A because it utilizes separate Google Cloud projects, which ensures environment separation and allows for granular access control via project-level IAM bindings. Additionally, using customer-managed encryption keys provides better control over key rotation. Options B and C fail to maintain environment separation, while option D uses a single project, which could lead to access conflicts.