Google Cloud Professional Cloud Security Engineer — Question 97
To meet data residency requirements, you want your secrets in Google Cloud's Secret Manager to have payloads only in europe-west1 and europe-west4. Your secrets must be highly available in both regions.
What should you do?
Answer options
- A. Create your secret with a user managed replication policy, and choose only compliant locations.
- B. Create your secret with an automatic replication policy, and choose only compliant locations.
- C. Create two secrets by using Terraform, one in europe-west1 and the other in europe-west4.
- D. Create your secret with an automatic replication policy, and create an organizational policy to deny secret creation in non-compliant locations.
Correct answer: A
Explanation
The correct answer is A because a user-managed replication policy allows you to specify the exact compliant locations for your secrets, ensuring they reside only in europe-west1 and europe-west4. Option B does not meet the requirement since it uses automatic replication, which could place secrets in non-compliant regions. Option C involves creating two separate secrets, which is not necessary for maintaining high availability in the specified regions. Option D also fails because it relies on an automatic replication policy, which does not align with the requirement of keeping secrets only in the specified locations.