Topic: Professional Cloud Security Engineer topic 1 question 103

You are designing a new governance model for your organization's secrets that are stored in Secret Manager. Currently, secrets for Production and Non-Production applications are stored and accessed using service accounts. Your proposed solution must:
✑ Provide granular access to secrets
✑ Give you control over the rotation schedules for the encryption keys that wrap your secrets
✑ Maintain environment separation
✑ Provide ease of management
Which approach should you take?

A.
1. Use separate Google Cloud projects to store Production and Non-Production secrets. 2. Enforce access control to secrets using project-level Identity and Access Management (IAM) bindings. 3. Use customer-managed encryption keys to encrypt secrets.
B.
1. Use a single Google Cloud project to store both Production and Non-Production secrets. 2. Enforce access control to secrets using secret-level Identity and Access Management (IAM) bindings. 3. Use Google-managed encryption keys to encrypt secrets.
C.
1. Use separate Google Cloud projects to store Production and Non-Production secrets. 2. Enforce access control to secrets using secret-level Identity and Access Management (IAM) bindings. 3. Use Google-managed encryption keys to encrypt secrets.
D.
1. Use a single Google Cloud project to store both Production and Non-Production secrets. 2. Enforce access control to secrets using project-level Identity and Access Management (IAM) bindings. 3. Use customer-managed encryption keys to encrypt secrets.
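The three mechanisms the answer options combine (project-per-environment separation, IAM bindings on the secret itself rather than the project, and a customer-managed KMS key whose rotation schedule you set) can be seen together in one configuration. The Terraform below is an added illustration written for this thread; it is not from the exam, Google's documentation or any real project. The project ID, location, secret name, rotation period and the workload service account are placeholder assumptions, and a second copy of the same configuration with `env = "nonprod"` and its own project would cover the other environment.

```hcl
terraform {
  required_providers {
    google = {
      source = "hashicorp/google"
    }
  }
}

# Placeholder values: one Google Cloud project per environment is what keeps
# Production and Non-Production secrets apart at the IAM and billing boundary.
locals {
  env        = "prod"
  project_id = "example-secrets-prod" # hypothetical project ID
  location   = "us-central1"
}

provider "google" {
  project = local.project_id
}

# Needed for the project number used in the Secret Manager service agent name.
data "google_project" "this" {
  project_id = local.project_id
}

# Customer-managed encryption key (CMEK). Because the key is ours, the rotation
# schedule is ours too: here every 90 days, expressed in seconds.
resource "google_kms_key_ring" "secrets" {
  name     = "secret-manager-${local.env}"
  location = local.location
}

resource "google_kms_crypto_key" "secrets" {
  name            = "secret-wrapping-key"
  key_ring        = google_kms_key_ring.secrets.id
  rotation_period = "7776000s" # 90 days, under our control
}

# Secret Manager's service agent must be allowed to wrap/unwrap with the key,
# otherwise secret creation with CMEK fails.
resource "google_kms_crypto_key_iam_member" "secret_manager_agent" {
  crypto_key_id = google_kms_crypto_key.secrets.id
  role          = "roles/cloudkms.cryptoKeyEncrypterDecrypter"
  member        = "serviceAccount:service-${data.google_project.this.number}@gcp-sa-secretmanager.iam.gserviceaccount.com"
}

# A secret whose versions are encrypted with the CMEK above. User-managed
# replication is required when a CMEK is specified per replica.
resource "google_secret_manager_secret" "db_password" {
  secret_id = "db-password" # hypothetical secret name

  replication {
    user_managed {
      replicas {
        location = local.location
        customer_managed_encryption {
          kms_key_name = google_kms_crypto_key.secrets.id
        }
      }
    }
  }

  depends_on = [google_kms_crypto_key_iam_member.secret_manager_agent]
}

# Secret-level IAM binding: this grants read access to one secret only, unlike a
# project-level roles/secretmanager.secretAccessor grant, which would cover every
# secret in the project.
resource "google_secret_manager_secret_iam_member" "db_password_reader" {
  project   = local.project_id
  secret_id = google_secret_manager_secret.db_password.secret_id
  role      = "roles/secretmanager.secretAccessor"
  member    = "serviceAccount:payments-app@${local.project_id}.iam.gserviceaccount.com" # hypothetical workload SA
}
```

The configuration assumes the Secret Manager and Cloud KMS APIs are already enabled in the project. The trade-off the thread argues about is visible in the last two resources: secret-level bindings give the finest-grained access but mean one binding per secret per principal to manage, while a project-level binding is one line but exposes every secret in the project to that principal. Separating environments by project keeps a mistaken project-level grant in Non-Production from ever reaching a Production secret.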

Re: Professional Cloud Security Engineer topic 1 question 103

Correct. Ans A.
Provide granular access to secrets: 2. Enforce access control to secrets using project-level Identity and Access Management (IAM) bindings.
Give you control over the rotation schedules for the encryption keys that wrap your secrets: 3. Use customer-managed encryption keys to encrypt secrets.
Maintain environment separation: 1. Use separate Google Cloud projects to store Production and Non-Production secrets.

Re: Professional Cloud Security Engineer topic 1 question 103

It is possible to grant IAM bindings at the secret level, which is more granular than project-level, but considering that it is necessary to manage the encryption key life-cycle, the answer is A because C does not allow that.

Re: Professional Cloud Security Engineer topic 1 question 103

Yes, A is right.

Re: Professional Cloud Security Engineer topic 1 question 103

None of the answers are correct, here is why:

✑ Provide granular access to secrets => 2. Enforce access control to secrets using secret-level (and not project-level)
✑ Give you control over the rotation schedules for the encryption keys that wrap your secrets => 3. Use customer-managed encryption keys to encrypt secrets.
✑ Maintain environment separation =>  1. Use separate Google Cloud projects to store Production and Non-Production secrets
✑ Provide ease of management =>  3. Use Google-managed encryption keys to encrypt secrets. (could be in contradiction with Give you control over the rotation schedules….)

It should be an E answer:

E. 1. Use separate Google Cloud projects to store Production and Non-Production secrets. 2. Enforce access control to secrets using secret-level Identity and Access Management (IAM) bindings. 3. Use customer-managed encryption keys to encrypt secrets.

Re: Professional Cloud Security Engineer topic 1 question 103

That's Answer A....

Re: Professional Cloud Security Engineer topic 1 question 103

I think C is correct.
Granular secret management, separate projects, and key management left to Google.

Re: Professional Cloud Security Engineer topic 1 question 103

For me this is answer C.
It provides granular access control at the secret level. Option A provides project-level IAM bindings and not secret level.
While it uses Google-managed keys (offering less control over rotation), it simplifies management and still maintains a good security posture.
It maintains environment separation by using different projects for Production and Non-Production.
Balances between ease of management and security, though slightly more complex due to separate projects.

Re: Professional Cloud Security Engineer topic 1 question 103

I think the same.

Re: Professional Cloud Security Engineer topic 1 question 103

A. 1. Use separate Google Cloud projects to store Production and Non-Production secrets. 2. Enforce access control to secrets using project-level Identity and Access Management (IAM) bindings. 3. Use customer-managed encryption keys to encrypt secrets.