Your application artifacts are being built and deployed via a CI/CD pipeline. You want the CI/CD pipeline to securely access application secrets. You also want to more easily rotate secrets in case of a security breach. What should you do?
A. Prompt developers for secrets at build time. Instruct developers to not store secrets at rest.
B. Store secrets in a separate configuration file on Git. Provide select developers with access to the configuration file.
C. Store secrets in Cloud Storage encrypted with a key from Cloud KMS. Provide the CI/CD pipeline with access to Cloud KMS via IAM.
D. Encrypt the secrets and store them in the source code repository. Store a decryption key in a separate repository and grant your pipeline access to it.
Disclaimer
This is a practice question. There is no guarantee that this question will appear in the certification exam.
Answer
C
Explanation
A. Prompt developers for secrets at build time. Instruct developers to not store secrets at rest.
(This approach is not recommended because it requires developers to manually enter secrets at build time, which is not only time-consuming but also error-prone. Additionally, storing secrets in plain text, even temporarily, increases the risk of a security breach.)
B. Store secrets in a separate configuration file on Git. Provide select developers with access to the configuration file.
(This approach is slightly better than Option A, as it centralizes the storage of secrets in a separate configuration file that can be securely managed using Git. However, it still requires granting access to the configuration file to select developers, which increases the risk of a security breach if access is not properly managed.)
C. Store secrets in Cloud Storage encrypted with a key from Cloud KMS. Provide the CI/CD pipeline with access to Cloud KMS via IAM.
(The best option for securing application secrets while making it easier to rotate them in case of a security breach would be C.
By storing secrets in Cloud Storage, you can take advantage of the security features provided by the platform and encrypt them using Cloud KMS, a GCP service that allows you to create, manage, and use encryption keys. This way you can control who has access to the secrets, and you can easily rotate the encryption keys in case of a security breach. Additionally, you can use IAM to give the CI/CD pipeline the necessary permissions to access the secrets and use them during the deployment process, without the need to store them in the source code or give access to them to specific developers.)
D. Encrypt the secrets and store them in the source code repository. Store a decryption key in a separate repository and grant your pipeline access to it.
(This approach is not recommended because storing secrets in the source code repository, even if they are encrypted, increases the risk of a security breach. Additionally, storing the decryption key in a separate repository does not add much value in terms of security, as it still requires granting access to the decryption key to the CI/CD pipeline.)
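The following sketch shows how option C can be wired up with the `gcloud` CLI; it is an added example, not part of the original question or of any official answer material. The key ring, key, bucket and service-account names are placeholder assumptions, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: option C with gcloud. Every name below is a placeholder
# (assumption), not a value from the page; override via environment.
LOCATION="${LOCATION:-global}"
KEYRING="${KEYRING:-ci-secrets}"
KEY="${KEY:-app-secrets-key}"
BUCKET="${BUCKET:-example-ci-secrets}"
PIPELINE_SA="${PIPELINE_SA:-ci-pipeline@example-project.iam.gserviceaccount.com}"

# Admin, once: create the key ring and a symmetric encryption key.
create_key() {
  gcloud kms keyrings create "$KEYRING" --location="$LOCATION" &&
  gcloud kms keys create "$KEY" --keyring="$KEYRING" \
    --location="$LOCATION" --purpose=encryption
}

# Admin, once: the pipeline may decrypt with this one key and read objects
# in this one bucket. It gets no encrypt, key-admin or object-write role.
grant_pipeline() {
  gcloud kms keys add-iam-policy-binding "$KEY" --keyring="$KEYRING" \
    --location="$LOCATION" --member="serviceAccount:$PIPELINE_SA" \
    --role=roles/cloudkms.cryptoKeyDecrypter &&
  gcloud storage buckets add-iam-policy-binding "gs://$BUCKET" \
    --member="serviceAccount:$PIPELINE_SA" --role=roles/storage.objectViewer
}

# Secret owner: encrypt stdin and upload only the ciphertext. Running this
# again with a new value is how a secret is rotated (object is overwritten).
put_secret() {  # usage: printf '%s' "$value" | put_secret NAME
  gcloud kms encrypt --keyring="$KEYRING" --key="$KEY" --location="$LOCATION" \
    --plaintext-file=- --ciphertext-file=- |
  gcloud storage cp - "gs://$BUCKET/$1.enc"
}

# Pipeline step: fetch ciphertext and decrypt to stdout. Capture the output
# in a variable or pipe it onward; do not echo it into the build log.
get_secret() {  # usage: DB_PASSWORD="$(get_secret db-password)"
  gcloud storage cat "gs://$BUCKET/$1.enc" |
  gcloud kms decrypt --keyring="$KEYRING" --key="$KEY" --location="$LOCATION" \
    --ciphertext-file=- --plaintext-file=-
}

# Admin, after a suspected key compromise: make a new primary key version.
# Existing objects still decrypt with the old version; re-run put_secret
# to re-encrypt them under the new one.
rotate_key() {
  gcloud kms keys versions create --key="$KEY" --keyring="$KEYRING" \
    --location="$LOCATION" --primary
}
```

Source the file in an authenticated shell and call the functions by name; nothing runs at load time.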