Google Cloud Professional DevOps Engineer Q28


Your application artifacts are being built and deployed via a CI/CD pipeline. You want the CI/CD pipeline to securely access application secrets. You also want to more easily rotate secrets in case of a security breach. What should you do?

A. Prompt developers for secrets at build time. Instruct developers to not store secrets at rest.

B. Store secrets in a separate configuration file on Git. Provide select developers with access to the configuration file.

C. Store secrets in Cloud Storage encrypted with a key from Cloud KMS. Provide the CI/CD pipeline with access to Cloud KMS via IAM.

D. Encrypt the secrets and store them in the source code repository. Store a decryption key in a separate repository and grant your pipeline access to it.

Disclaimer

This is a practice question. There is no guarantee that this question will appear in the certification exam.

Answer

C

Explanation

A. Prompt developers for secrets at build time. Instruct developers to not store secrets at rest.
(This approach is not recommended because it requires developers to manually enter secrets at build time, which is not only time-consuming but also error-prone. Additionally, storing secrets in plain text, even temporarily, increases the risk of a security breach.)

B. Store secrets in a separate configuration file on Git. Provide select developers with access to the configuration file.
(This approach is slightly better than Option A, as it centralizes the storage of secrets in a separate configuration file that can be securely managed using Git. However, it still requires granting access to the configuration file to select developers, which increases the risk of a security breach if access is not properly managed.)

C. Store secrets in Cloud Storage encrypted with a key from Cloud KMS. Provide the CI/CD pipeline with access to Cloud KMS via IAM.
(C is the best option for securing application secrets while making them easier to rotate in case of a security breach.
Storing the secrets in Cloud Storage lets you use the security features provided by the platform and encrypt them with Cloud KMS, a GCP service that allows you to create, manage, and use encryption keys. This way you control who has access to the secrets, and you can easily rotate the encryption keys in case of a security breach. Additionally, IAM gives the CI/CD pipeline the permissions it needs to access the secrets and use them during the deployment process, without storing them in the source code or giving specific developers access to them.)

D. Encrypt the secrets and store them in the source code repository. Store a decryption key in a separate repository and grant your pipeline access to it.
(This approach is not recommended because storing secrets in the source code repository, even if they are encrypted, increases the risk of a security breach. Additionally, storing the decryption key in a separate repository does not add much value in terms of security, as it still requires granting access to the decryption key to the CI/CD pipeline.)
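
Option C depends on the IAM policy of the KMS key granting decrypt access to the pipeline and to nobody else. The following check is an added example, not part of the original question: it audits a key policy in the JSON shape returned by `gcloud kms keys get-iam-policy --format=json`, and the project, service account and user names in it are hypothetical.

```python
# Predefined Cloud KMS roles that allow decrypting with a key. Basic and
# custom roles are out of scope for this example.
DECRYPT_ROLES = {
    "roles/cloudkms.cryptoKeyDecrypter",
    "roles/cloudkms.cryptoKeyEncrypterDecrypter",
}
PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}

# Constructed sample data; the project, service account and users are hypothetical.
PIPELINE_SA = "ci-pipeline@example-project.iam.gserviceaccount.com"
SAMPLE_POLICY = {
    "version": 1,
    "bindings": [
        {"role": "roles/cloudkms.cryptoKeyDecrypter",
         "members": [f"serviceAccount:{PIPELINE_SA}", "user:dev1@example.com"]},
        {"role": "roles/cloudkms.cryptoKeyEncrypterDecrypter",
         "members": ["group:developers@example.com"]},
        {"role": "roles/cloudkms.cryptoKeyEncrypter",
         "members": ["user:secrets-admin@example.com"]},
    ],
}


def audit_key_policy(policy, pipeline_sa):
    """Return sorted findings for a KMS key IAM policy (get-iam-policy JSON shape)."""
    expected = f"serviceAccount:{pipeline_sa}"
    findings = []
    pipeline_can_decrypt = False
    for binding in policy.get("bindings", []):
        role = binding.get("role", "")
        if role not in DECRYPT_ROLES:
            continue  # encrypt-only and unrelated roles cannot read the secrets
        for member in binding.get("members", []):
            if member == expected:
                pipeline_can_decrypt = True
                if role != "roles/cloudkms.cryptoKeyDecrypter":
                    findings.append(f"pipeline has broader role than needed: {role}")
            elif member in PUBLIC_MEMBERS:
                findings.append(f"public principal can decrypt: {member}")
            else:
                findings.append(f"unexpected principal can decrypt: {member} ({role})")
    if not pipeline_can_decrypt:
        findings.append(f"pipeline cannot decrypt: {expected} has no decrypt role")
    return findings if not findings else sorted(findings)


if __name__ == "__main__":
    for finding in audit_key_policy(SAMPLE_POLICY, PIPELINE_SA):
        print(finding)
```

An empty result means the pipeline service account is the only principal holding a decrypt role on the key; the same check applies to the bucket's policy for object read access.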



  • March 29, 2024