Exam Professional Cloud Security Engineer topic 1 question 103 discussion

Correct. Ans A. Provide granular access to secrets: 2.Enforce access control to secrets using project-level identity and Access Management (IAM) bindings. Give you control over the rotation schedules for the encryption keys that wrap your secrets: 3. Use customer-managed encryption keys to encrypt secrets. Maintain environment separation: 1. Use separate Google Cloud projects to store Production and Non-Production secrets.

None of the answers are correct, here is why : ✑ Provide granular access to secrets => 2. Enforce access control to secrets using secret-level (and not project-level) ✑ Give you control over the rotation schedules for the encryption keys that wrap your secrets => 3. Use customer-managed encryption keys to encrypt secrets. ✑ Maintain environment separation => 1. Use separate Google Cloud projects to store Production and Non-Production secrets ✑ Provide ease of management => 3. Use Google-managed encryption keys to encrypt secrets. (could be in contradiction with Give you control over the rotation schedules….) It should be an E answer : E. 1. Use separate Google Cloud projects to store Production and Non-Production secrets. 2. Enforce access control to secrets using secret-level identity and Access Management (IAM) bindings. 3. Use customer-managed encryption keys to encrypt secrets.

Agree with Medofree's comment, there is no right answer here. However, option C looks like the closest due the granular access to secrets requirement and the ease of management requirement . Option A would grant identities access to all the secrets in the project, you might be able use other settings with project level IAM bindings to achieve it, but it won't be easy to manage.

It's C, right? Answer A doesn't provide granular access. C still provides control over rotation, verify for yourself: Go to GCP Console -> Secrets Manager -> Create Secret -> Select Google Managed Encryption Key -> Enable "Set rotation period" and you will see the options

I think C is correct. Secrets granular management, separate projects and keys managements into google.

For me this is answer C. It provides granular access control at the secret level. Option A provides project-level IAM bindings and not secret level. While it uses Google-managed keys (offering less control over rotation), it simplifies management and still maintains a good security posture. It maintains environment separation by using different projects for Production and Non-Production. Balances between ease of management and security, though slightly more complex due to separate projects.

A. 1. Use separate Google Cloud projects to store Production and Non-Production secrets. 2. Enforce access control to secrets using project-level identity and Access Management (IAM) bindings. 3. Use customer-managed encryption keys to encrypt secrets.