Google Cloud Professional Cloud Security Engineer Practice Exam

What is the best method to securely store plain text secrets in Google Cloud Platform?

• A. Use a public repository to share secrets
• B. Encrypt the secrets with a Customer-Managed Encryption Key (CMEK)
• C. Store secrets directly in source code
• D. Use Cloud SQL for secret storage

The correct answer is: Encrypt the secrets with a Customer-Managed Encryption Key (CMEK)

The best method to securely store plain text secrets in Google Cloud Platform is to encrypt the secrets with a Customer-Managed Encryption Key (CMEK). This approach enhances security by ensuring that sensitive data, such as API keys, passwords, and other confidential information, is stored in an encrypted format. Using CMEK allows organizations to have control over their encryption keys, offering an additional layer of security by enabling key rotation, auditing, and compliance with various security standards. This level of control helps in managing access to secrets more effectively while safeguarding them from unauthorized access. The other methods suggested are not secure practices. Storing secrets in a public repository significantly increases the risk of exposure to unauthorized individuals, which is counterproductive to maintaining confidentiality. Putting secrets directly in source code is also a poor practice, as it leads to potential leaks when the code is shared, version-controlled, or deployed. Although Cloud SQL could be used for storing secrets, it is not inherently designed for secret management and does not provide specialized functionalities such as encryption management, access control, or auditing specifically tailored for sensitive information. Thus, using CMEK is the most secure and appropriate option for managing plain text secrets in Google Cloud Platform.