Google Cloud Professional Cloud Security Engineer Practice Exam

What is the recommended practice for rotating a user-managed Service Account key in Google Cloud?

• A. Create a new key and immediately delete the old key
• B. Change the permissions on the key instead of rotating it
• C. Use the same key across multiple services
• D. Never rotate keys to avoid downtime

The correct answer is: Create a new key and immediately delete the old key

Creating a new key and immediately deleting the old key is considered a best practice for rotating a user-managed Service Account key in Google Cloud. This approach ensures that you maintain security while minimizing the potential for downtime or service disruption. When you create a new key, you can give your applications time to switch to the new key while the old key remains active. This is particularly important in scenarios where multiple services or applications are using the key. By deleting the old key only after confirming that all services are functioning correctly with the new key, you eliminate the risk of any interruption. This method also enhances security by ensuring that keys are kept up to date. Regularly rotating keys helps to mitigate risks associated with key exposure, such as unauthorized access to your Google Cloud resources. It’s a proactive security measure that aligns with the principle of least privilege: using short-lived credentials and rotating them frequently. Other practices, like changing permissions on the key, using the same key across multiple services, or never rotating keys, do not address the importance of key security and management effectively. They fail to prioritize the necessity of having current, secure access credentials and can potentially lead to inconsistencies, vulnerabilities, and access issues.