GCP Professional Cloud Security Engineer Practice Question

A financial services company subject to PCI DSS is adopting Google Secret Manager to store API keys used by a GKE-based microservice platform. Auditors require proof that

  1. the keys are never transmitted in clear text across Google's network, and
  2. encryption at rest uses at least 256-bit strength.

Which statement accurately explains how Secret Manager meets these two requirements without any extra configuration by the platform team?

  • Secrets are protected in transit via TLS, but you must enable customer-managed encryption keys to ensure AES-256 encryption at rest.

  • By default, Secret Manager uses AES-128 for storage; to reach 256-bit strength and ensure encrypted transport you must configure mutual TLS between clients and the service.

  • Secret Manager automatically encrypts every secret with Google-managed AES-256 at rest and enforces TLS for all access requests, so both requirements are satisfied out of the box.

  • Secrets remain unencrypted on disk unless you configure a Cloud HSM-backed key; transport encryption is optional but recommended.

GCP Professional Cloud Security Engineer
Ensuring data protection