GCP Professional Cloud Security Engineer Practice Question
A multinational enterprise maintains an on-premises middleware service that must authenticate to Google Cloud Storage by using a JSON key for a Google Cloud service account. Compliance now mandates quarterly key rotation with zero downtime for the application. Which practice best satisfies Google-recommended guidance for rotating this unavoidable user-managed key while minimizing service disruption?
Create a second key for the service account, update the application to use the new key, verify access, and then delete the original key, ensuring no more than two active keys exist at any time.
Delete the current key, immediately create a replacement with the same name, and restart the application to force it to pick up the new credential.
Periodically re-encrypt the existing key with a new Cloud KMS key version to satisfy rotation requirements without generating additional service account keys.
Extend the key's expiration date to 90 days and enable OS-level credential caching so the application keeps working during the renewal window.
Google recommends having no more than two active user-managed keys per service account at any time. To rotate a key without downtime, you first create a second key, securely deploy the new key to the workload, verify successful authentication, and then delete the older key. This preserves continuous access because the application can switch to the new credential before the old one is removed. Simply deleting the existing key before deploying a replacement, or disabling the service account, would cause an outage. Re-encrypting or extending the key does not meet rotation requirements, because the underlying key material remains unchanged.
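The create, deploy, verify, delete sequence described above, written as an added shell example (not part of the original question). It assumes the gcloud CLI is already authenticated as an administrator allowed to manage the service account's keys; `deploy_key` is a hypothetical site-specific hook, and listing the bucket is an assumed stand-in for the application's own access check.

```shell
#!/usr/bin/env bash
# Added example: rotate a user-managed service account key with no gap in access.

# Hypothetical hook: replace with your own secure delivery of the key file
# to the on-premises middleware host (secret store, config management, ...).
deploy_key() { echo "deploy_key: not implemented for this site" >&2; return 1; }

# Print the IDs of the user-managed keys of service account $1, one per line.
list_user_keys() {
  gcloud iam service-accounts keys list --iam-account="$1" \
    --managed-by=user --format='value(name.basename())'
}

# Check that key file $1 can list bucket $2, without touching the caller's
# active gcloud account (the override applies only inside the subshell).
verify_access() {
  ( export CLOUDSDK_AUTH_CREDENTIAL_FILE_OVERRIDE="$1"
    gcloud storage ls "gs://$2" >/dev/null )
}

# rotate_sa_key SA_EMAIL BUCKET NEW_KEY_FILE
# Returns 0 on success, 2 if a rotation is already in flight, 3 if deployment
# failed, 4 if the new key could not be verified (old key is kept in both cases).
rotate_sa_key() {
  local sa="$1" bucket="$2" new_key_file="$3" old_keys k count=0
  old_keys="$(list_user_keys "$sa")" || return 1
  for k in $old_keys; do count=$((count + 1)); done
  if [ "$count" -gt 1 ]; then
    echo "refusing: $count user-managed keys already active" >&2
    return 2
  fi
  # 1. Create the second key; umask keeps the JSON file owner-readable only.
  ( umask 077
    gcloud iam service-accounts keys create "$new_key_file" --iam-account="$sa"
  ) || return 1
  # 2. Deliver it to the workload, 3. prove it works before removing anything.
  deploy_key "$new_key_file" || return 3
  verify_access "$new_key_file" "$bucket" || return 4
  # 4. Only now delete the key(s) that existed before this run.
  for k in $old_keys; do
    gcloud iam service-accounts keys delete "$k" --iam-account="$sa" --quiet \
      || return 1
  done
}
```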
GCP Professional Cloud Security Engineer
Configuring Access