GCP Professional Cloud Security Engineer Practice Question

A travel-tech company discovered that several Google Maps API keys were accidentally committed to a public Git repository. You are asked to redesign key management so that

  1. API keys are never stored in source code,
  2. the keys are rotated every 90 days with minimal manual effort, and
  3. unused keys are quickly identified and removed.

All workloads run on Google Kubernetes Engine and Cloud Functions. Which approach best meets all three requirements?

  • Move the keys into Kubernetes ConfigMaps managed by Config Sync and instruct developers to update the ConfigMap files and redeploy every quarter.

  • Store each API key in Secret Manager; use Cloud Scheduler to invoke a Cloud Function that calls the API Keys API to create a new key, update the Secret Manager version consumed by GKE and Cloud Functions, monitor usage, and delete the old key after cut-over.

  • Disable API key usage entirely and replace it with OAuth 2.0 access tokens while leaving the current keys active as a fallback in case of migration issues.

  • Encrypt the existing keys with Cloud KMS, commit the ciphertext to the repository, and require each service to decrypt the key at runtime; rotate by generating and committing new ciphertext versions manually.

GCP Professional Cloud Security Engineer
Securing communications and establishing boundary protection