GCP Professional Cloud Security Engineer Practice Question
Your banking platform is expanding to four Google Cloud projects, each hosting GKE clusters that communicate over a service mesh. Compliance mandates mutual TLS for all service-to-service traffic with certificates issued from an internal private PKI whose root must remain offline. Certificates must have a 24-hour lifetime and be rotated automatically. Operations insists on a managed service that offers an SLA for certificate issuance and supports API-driven automation as well as seamless CA key rotation. Which approach best meets these requirements?
Operate a self-hosted OpenSSL root CA on a Compute Engine VM, sign service CSRs in the CI/CD pipeline, and rotate keys manually on an annual schedule.
Configure Google-managed SSL certificates on an external HTTP(S) load balancer and distribute the certificates to the clusters via Secret Manager for mutual TLS.
Use Google Cloud Public Certificate Authority to issue publicly trusted certificates and push them to workloads using Workload Identity.
Provision a Certificate Authority Service Enterprise-tier CA pool with an offline root CA and subordinate issuing CAs, and automate 24-hour certificate issuance for the service mesh through CAS APIs.
Google Cloud Certificate Authority Service (CAS) is a managed private CA backed by a published 99.9% availability SLA, and a CA pool created in the Enterprise tier additionally supports revocation and tracks every certificate it issues, which a bank's compliance team will expect. The root can stay offline: a subordinate CA is created in the pool, CAS exports only its CSR, the offline root signs that CSR, and the signed chain is uploaded to activate the subordinate. The subordinate's private key never leaves CAS. End-entity certificates are requested through the REST/gRPC API, the client libraries, or gcloud, with a caller-specified validity, so a 24-hour lifetime and automatic re-issuance from the mesh are straightforward; Cloud Service Mesh (formerly Anthos Service Mesh) can use CAS as its mesh CA directly. CA key rotation is seamless because workloads request certificates from the pool rather than from a named CA: add a new subordinate to the pool, enable it, and disable the old one.

The other options each fail at least one requirement. Google-managed SSL certificates terminate TLS on an external HTTP(S) load balancer; their private keys cannot be exported, so they cannot be placed in Secret Manager or used for workload mutual TLS, and they chain to a public root, not an internal one. Google Cloud Public Certificate Authority issues publicly trusted certificates over ACME that likewise chain to a public root, with lifetimes set by the CA rather than the customer, so neither an offline internal root nor a 24-hour lifetime is possible. A self-hosted OpenSSL root on a Compute Engine VM keeps the root key online, contradicting the offline-root mandate; manual annual key rotation contradicts the automatic 24-hour rotation requirement; and a VM offers no issuance SLA. Therefore an Enterprise-tier CAS pool with an offline root and online subordinate issuing CAs is the only option that satisfies all of the compliance, automation, and availability requirements.
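The offline-root activation flow described above, written out as an added example (this is not code from the original page or from Google's documentation). The gcloud functions assume placeholder project, location, pool and CA names and need a real project to run; the openssl functions are the offline signer's half and run locally. The stand-in subordinate CSR is constructed here only so the offline steps can be exercised without CAS; in the real flow the subordinate key is generated inside CAS and only its CSR is exported.

```shell
#!/usr/bin/env bash
# Added example, not from the original page. Offline-root half of the CAS
# subordinate activation flow (openssl, runs locally) plus the gcloud calls
# around it. PROJECT, LOCATION, POOL and SUB_CA are placeholder names.
set -euo pipefail

PROJECT="${PROJECT:-example-bank-pki}"     # placeholder project ID
LOCATION="${LOCATION:-us-central1}"
POOL="${POOL:-mesh-issuing-pool}"          # placeholder CA pool name
SUB_CA="${SUB_CA:-mesh-issuing-ca-1}"      # placeholder subordinate CA name

# Minimal openssl req config so the example does not depend on a system openssl.cnf.
write_req_cnf() { printf '[req]\ndistinguished_name = dn\n[dn]\n' > "$1/req.cnf"; }

# Step 1 (online, gcloud): Enterprise-tier pool and a subordinate CA whose key
# never leaves CAS; only its CSR is exported for the offline root to sign.
cas_create_pool_and_subordinate_csr() {
  local workdir="$1"
  gcloud privateca pools create "$POOL" --project "$PROJECT" --location "$LOCATION" --tier enterprise
  gcloud privateca subordinates create "$SUB_CA" --pool "$POOL" --project "$PROJECT" \
    --location "$LOCATION" --subject "CN=Mesh Issuing CA,O=Example Bank" \
    --key-algorithm ec-p256-sha256 --create-csr --csr-output-file "$workdir/sub.csr"
}

# Step 2 (offline): create the root on the air-gapped signer. Its key stays there.
offline_root_create() {
  local workdir="$1"
  write_req_cnf "$workdir"
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\nsubjectKeyIdentifier=hash\n' \
    > "$workdir/root_ext.cnf"
  openssl ecparam -name prime256v1 -genkey -noout -out "$workdir/root.key"
  openssl req -new -config "$workdir/req.cnf" -key "$workdir/root.key" \
    -subj "/CN=Example Bank Root CA/O=Example Bank" -out "$workdir/root.csr"
  openssl x509 -req -in "$workdir/root.csr" -signkey "$workdir/root.key" -days 3650 -sha256 \
    -extfile "$workdir/root_ext.cnf" -out "$workdir/root.pem"
}

# Step 3 (offline): sign the subordinate CSR as a CA that may only issue leaf
# certificates (pathlen:0), then build the chain CAS needs for activation.
offline_root_sign_subordinate() {
  local workdir="$1"
  printf 'basicConstraints=critical,CA:TRUE,pathlen:0\nkeyUsage=critical,keyCertSign,cRLSign\nsubjectKeyIdentifier=hash\nauthorityKeyIdentifier=keyid\n' \
    > "$workdir/sub_ext.cnf"
  openssl x509 -req -in "$workdir/sub.csr" -CA "$workdir/root.pem" -CAkey "$workdir/root.key" \
    -CAcreateserial -days 1825 -sha256 -extfile "$workdir/sub_ext.cnf" -out "$workdir/sub.pem"
  cat "$workdir/sub.pem" "$workdir/root.pem" > "$workdir/chain.pem"
}

# Sanity check before uploading: the chain verifies against the root and the
# subordinate really carries the pathlen cap. Returns 0 on success.
verify_subordinate() {
  local workdir="$1" text
  openssl verify -CAfile "$workdir/root.pem" "$workdir/sub.pem" > /dev/null || return 1
  text=$(openssl x509 -in "$workdir/sub.pem" -noout -text)
  case "$text" in *"pathlen:0"*) return 0 ;; esac
  return 1
}

# Step 4 (online, gcloud): activate the subordinate with the signed chain, enable
# it, then issue a 24-hour workload certificate from the pool (ISO 8601 P1D).
cas_activate_and_issue_24h() {
  local workdir="$1" cert_id="$2" workload_csr="$3"
  gcloud privateca subordinates activate "$SUB_CA" --pool "$POOL" --project "$PROJECT" \
    --location "$LOCATION" --pem-chain "$workdir/chain.pem"
  gcloud privateca subordinates enable "$SUB_CA" --pool "$POOL" --project "$PROJECT" --location "$LOCATION"
  gcloud privateca certificates create "$cert_id" --issuer-pool "$POOL" --issuer-location "$LOCATION" \
    --project "$PROJECT" --csr "$workload_csr" --validity "P1D" --cert-output-file "$workdir/$cert_id.pem"
}

# Constructed stand-in for the CSR that step 1 would export from CAS, so steps 2
# and 3 can be run without a Google Cloud project. In the real flow the
# subordinate key is generated inside CAS and never exists on disk.
make_stand_in_subordinate_csr() {
  local workdir="$1"
  write_req_cnf "$workdir"
  openssl ecparam -name prime256v1 -genkey -noout -out "$workdir/sub-standin.key"
  openssl req -new -config "$workdir/req.cnf" -key "$workdir/sub-standin.key" \
    -subj "/CN=Mesh Issuing CA/O=Example Bank" -out "$workdir/sub.csr"
}
```

In production the order is step 1 on a workstation with CAS permissions, steps 2 and 3 on the offline signer with the CSR carried across on removable media, and step 4 back online. Rotation later means repeating steps 1, 3 and the activate/enable part of step 4 for a new subordinate in the same pool and then disabling the old one; workloads keep requesting from the pool and notice nothing.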
Exam domain: Securing communications and establishing boundary protection