GCP Professional Cloud Security Engineer Practice Question
Your team is moving a finance app to Google Cloud. The database will use Cloud SQL for PostgreSQL and holds sensitive PII. Requirements: 1) no public internet reachability, 2) only workloads inside the production VPC may connect, 3) developers must not handle database passwords or client SSL certs; authentication must rely on the workload's IAM identity. The app runs on a private GKE cluster in the same project. Which solution meets all requirements with minimal operations effort?
Create a private-IP-only Cloud SQL instance, define a database user and password, store the password in Kubernetes secrets, and have pods connect directly to the instance's private address over the VPC network.
Provision the Cloud SQL instance without a public IP, enable private-IP connectivity, turn on Cloud SQL IAM database authentication, deploy a Cloud SQL Auth Proxy sidecar in each GKE pod that uses Workload Identity, and grant the pod's service account the cloudsql.instanceUser role on the instance.
Create the Cloud SQL instance with a private IP, disable its public IP, expose it to the cluster through a Serverless VPC Access connector, and require SSL client certificates distributed via ConfigMaps for authentication.
Create the Cloud SQL instance with only a public IP, restrict access to the cluster's node CIDR ranges through authorized networks, enforce SSL client certificates, and store the database password in Secret Manager for the pods.
The combination that satisfies every requirement is to provision the Cloud SQL instance with only a private IP, and then use the Cloud SQL Auth Proxy together with Cloud SQL IAM database authentication. A private-IP-only instance is reachable exclusively from resources in the same VPC (or a peered VPC), eliminating any public exposure. When the proxy runs as a sidecar in each GKE pod and obtains credentials through Workload Identity, the connection stays inside the VPC and is authorized through IAM, so no database passwords or client SSL certificates need to be created or distributed. Granting the service account the cloudsql.instanceUser (or a more restrictive custom) role allows the proxy to obtain the ephemeral tokens required for IAM database authentication.
The other options break at least one constraint: using a public IP violates the first requirement, using static database passwords or client certificates violates the third, and Serverless VPC Access is unnecessary for GKE and still requires credential distribution when SSL certificates are used.
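To make the chosen design concrete, here is an added example (not from the question page) of the GKE manifests that implement it: a Kubernetes ServiceAccount bound to a Google service account through Workload Identity, and a Deployment whose pod carries the Cloud SQL Auth Proxy as a sidecar started with `--private-ip` and `--auto-iam-authn`. All project, namespace, image and instance names are placeholders. It assumes the instance was already created without a public IP and with the `cloudsql.iam_authentication=on` flag, and that an IAM database user exists for the Google service account. One practical point the question glosses over: besides `roles/cloudsql.instanceUser` (which grants the IAM login), the proxy itself also needs `roles/cloudsql.client` to open the connection, so the Google service account should hold both.

```yaml
# Added example, not part of the original question. Placeholders:
# PROJECT_ID, REGION, the instance name "finance-db", and the service
# account names. Assumed prerequisites (done separately with gcloud):
#   - Cloud SQL for PostgreSQL instance with a private IP only and the
#     database flag cloudsql.iam_authentication=on.
#   - Google SA app-gsa@PROJECT_ID.iam.gserviceaccount.com granted
#     roles/cloudsql.instanceUser (IAM DB login) and roles/cloudsql.client
#     (required by the proxy to connect to the instance).
#   - An IAM database user for that Google SA; in PostgreSQL its username is
#     the email with the ".gserviceaccount.com" suffix removed.
#   - Workload Identity enabled on the cluster, with the Kubernetes SA below
#     granted roles/iam.workloadIdentityUser on the Google SA.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: finance-app-ksa
  namespace: prod
  annotations:
    # Workload Identity mapping: the proxy obtains short-lived credentials
    # from the GKE metadata server, so no key file, password or client
    # certificate is ever mounted into the pod.
    iam.gke.io/gcp-service-account: app-gsa@PROJECT_ID.iam.gserviceaccount.com
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: finance-app
  namespace: prod
spec:
  replicas: 2
  selector:
    matchLabels:
      app: finance-app
  template:
    metadata:
      labels:
        app: finance-app
    spec:
      serviceAccountName: finance-app-ksa
      containers:
        - name: app
          image: REGION-docker.pkg.dev/PROJECT_ID/finance/app:1.0.0  # placeholder image
          env:
            # The app connects to the local proxy over loopback; the proxy
            # owns the TLS session to Cloud SQL, so the app handles no certs.
            - name: DB_HOST
              value: "127.0.0.1"
            - name: DB_PORT
              value: "5432"
            - name: DB_NAME
              value: "finance"
            # IAM database username: Google SA email without
            # ".gserviceaccount.com". Note there is no DB_PASSWORD at all.
            - name: DB_USER
              value: "app-gsa@PROJECT_ID.iam"
        - name: cloud-sql-proxy
          image: gcr.io/cloud-sql-connectors/cloud-sql-proxy:2.8.0  # pin to a current v2 release
          args:
            - "--private-ip"      # only use the instance's VPC address
            - "--auto-iam-authn"  # pass an OAuth2 token as the DB password
            - "--port=5432"
            - "PROJECT_ID:REGION:finance-db"  # instance connection name (placeholder)
          securityContext:
            runAsNonRoot: true
            allowPrivilegeEscalation: false
            capabilities:
              drop: ["ALL"]
          resources:
            requests:
              cpu: "100m"
              memory: "128Mi"
```

Because the proxy listens on 127.0.0.1 inside the pod's network namespace, only containers in that pod can reach it, and the only material a developer ever sees is the loopback address and the IAM username; rotating or revoking access becomes an IAM policy change rather than a secret rotation.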