ISC2 Certified Cloud Security Professional (CCSP) Practice Question
A SaaS provider is migrating its multi-tenant application to containers running in a managed Kubernetes service. Each tenant database requires a unique password that must be injected into the application pods at startup and automatically rotated every 30 days. Operational staff must not see the clear-text passwords, and the security team wants an auditable way to limit which microservices can read them. Which approach BEST meets these requirements?
Store each password in the cloud provider's managed secrets manager, grant the workload's Kubernetes service account permission to retrieve it at run time, and enable built-in 30-day rotation.
Save the passwords as Kubernetes Secret objects and reference them in pod environment variables; schedule a cron job to update the objects every month.
Add the passwords directly to the deployment YAML as environment variables and protect the Git repository with strict branch controls.
Bake the passwords into the container images during the CI/CD build so they are available locally when pods start.
Using the cloud-native secrets management service satisfies every stated requirement. The secrets are stored encrypted at rest, can be configured for automatic rotation on a schedule, and are retrieved by the application at run time through short-lived API calls authenticated with the cluster's IAM role. Access is policy-controlled and fully logged, so only the designated microservices can read the passwords and administrators never handle them directly.
Storing base64-encoded Kubernetes Secrets leaves the data only weakly obfuscated and requires external tooling for rotation and auditing. Embedding passwords in container images or environment variables in the deployment YAML stores them in plaintext in container registries or manifests, exposes them to anyone with read access, and provides no automated rotation or access logging.
ISC2 Certified Cloud Security Professional (CCSP)
Cloud Application Security