Answer-first summary for fast verification
Answer: Grant the roles/secretmanager.secretAccessor role to the Compute Engine service account. Store and access the database credentials with the Secret Manager API.
HipLocal's credentials are stored in plain text on persistent disks, posing a security risk. The best solution is to use Google Cloud Secret Manager to securely store and manage secrets. Option D addresses this by granting the Compute Engine service account the `roles/secretmanager.secretAccessor` role, allowing it to securely retrieve database credentials via the Secret Manager API. This eliminates the need to store credentials on disks. Other options involve service account keys (A/B), which are long-lived and risky, or Cloud SQL Proxy (C), which is irrelevant here as the database is self-managed (not Cloud SQL).
Author: LeetQuiz Editorial Team
Ultimate access to all questions.
For the HipLocal case study, a security audit reveals that database credentials for their Compute Engine-hosted MySQL databases are stored in plain text on persistent disks. To mitigate the risk of credential theft, what action should HipLocal take?
Corrections/Clarifications:
A
Create a service account and download its key. Use the key to authenticate to Cloud Key Management Service (KMS) to obtain the database credentials.
B
Create a service account and download its key. Use the key to authenticate to Cloud Key Management Service (KMS) to obtain a key used to decrypt the database credentials.
C
Create a service account and grant it the roles/iam.serviceAccountUser role. Impersonate as this account and authenticate using the Cloud SQL Proxy.
D
Grant the roles/secretmanager.secretAccessor role to the Compute Engine service account. Store and access the database credentials with the Secret Manager API.
No comments yet.