Answer-first summary for fast verification
Answer: Store secrets in Cloud Storage encrypted with a key from Cloud KMS. Provide the CI/CD pipeline with access to Cloud KMS via IAM.
To securely access application secrets and facilitate easy rotation in case of a security breach, the best practice is to use a dedicated secrets management solution. Option C suggests storing secrets in Cloud Storage encrypted with a key from Cloud KMS and providing the CI/CD pipeline with access to Cloud KMS via IAM. This approach leverages Google Cloud's built-in security features for encryption and access control, ensuring that secrets are securely stored and accessed. It also simplifies the rotation of secrets by allowing you to manage keys and access permissions centrally through Cloud KMS and IAM. Options A and B are less secure because they rely on manual processes or storing secrets in accessible locations, which can lead to security vulnerabilities. Option D, while it involves encryption, complicates the process by splitting the secret and key across different repositories, which can lead to management challenges and potential security gaps.
Author: LeetQuiz Editorial Team
Ultimate access to all questions.
How can you securely access application secrets in your CI/CD pipeline while enabling easier secret rotation in the event of a security breach?
A
Prompt developers for secrets at build time. Instruct developers to not store secrets at rest.
B
Store secrets in a separate configuration file on Git. Provide select developers with access to the configuration file.
C
Store secrets in Cloud Storage encrypted with a key from Cloud KMS. Provide the CI/CD pipeline with access to Cloud KMS via IAM.
D
Encrypt the secrets and store them in the source code repository. Store a decryption key in a separate repository and grant your pipeline access to it.
No comments yet.