
Answer-first summary for fast verification
Answer: Use Sensitive Data Protection to scan the environment variables multiple times per day, and create a finding in Security Command Center if secrets are discovered.
Option C is the optimal choice because it directly addresses the requirement to detect secrets in Cloud Functions environment variables in a timely manner. Google Cloud's Sensitive Data Protection service is specifically designed for this purpose: it can automatically scan environment variables multiple times per day and create findings in Security Command Center when secrets are detected. This provides continuous monitoring and automated alerting.

Option A (peer reviews) is manual and not timely enough. Option B (custom Cloud Function) is less efficient than using the dedicated service. Option D (DAST in CI/CD) focuses on code scanning during development but doesn't provide ongoing monitoring of deployed functions' environment variables, which is what the question specifically asks for.

The community discussion shows strong consensus for C with detailed reasoning about how Sensitive Data Protection works for this exact use case.
Author: LeetQuiz Editorial Team
You are responsible for managing a set of Cloud Functions in your organization's Google Cloud environment. A recent security audit found that secrets were stored in the environment variables of some functions. You need to implement a solution to detect secrets in a timely manner. What should you do?
A. Implement regular peer reviews to assess the environment variables and identify secrets in your Cloud Functions. Raise a security incident if secrets are discovered.
B. Implement a Cloud Function that scans the environment variables multiple times a day, and creates a finding in Security Command Center if secrets are discovered.
C. Use Sensitive Data Protection to scan the environment variables multiple times per day, and create a finding in Security Command Center if secrets are discovered.
D. Integrate dynamic application security testing into the CI/CD pipeline that scans the application code for the Cloud Functions. Fail the build process if secrets are discovered.