
Your organization is integrating with a partner application that needs read access to a Cloud Storage bucket containing customer data to process orders. You have decided that using service account keys is necessary. How should you advise the partner to minimize the risk of data loss if a service account key is compromised?
A. Scan the Cloud Storage bucket with Sensitive Data Protection when new data is added, and automatically mask all customer data.
B. Define a VPC Service Controls perimeter, and restrict the Cloud Storage API. Add an ingress rule to the perimeter to allow access to the Cloud Storage API for the service account from outside of the perimeter.
C. Ensure that all data for the application that is accessed through the relevant service accounts is encrypted at rest by using customer-managed encryption keys (CMEK).
D. Implement a secret management service. Configure the service to frequently rotate the service account key. Configure proper access control to the key, and restrict who can create service account keys.