
Answer-first summary for fast verification
Answer: Implement a secret management service. Configure the service to frequently rotate the service account key. Configure proper access control to the key, and restrict who can create service account keys.
The question focuses on minimizing risk from compromised service account keys, which are long-lived credentials that can be stolen and reused from anywhere. Option D directly addresses this by implementing secret management with frequent key rotation and strict access controls: rotation shortens the window in which a leaked key remains valid, and restricting who can create keys limits how many such credentials exist in the first place. This aligns with Google Cloud best practices for service account key security. Option A (data scanning and masking) changes the stored data but does nothing to reduce the risk of a compromised key. Option B (VPC Service Controls) restricts where the API can be reached from, but the ingress rule in the option explicitly allows the service account from outside the perimeter, so a stolen key still works. Option C (CMEK) protects data at rest, but a caller authenticating with the compromised key reads the data through Cloud Storage, which decrypts it transparently, so the authentication risk is untouched. The community discussion shows 100% consensus on D, confirming it as the optimal choice.
Author: LeetQuiz Editorial Team
Your organization is integrating with a partner application that needs read access to a Cloud Storage bucket containing customer data to process orders. You have decided that using service account keys is necessary. How should you advise the partner to minimize the risk of data loss if a service account key is compromised?
A
Scan the Cloud Storage bucket with Sensitive Data Protection when new data is added, and automatically mask all customer data.
B
Define a VPC Service Controls perimeter, and restrict the Cloud Storage API. Add an ingress rule to the perimeter to allow access to the Cloud Storage API for the service account from outside of the perimeter.
C
Ensure that all data for the application that is accessed through the relevant service accounts is encrypted at rest by using customer-managed encryption keys (CMEK).
D
Implement a secret management service. Configure the service to frequently rotate the service account key. Configure proper access control to the key, and restrict who can create service account keys.