Securely Store Secrets on Google Cloud Platform
Question
A customer needs an alternative to storing their plain text secrets in their source-code management (SCM) system.
How should the customer achieve this using Google Cloud Platform?
Answers
Explanations
Click on the arrows to vote for the correct answer
A. B. C. D.B.
The best approach for storing secrets, such as passwords or API keys, is to avoid storing them in plain text in the source code management (SCM) system. This is because if the SCM is breached, the secrets could be exposed to attackers. Instead, a more secure approach is to use a secrets management service or tool that provides secure storage and access to the secrets.
Out of the given options, option B is the most suitable solution. Encrypting the secrets with a Customer-Managed Encryption Key (CMEK) ensures that the secrets are stored in an encrypted format. Cloud Storage provides secure and durable storage for objects, and using CMEK with Cloud Storage ensures that the secrets are encrypted at rest. The customer can then control access to the secrets by granting appropriate IAM permissions to users and services that need to access them.
Option A suggests storing secrets in Cloud SQL, but this is not recommended as storing secrets in a relational database can be risky, especially if the database is breached. Option C suggests using the Cloud Data Loss Prevention API to scan the secrets, but this would only identify sensitive data and not provide a secure storage solution. Option D suggests deploying the SCM to a Compute Engine VM, but this would not provide a secure storage solution for the secrets.
In summary, the most appropriate solution for storing secrets securely on Google Cloud Platform is to encrypt the secrets with a Customer-Managed Encryption Key (CMEK) and store them in Cloud Storage.
