Professional-Cloud-Security-Engineer Sample Questions Answers

Configuring and monitoring VPC Flow Logs

Defending against XSS and SQLi attacks

Manage the latest updates and security patches for the Guest OS

Encrypting all stored data

Encrypt non-sensitive data and sensitive data with Cloud External Key Manager.

Encrypt non-sensitive data and sensitive data with Cloud Key Management Service

Encrypt non-sensitive data with Google default encryption, and encrypt sensitive data with Cloud External Key Manager.

Encrypt non-sensitive data with Google default encryption, and encrypt sensitive data with Cloud Key Management Service.

Container Threat Detection

Web Security Scanner

Rapid Vulnerability Detection

Virtual Machine Threat Detection

Use Google Cloud Directory Sync to convert the unmanaged user accounts.

Create a new managed user account for each consumer user account.

Use the transfer tool for unmanaged user accounts.

Configure single sign-on using a customer's third-party provider.

Enable Private Google Access on the regional subnets and global dynamic routing mode.

Set up a Private Service Connect endpoint IP address with the API bundle of "all-apis", which is advertised as a route over the Cloud interconnect connection.

Use private.googleapis.com to access Google APIs using a set of IP addresses only routable from within Google Cloud, which are advertised as routes over the connection.

Use restricted googleapis.com to access Google APIs using a set of IP addresses only routable from within Google Cloud, which are advertised as routes over the Cloud Interconnect connection.

Upload the encryption key to a Cloud Storage bucket, and then upload the object to the same bucket.

Use the gsutil command line tool to upload the object to Cloud Storage, and specify the location of the encryption key.

Generate an encryption key in the Google Cloud Platform Console, and upload an object to Cloud Storage using the specified key.

Encrypt the object, then use the gsutil command line tool or the Google Cloud Platform Console to upload the object to Cloud Storage.

Enable domain restricted sharing in an organization policy, and enable uniform bucket-level access on the Cloud Storage bucket.

Enable VPC Service Controls, create a perimeter around Projects A and B. and include the Cloud Storage API in the Service Perimeter configuration.

Enable Private Access in both Project A and B's networks with strict firewall rules that allow communication between the networks.

Enable VPC Peering between Project A and B's networks with strict firewall rules that allow communication between the networks.

Enable Private Access on the VPC network in the production project.

Remove the Editor role and grant the Compute Admin IAM role to the engineers.

Set up an organization policy to only permit public IPs for the front-end Compute Engine instances.

Set up a VPC network with two subnets: one with public IPs and one without public IPs.

•1 Update the perimeter

•2 Configure the egressTo field to set identity Type toany_identity.

•3 Configure the egressFrom field to include the external Google Cloud project number as an allowed resource and the serviceName to compute. googleapis. com.

* Allow the external project by using the organizational policy

constraints/compute.trustedlmageProjects.

•1 Update the perimeter

•2 Configure the egressTo field to include the external Google Cloud project number as an allowed resource and the serviceName to compute. googleapis. com.

•3 Configure the egressFrom field to set identity Type toany_idestity.

•1 Update the perimeter

•2 Configure the ingressFrcm field to set identityType toan-y_identity.

•3 Configure the ingressTo field to include the external Google Cloud project number as an allowed resource and the serviceName to compute.googleapis -com.

Deploy a Cloud NAT Gateway in the service project for the MIG.

Deploy a Cloud NAT Gateway in the host (VPC) project for the MIG.

Deploy an external HTTP(S) load balancer in the service project with the MIG as a backend.

Deploy an external HTTP(S) load balancer in the host (VPC) project with the MIG as a backend.

Cloud IDS

VPC Service Controls logs

VPC Flow Logs

Google Cloud Armor

Packet Mirroring

Create a Cloud Build pipeline that will monitor changes to your container templates in a Cloud Source Repositories repository. Add a step to analyze Container Analysis results before allowing the build to continue.

Use a Cloud Function triggered by log events in Google Cloud's operations suite to automatically scan your container images in Container Registry.

Use a cron job on a Compute Engine instance to scan your existing repositories for known vulnerabilities and raise an alert if a non-compliant container image is found.

Deploy Jenkins on GKE and configure a CI/CD pipeline to deploy your containers to Container Registry. Add a step to validate your container images before deploying your container to the cluster.

In your CI/CD pipeline, add an attestation on your container image when no vulnerabilities have been found. Use a Binary Authorization policy to block deployments of containers with no attestation in your cluster.

Create a site-to-site VPN from your corporate network to Google Cloud.

Configure server instances with public IP addresses Create a firewall rule to only allow traffic from yourcorporate IPs.

Create a firewall rule to allow access from the Identity-Aware Proxy (IAP) IP range Grant the role of an IAP-secured Tunnel User to the administrators.

Create a jump host instance with public IP Manage the instances by connecting through the jump host.

Security Command Center

Firewall Rules Logging

VPC Flow Logs

Firewall Insights

Define an organization policy constraint.

Configure packet mirroring policies.

Enable VPC Flow Logs on the subnet.

Monitor and analyze Cloud Audit Logs.

•1 Use Google Shielded VM including secure boot Virtual Trusted Platform Module (vTPM) and integrity monitoring

•2 Create a Cloud Run function to check for the VM settings generate metrics and run the function regularly

•1 Activate Virtual Machine Threat Detection in Security Command Center (SCO Premium

•2 Monitor the findings in SCC

* 1 Use Google Shielded VM including secure boot Virtual Trusted Platform Module (vTPM) and integrity monitoring

•2 Activate Confidential Computing

•3 Enforce these actions by using organization policies

•1 Use secure hardened images from the Google Cloud Marketplace

•2 When deploying the images activate the Confidential Computing option

•3 Enforce the use of the correct images and Confidential Computing by using organization policies

Encrypt all cache storage and VM-to-VM communication using the BoringCrypto module.

Set Disk Encryption on the Instance Template used by the MIG to customer-managed key and use BoringSSL for all data transit between instances.

Change the app instance-to-instance communications from UDP to TCP and enable BoringSSL on clients' TLS connections.

Set Disk Encryption on the Instance Template used by the MIG to Google-managed Key and use BoringSSL library on all instance-to-instance communications.

Create a project with multiple VPC networks for each environment.

Create a folder for each development and production environment.

Create a Google Group for the Engineering team, and assign permissions at the folder level.

Create an Organizational Policy constraint for each folder environment.

Create projects for each environment, and grant IAM rights to each engineering user.

Use Cloud Key Management Service (KMS) to encrypt the PII data shared by customers before storing it for analysis.

Use Object Lifecycle Management to make sure that all chat records with PII in them are discarded and not saved for analysis.

Use the image inspection and redaction actions of the DLP API to redact PII from the images before storing them for analysis.

Use the generalization and bucketing actions of the DLP API solution to redact PII from the texts before storing them for analysis.

Organization Administrator

Project Creator

Billing Account Viewer

Billing Account Costs Manager

Billing Account User

Cloud Armor

VPC Firewall Rules

Cloud Identity and Access Management

Cloud CDN

Ensure that firewall rules are in place to meet the required controls.

Set up Cloud Armor to ensure that network security controls can be managed for G Suite.

Network security is a built-in solution and Google’s Cloud responsibility for SaaS products like G Suite.

Set up an array of Virtual Private Cloud (VPC) networks to control network security as mandated by the relevant regulation.

Use customer-managed encryption keys.

Use Google's Identity and Access Management (IAM) service to manage access controls on Google Cloud.

Enable Admin activity logs to monitor access to resources.

Enable Access Transparency logs with Access Approval requests for Google employees.

Use Cloud IAP based on IP address or end-user device attributes to prevent and fix the vulnerability.

Set up an HTTPS load balancer, and then use Cloud Armor for the production environment to prevent the potential XSS attack.

Use Web Security Scanner to validate the usage of an outdated library in the code, and then use a secured version of the included library.

Use Web Security Scanner in staging to simulate an XSS injection attack, and then use a templating system that supports contextual auto-escaping.

Route all on-premises traffic to Google Cloud through an IPsec VPN tunnel to a VPC with Private GoogleAccess enabled.

Set up VPC peering between the hosts on-premises and the VPC through the internet.

Enforce a security policy that mandates all applications to encrypt data with a Cloud Key Management.Service (KMS) key before you send it over the network.

Route all on-premises traffic to Google Cloud through a dedicated or Partner interconnect to a VPC withPrivate Google Access enabled.

Configure a rate_based_ban action by using Google Cloud Armor and set the ban_duration_secparameter to the specified time interval.

Configure a deny action by using Google Cloud Armor to deny the clients that issued too many requests overthe specified time interval.

Configure a throttle action by using Google Cloud Armor to limit the number of requests per client over aspecified time interval.

Configure a firewall rule in your VPC to throttle traffic from the identified IP addresses.

Configure Secret Manager to manage service account keys.

Enable an organization policy to disable service accounts from being created.

Enable an organization policy to prevent service account keys from being created.

Remove theiam.serviceAccounts.getAccessTokenpermission from users.

EnableBinary Authorization on the existing Kubernetes cluster.

Set the organization policy constraint constraints/run. allowedBinaryAuthorizationPolicie to

the list of allowed Binary Authorization policy names.

Set the organization policy constraint constraints/compute.trustedimageProjects to the list of

protects that contain the trusted container images.

Enable Binary Authorization on the existing Cloud Run service.

Use Cloud Run breakglass to deploy an image that meets the Binary Authorization policy by default.

1. Manage SAML profile assignments.

• 2. Enable OpenID Connect (OIDC) in your Active Directory (AD) tenant.

• 3. Verify the domain.

1. Create a new SAML profile.

• 2. Upload the X.509 certificate.

• 3. Enable the change password URL.

• 4. Configure Entity ID and ACS URL in your IdP.

1- Create a new SAML profile.

• 2. Populate the sign-in and sign-out page URLs.

• 3. Upload the X.509 certificate.

• 4. Configure Entity ID and ACS URL in your IdP

1. Configure prerequisites for OpenID Connect (OIDC) in your Active Directory (AD) tenant

• 2. Verify the AD domain.

• 3. Decide which users should use SAML.

• 4. Assign the pre-configured profile to the select organizational units (OUs) and groups.

The VM was created with a static external IP address that was reserved in the project before theorganizational policy rule was set.

The organizational policy constraint wasn't properly enforced and is running in "dry run mode.

At project level, the organizational policy control has been overwritten with an 'allow' value.

The policy constraint on the folder level does not have any effect because of an allow" value for thatconstraint on the organizational level.

Multifactor Authentication

A strict password policy

Captcha on login pages

Encrypted emails

Public IP

IP Forwarding

Private Google Access

Static routes

IAM Network User Role

Enforce 2-factor authentication in GSuite for all users.

Configure Cloud Identity-Aware Proxy for the App Engine Application.

Provision user passwords using GSuite Password Sync.

Configure Cloud VPN between your private network and GCP.

•1 Create a dedicated service account for the CI/CD pipelines

•2 Run the deployment pipelines in a dedicated nodes pool in the GKE cluster

•3 Use the service account that you created as identity for the nodes in the pool to authenticate to the Google Cloud APIs

•1 Create service accounts for each deployment pipeline

•2 Generate private keys for the service accounts

•3 Securely store the private keys as Kubernetes secrets accessible only by the pods that run the specific deploy pipeline

* 1 Create individual service accounts (or each deployment pipeline

•2 Add an identifier for the pipeline in the service account naming convention

•3 Ensure each pipeline runs on dedicated pods

•4 Use workload identity to map a deployment pipeline pod with a service account

•1 Create two service accounts one for the infrastructure and one for the application deployment

•2 Use workload identities to let the pods run the two pipelines and authenticate with the service accounts

•3 Run the infrastructure and application pipelines in separate namespaces

Use Identity and Access Management (IAM) to restrict access of all users and service accounts that have access to the production environment.

Use organization policy constraints/iam.disableServiceAccountKeyCreation boolean to disable the creation of new service accounts.

Use organization policy constraints/iam.disableServiceAccountKeyUpload boolean to disable the creation of new service accounts.

Use organization policy constraints/iam.disableServiceAccountCreation boolean to disable the creation of new service accounts.

Google Cloud Armor

Cloud NAT

Cloud Router

Cloud VPN

Set up an ACL with OWNER permission to a scope of allUsers.

Set up an ACL with READER permission to a scope of allUsers.

Set up a default bucket ACL and manage access for users using IAM.

Set up Uniform bucket-level access on the Cloud Storage bucket and manage access for users using IAM.

External Key Manager

Customer-supplied encryption keys

Hardware Security Module

Confidential Computing and Istio

Client-side encryption

Send all logs to the SIEM system via an existing protocol such as syslog.

Configure every project to export all their logs to a common BigQuery DataSet, which will be queried by the SIEM system.

Configure Organizational Log Sinks to export logs to a Cloud Pub/Sub Topic, which will be sent to the SIEM via Dataflow.

Build a connector for the SIEM to query for all logs in real time from the GCP RESTful JSON APIs.

Use Resource Manager on the organization level.

Use Forseti Security to automate inventory snapshots.

Use Stackdriver to create a dashboard across all projects.

Use Security Command Center to view all assets across the organization.

Use the Cloud SDK with their directory service to remove their IAM permissions in Cloud Identity.

Use the Cloud SDK with their directory service to provision and deprovision users from Cloud Identity.

Configure Cloud Directory Sync with their directory service to provision and deprovision users from Cloud Identity.

Configure Cloud Directory Sync with their directory service to remove their IAM permissions in Cloud Identity.

SSL Proxy

TCP Proxy

Internal TCP/UDP

TCP/UDP Network

1. Use StackDriver Logging and filter on BigQuery Insert Jobs.

2.Click on the email address in line with the App Engine Default Service Account in the authentication field.

3.Click Hide Matching Entries.

4.Make sure the resulting list is empty.

1. Use StackDriver Logging and filter on BigQuery Insert Jobs.

2.Click on the email address in line with the App Engine Default Service Account in the authentication field.

3.Click Show Matching Entries.

4.Make sure the resulting list is empty.

1. In BigQuery, select the related dataset.

2. Make sure the App Engine Default Service Account is the only account that can write to the dataset.

1. Go to the IAM section on the project.

2. Validate that the App Engine Default Service Account is the only account that has a role that can write to BigQuery.

Create a Cloud Key Management Service (KMS) key with imported key material Wrap the key for protection during import. Import the key generated on a trusted system in Cloud KMS.

Create a KMS key that is stored on a Google managed FIPS 140-2 level 3 Hardware Security Module (HSM) Manage the Identity and Access Management (IAM) permissions settings, and set up the key rotation period.

Use Cloud External Key Management (EKM) that integrates with an external Hardware Security Module

(HSM) system from supported vendors.

Use customer-supplied encryption keys (CSEK) with keys generated on trusted external systems Provide the raw CSEK as part of the API call.

Migrate the application into an isolated project using a “Lift & Shift” approach. Enable all internal TCP traffic using VPC Firewall rules. Use VPC Flow logs to determine what traffic should be allowed for the

application to work properly.

Migrate the application into an isolated project using a “Lift & Shift” approach in a custom network. Disable all traffic within the VPC and look at the Firewall logs to determine what traffic should be allowed for the application to work properly.

Refactor the application into a micro-services architecture in a GKE cluster. Disable all traffic from outside the cluster using Firewall Rules. Use VPC Flow logs to determine what traffic should be allowed for the application to work properly.

Refactor the application into a micro-services architecture hosted in Cloud Functions in an isolated project.

Disable all traffic from outside your project using Firewall Rules. Use VPC Flow logs to determine what traffic should be allowed for the application to work properly.

Encrypt the data in the Cloud Storage bucket by using Customer Managed Encryption Keys. Configure an 1AM deny policy for unauthorized groups

Encrypt the data in the Cloud Storage bucket by using Customer Managed Encryption Keys backed by a Cloud Hardware Security Module (HSM). Enable data access logs.

Generate a key in your on-premises environment and store it in a Hardware Security Module (HSM) that is managed on-premises Use this key as an external key in the Cloud Key Management Service (KMS). Activate Key Access Justifications (KAJ) and set the external key system to reject unauthorized accesses.

Generate a key in your on-premises environment to encrypt the data before you upload the data to the Cloud Storage bucket Upload the key to the Cloud Key ManagementService (KMS). Activate Key Access Justifications (KAJ) and have the external key system reject unauthorized accesses.

Build new base images when patches are available, and use a CI/CD pipeline to rebuild VMs, deploying incrementally.

Federate a Domain Controller into Compute Engine, and roll out weekly patches via Group Policy Object.

Use Deployment Manager to provision updated VMs into new serving Instance Groups (IGs).

Reboot all VMs during the weekly maintenance window and allow the StartUp Script to download the latest patches from the internet.

All load balancer types are denied in accordance with the global node’s policy.

INTERNAL_TCP_UDP, INTERNAL_HTTP_HTTPS is denied in accordance with the folder’s policy.

EXTERNAL_TCP_PROXY, EXTERNAL_SSL_PROXY are denied in accordance with the project’s policy.

EXTERNAL_TCP_PROXY, EXTERNAL_SSL_PROXY, INTERNAL_TCP_UDP, and INTERNAL_HTTP_HTTPS are denied in accordance with the folder and project’s policies.

Upload the logs to both the shared bucket and the bucket with Pll that is only accessible to the administrator. Use the Cloud Data Loss Prevention API to create a job trigger. Configure the trigger to delete any files that contain Pll from the shared bucket.

On the shared bucket, configure Object Lifecycle Management to delete objects that contain Pll.

On the shared bucket, configure a Cloud Storage trigger that is only triggered when Pll is uploaded. Use Cloud Functions to capture the trigger and delete the files that contain Pll.

Use Pub/Sub and Cloud Functions to trigger a Cloud Data Loss Prevention scan every time a file is uploaded to the administrator's bucket. If the scan does not detect Pll, have the function move the objects into the shared Cloud Storage bucket.

Configure an ingress policy for the perimeter in Project A and allow access for the service account in ProjectB to collect messages.

Create an access level that allows a developer in Project B to subscribe to the Pub/Sub topic that is locatedin Project A.

Create a perimeter bridge between Project A and Project B to allow the required communication betweenboth projects.

Remove the Pub/Sub API from the list of restricted services in the perimeter configuration for Project A.

Create an Alerting Policy in Stackdriver using a Process Health condition, checking that the number of executions of the script remains below the desired threshold. Enable notifications.

Create an Alerting Policy in Stackdriver using the CPU usage metric. Set the threshold to 80% to be notified when the CPU usage goes above this 80%.

Log every execution of the script to Stackdriver Logging. Create a User-defined metric in Stackdriver Logging on the logs, and create a Stackdriver Dashboard displaying the metric.

Log every execution of the script to Stackdriver Logging. Configure BigQuery as a log sink, and create a BigQuery scheduled query to count the number of executions in a specific timeframe.

Compute Network User Role at the host project level.

Compute Network User Role at the subnet level.

Compute Shared VPC Admin Role at the host project level.

Compute Shared VPC Admin Role at the service project level.

Add a nodeSelector field to the pod configuration to only use the Nodes labeled inscope: true.

Create a node pool with the label inscope: true and a Pod Security Policy that only allows the Pods to run on Nodes with that label.

Place a taint on the Nodes with the label inscope: true and effect NoSchedule and a toleration to match in the Pod configuration.

Run all in-scope Pods in the namespace “in-scope-pci”.

• 1- Generate Supply Chain Levels for Software Artifacts (SLSA) level 3 assurance by using Cloud Build.

• 2. View the build provenance in the Security insights side panel within the Google Cloud console.

• 1. Review the software process.

• 2. Generate private and public key pairs and use Pretty Good Privacy (PGP) protocols to sign the output software artifacts together with a file containing the address of your enterprise and point of contact.

• 3. Publish the PGP signed attestation to your public web page.

• 1, Publish the software code on GitHub as open source.

• 2. Establish a bug bounty program, and encourage the open source community to review, report, and fix the vulnerabilities.

• 1. Hire an external auditor to review and provide provenance

• 2. Define the scope and conditions.

• 3. Get support from the Security department or representative.

• 4. Publish the attestation to your public web page.

Text message or phone call code

Security key

Google Authenticator application

Google prompt

Turn off the domain restriction sharing organization policy. Set the policy value to "Allow All."

Turn off the domain restricted sharing organization policy. Provide the external partners with the required permissions using Google's Identity and Access Management (IAM) service.

Turn off the domain restricted sharing organization policy. Add each partner's Google Workspace customer ID to a Google group, add the Google group as an exception under the organization policy, and then turn the policy back on.

Turn off the domain restricted sharing organization policy. Set the policy value to "Custom." Add each external partner's Cloud Identity or Google Workspace customer ID as an exception under the organization policy, and then turn the policy back on.

Secret Manager

Cloud Key Management Service

Cloud Data Loss Prevention with cryptographic hashing

Cloud Data Loss Prevention with automatic text redaction

Cloud Data Loss Prevention with deterministic encryption using AES-SIV

Implement an Identity and Access Management (1AM) conditional policy to verify the device certificate

Implement a VPC firewall policy Activate packet inspection and create an allow rule to validate and verify the device certificate.

Implement an organization policy to verify the certificate from the access context.

Implement an Access Policy in BeyondCorp Enterprise to verify the device certificate Create an access binding with the access policy just created.

Deterministic encryption

Secure, key-based hashes

Format-preserving encryption

Cryptographic hashing

Use Cloud Pub/Sub and Cloud Functions to trigger a Data Loss Prevention scan every time a file is uploaded to the shared bucket. If the scan detects PII, have the function move into a Cloud Storage bucket only accessible by the administrator.

Upload the logs to both the shared bucket and the bucket only accessible by the administrator. Create a

job trigger using the Cloud Data Loss Prevention API. Configure the trigger to delete any files from the shared bucket that contain PII.

On the bucket shared with both the analysts and the administrator, configure Object Lifecycle Management to delete objects that contain any PII.

On the bucket shared with both the analysts and the administrator, configure a Cloud Storage Trigger that is only triggered when PII data is uploaded. Use Cloud Functions to capture the trigger and delete such files.

Mark all security findings that are irrelevant with a tag and a value that indicates a security exception Selectall marked findings and mute them on the console every time they appear Activate Security CommandCenter (SCC) Premium.

Activate Security Command Center (SCC) Premium Create a rule to mute the security findings in SCC sothey are not evaluated.

Download all findings from Security Command Center (SCC) to a CSV file Mark the findings that are part ofCIS Google Cloud Foundation 1 3 in the file Ignore the entries that are irrelevant and out of scope for thecompany.

Ask an external audit company to provide independent reports including needed CIS benchmarks. In thescope of the audit clarify that some of the controls are not needed and must be disregarded.

Run each tier in its own Project, and segregate using Project labels.

Run each tier with a different Service Account (SA), and use SA-based firewall rules.

Run each tier in its own subnet, and use subnet-based firewall rules.

Run each tier with its own VM tags, and use tag-based firewall rules.

1. Set up a Cloud VPN link between the on-premises environment and Google Cloud.

2. Configure private access using the restricted googleapis.com domains in on-premises DNS configurations.

1. Set up a Partner Interconnect link between the on-premises environment and Google Cloud.

2. Configure private access using the private.googleapis.com domains in on-premises DNS configurations.

1. Set up a Direct Peering link between the on-premises environment and Google Cloud.

2. Configure private access for both VPC subnets.

1. Set up a Dedicated Interconnect link between the on-premises environment and Google Cloud.

2. Configure private access using the restricted.googleapis.com domains in on-premises DNS configurations.

Enable theconstraints/compute.skipDefaultNetworkCreationorganization policy constraint at the organization level.

Create a cron job to trigger a daily Cloud Function to automatically delete all default networks for each project.

Grant your users the 1AM Owner role at the organization level. Create a VPC Service Controls perimeter around the project that restricts thecompute.googleapis.comAPI.

Only allow your users to use your CI/CD pipeline with a predefined set of infrastructure templates they can deploy to skip the creation of the default networks.

Set up a workload identity pool with your corporate Active Directory Federation Service (ADFS) Configure arule to let principals in the pool impersonate the Google Cloud service account.

Set up a workload identity pool with your corporate Active Directory Federation Service (ADFS) Let allprincipals in the pool impersonate the Google Cloud service account.

Set up a workload identity pool with an OpenID Connect (OIDC) service on the name machine Configure arule to let principals in the pool impersonate the Google Cloud service account.

Set up a workload identity pool with an OpenID Connect (OIDC) service on the same machine Let allprincipals in the pool impersonate the Google Cloud service account.

1. Use separate Google Cloud projects to store Production and Non-Production secrets.

2. Enforce access control to secrets using project-level identity and Access Management (IAM) bindings.

3. Use customer-managed encryption keys to encrypt secrets.

1. Use a single Google Cloud project to store both Production and Non-Production secrets.

2. Enforce access control to secrets using secret-level Identity and Access Management (IAM) bindings.

3. Use Google-managed encryption keys to encrypt secrets.

1. Use separate Google Cloud projects to store Production and Non-Production secrets.

2. Enforce access control to secrets using secret-level Identity and Access Management (IAM) bindings.

3. Use Google-managed encryption keys to encrypt secrets.

1. Use a single Google Cloud project to store both Production and Non-Production secrets.

2. Enforce access control to secrets using project-level Identity and Access Management (IAM) bindings.

3. Use customer-managed encryption keys to encrypt secrets.