🔥 3-day streak
Professional Cloud Architect90 / 169
Question 90 of 169
A financial services company runs sensitive workloads on a Google Kubernetes Engine (GKE) Standard cluster. During a compliance audit, the security team learns that Kubernetes Secrets (containing API tokens and database passwords) are stored in etcd only base64-encoded, not encrypted with a key the company controls. Regulators require that any at-rest secret material be protected by a customer-managed encryption key with the ability to disable access. What should the architect implement to meet this requirement with the least operational overhead?
Reviewed for accuracy · Report an issueNext question