For data residency requirements, you want your secrets in Google Clouds Secret Manager to only have payloads in europe-west1 and europe-west4. Your secrets must be highly available in both regions.
What should you do?
A.
Create your secret with a user managed replication policy, and choose only compliant locations.
B.
Create your secret with an automatic replication policy, and choose only compliant locations.
C.
Create two secrets by using Terraform, one in europe-west1 and the other in europe-west4.
D.
Create your secret with an automatic replication policy, and create an organizational policy to deny secret creation in non-compliant locations.
B. Automatic Replication Policy: This does not allow you to specify locations, so it wouldn't meet your data residency requirements.
C. Two Secrets with Terraform: This approach is more complex and less efficient than using a user managed replication policy.
D. Automatic Replication with Organizational Policy: This would not provide the control needed to ensure secrets are only in the specified regions.
A is correct as per
https://cloud.google.com/secret-manager/docs/overview#:~:text=Ensure%20high%20availability%20and%20disaster,regardless%20of%20their%20geographic%20location.
Answer B:
Here's the rationale for this choice:
Secret Manager offers automatic replication for secrets, ensuring high availability by default. When you create a secret with an automatic replication policy, it automatically replicates the secret's data to multiple regions for redundancy.
By choosing only compliant locations (europe-west1 and europe-west4) in your automatic replication policy, you enforce that the secret's data is stored only in those two regions, meeting your data residency requirements.
A. Create your secret with a user managed replication policy, and choose only compliant locations.
Here's why:
User-managed replication lets you explicitly specify the secret's regions of replication, which aligns with the requirement to have payloads only in europe-west1 and europe-west4.
from ChatGPT-4:
The correct answer is A. Create your secret with a user-managed replication policy, and choose only compliant locations.
In Google Cloud's Secret Manager, secrets with a user-managed replication policy are replicated only in the user-specified locations. This can be used to ensure data residency requirements are met, as the secret data (payloads) will not be stored or replicated outside of the regions selected in the policy.
The automatic replication policy option (B and D) would not work because it replicates data across all regions in Google Cloud, which may violate the data residency requirements.
Creating two secrets using Terraform (C) in different regions could work from a data residency standpoint, but it could lead to management issues as you would have two separate secrets to manage instead of one.
A voting comment increases the vote count for the chosen answer by one.
Upvoting a comment with a selected answer will also increase the vote count towards that answer by one.
So if you see a comment that you already agree with, you can upvote it instead of posting a new comment.
pfilourenco
Highly Voted 1 year, 8 months agoPime13
Most Recent 4 months, 2 weeks agoMoAk
5 months, 1 week agodesertlotus1211
1 year, 2 months agoiEM4D
1 year, 3 months agoArizonaClassics
1 year, 7 months agoMithung30
1 year, 8 months agoalkaloid
1 year, 8 months agokapara
1 year, 9 months ago