The correct answer is A Kubernetes Secret object.

A Kubernetes Secret object keeps sensitive credentials out of manifest files by storing them in a dedicated Kubernetes resource that can be mounted into pods as files or injected as environment variables. You can restrict access with RBAC and enable encryption at rest so the sensitive data is not exposed in the resource definition itself.

A Kubernetes ConfigMap is designed for non sensitive configuration data and is stored in plain text, so it does not provide the confidentiality guarantees needed for credentials.

Google Secret Manager is an external cloud secret store and it can be used alongside Kubernetes, but the question is asking for the Kubernetes mechanism to avoid embedding secrets in manifest files and the expected answer is the native Secret object rather than an external service.

Environment variables placed directly in the manifest file embed secrets in plain text inside the resource definition and so they are exposed and should be avoided.

Full AWS Practitioner Certification Question