Google Exam Professional Cloud DevOps Engineer Topic 4 Question 60 Discussion

Actual exam question for Google's Professional Cloud DevOps Engineer exam

Question #: 60
Topic #: 4

[All Professional Cloud DevOps Engineer Questions]

You are designing a new Google Cloud organization for a client. Your client is concerned with the risks associated with long-lived credentials created in Google Cloud. You need to design a solution to completely eliminate the risks associated with the use of JSON service account keys while minimizing operational overhead. What should you do?

AUse custom versions of predefined roles to exclude all iam.serviceAccountKeys. * service account role permissions.

BApply the constraints/iam.disableserviceAccountKeycreation constraint to the organization.

CApply the constraints/iam. disableServiceAccountKeyUp10ad constraint to the organization.

DGrant the roles/ iam.serviceAccountKeyAdmin IAM role to organization administrators only.

Show Suggested Answer

Suggested Answer: B

The correct answer is B, Apply the constraints/iam.disableServiceAccountKeyCreation constraint to the organization.

According to the Google Cloud documentation, the constraints/iam.disableServiceAccountKeyCreation constraint is an organization policy constraint that prevents the creation of user-managed service account keys1. User-managed service account keys are long-lived credentials that can be downloaded as JSON or P12 files and used to authenticate as a service account2. These keys pose severe security risks if they are leaked, stolen, or misused by unauthorized entities34. By applying this constraint to the organization, you can completely eliminate the risks associated with the use of JSON service account keys and enforce a more secure alternative for authentication, such as Workload Identity or short-lived access tokens12. This also minimizes operational overhead by avoiding the need to manage, rotate, or revoke user-managed service account keys.

The other options are incorrect because they do not completely eliminate the risks associated with the use of JSON service account keys. Option A is incorrect because it only restricts the IAM permissions to create, list, get, delete, or sign service account keys, but it does not prevent existing keys from being used or leaked. Option C is incorrect because it only disables the upload of user-managed service account keys, but it does not prevent the creation or download of such keys. Option D is incorrect because it only limits the IAM role that can create and manage service account keys, but it does not prevent the keys from being distributed or exposed to unauthorized entities.

Disable user-managed service account key creation, Disable user-managed service account key creation. Service accounts, User-managed service accounts. Help keep your Google Cloud service account keys safe, Help keep your Google Cloud service account keys safe. Stop Downloading Google Cloud Service Account Keys!, Stop Downloading Google Cloud Service Account Keys! [Service Account Keys], Service Account Keys. [Disable user-managed service account key upload], Disable user-managed service account key upload. [Granting roles to service accounts], Granting roles to service accounts.

by Galen at Jan 27, 2024, 07:07 AM

Limited Time Offer

25%

Off

Get Premium Professional Cloud DevOps Engineer Questions as Interactive Web-Based Practice Test or PDF

Contribute your Thoughts:

Submit Cancel

Catarina

8 months ago

Okay, let's break this down. We need to completely eliminate the risks associated with service account keys, but we also need to minimize operational overhead. That rules out option A, since it involves custom roles. I think option B is the way to go.

upvoted 0 times

...

8 months ago

I'm not a fan of this question. It seems like a trick question, trying to get us to choose the right combination of constraints and roles. I think the best approach is to completely eliminate the use of JSON service account keys.

upvoted 0 times

...