Google Exam Associate Cloud Engineer Topic 2 Question 81 Discussion

Actual exam question for Google's Associate Cloud Engineer exam

Question #: 81
Topic #: 2

[All Associate Cloud Engineer Questions]

Your company is moving its continuous integration and delivery (CI/CD) pipeline to Compute Engine instances. The pipeline will manage the entire cloud infrastructure through code. How can you ensure that the pipeline has appropriate permissions while your system is following security best practices?

A* Add a step for human approval to the CI/CD pipeline before the execution of the infrastructure
provisioning.
* Use the human approvals IAM account for the provisioning.

B* Attach a single service account to the compute instances.
* Add minimal rights to the service account.
* Allow the service account to impersonate a Cloud Identity user with elevated permissions to create, update, or delete resources.

C* Attach a single service account to the compute instances.
* Add all required Identity and Access Management (IAM) permissions to this service account to create, update, or delete resources

D* Create multiple service accounts, one for each pipeline with the appropriate minimal Identity and
Access Management (IAM) permissions.
* Use a secret manager service to store the key files of the service accounts.
* Allow the CI/CD pipeline to request the appropriate secrets during the execution of the pipeline.

Show Suggested Answer

Suggested Answer: D

Instance groups are collections of virtual machine (VM) instances that you can manage as a single entity. Instance groups can help you simplify the management of multiple instances, reduce operational costs, and improve the availability and performance of your applications. Instance groups support autoscaling, which automatically adds or removes instances from the group based on increases or decreases in load. Autoscaling helps your applications gracefully handle increases in traffic and reduces cost when the need for resources is lower. You can set the autoscaling policy based on CPU utilization, load balancing capacity, Cloud Monitoring metrics, or a queue-based workload. In this case, since the video encoding software is CPU-intensive, setting the autoscaling based on CPU utilization is the best option to ensure high availability and optimal performance.Reference:

Instance groups

Autoscaling groups of instances

by Sophia at Apr 29, 2024, 04:38 AM

Limited Time Offer

25%

Off

Get Premium Associate Cloud Engineer Questions as Interactive Web-Based Practice Test or PDF

Contribute your Thoughts:

Submit Cancel

Kenneth

4 days ago

I heard they're also moving the coffee machine to the cloud. Should make for some interesting DevOps stories.

upvoted 0 times

...

Maryann

6 days ago

Hmm, Option A with human approval? Looks like someone's trying to get out of work. Let's just automate this whole thing and call it a day!

upvoted 0 times

...

Nan

9 days ago

Option D looks the most comprehensive to me. Using a secret manager to store the service account keys and allowing the pipeline to request the appropriate secrets is a smart way to manage permissions.

upvoted 0 times

Filiberto

18 hours ago

I agree, using a secret manager for storing keys adds an extra layer of security.

upvoted 0 times

...

Lavonna

5 days ago

Option D looks the most comprehensive to me.

upvoted 0 times

...

Amalia

13 days ago

I'm not sure I agree with Option B. Wouldn't it be better to just give the service account all the required permissions instead of impersonating another user?

upvoted 0 times

...

Staci

16 days ago

Option B seems like the most secure approach. Impersonating a Cloud Identity user with elevated permissions is a great way to minimize the service account's rights.

upvoted 0 times

Pansy

7 days ago

I agree, option B does seem like a secure approach.

upvoted 0 times

...

Tamesha

25 days ago

That's a good point, Tammara. Option D does provide better security measures by using separate service accounts and secret management. It's important to prioritize security when setting up the pipeline.

upvoted 0 times

...

Tammara

29 days ago

I disagree, I believe option D is more secure. Creating multiple service accounts with minimal IAM permissions and using a secret manager service for key files adds an extra layer of security to the CI/CD pipeline.

upvoted 0 times

...

Tamesha

30 days ago

I think option B is the best choice. By attaching a single service account with minimal rights, we can ensure security while allowing the account to impersonate a Cloud Identity user with elevated permissions.

upvoted 0 times

...