Google Professional Cloud DevOps Engineer Exam - Topic 4 Question 60 Discussion

Actual exam question for Google's Professional Cloud DevOps Engineer exam
Question #: 60
Topic #: 4

You are designing a new Google Cloud organization for a client. Your client is concerned with the risks associated with long-lived credentials created in Google Cloud. You need to design a solution to completely eliminate the risks associated with the use of JSON service account keys while minimizing operational overhead. What should you do?

Suggested Answer: B

The correct answer is B: apply the constraints/iam.disableServiceAccountKeyCreation organization policy constraint to the organization.

According to the Google Cloud documentation, constraints/iam.disableServiceAccountKeyCreation is an organization policy constraint that prevents the creation of user-managed service account keys [1]. User-managed service account keys are long-lived credentials that can be downloaded as JSON or P12 files and used to authenticate as the service account [2]. Because they never expire on their own, they pose a severe risk if they are leaked, committed to source control, or otherwise obtained by an unauthorized party [3][4]. Enforcing the constraint at the organization level means every folder and project inherits it, so no user-managed key can be created anywhere in the new organization, and workloads are pushed toward safer alternatives: Workload Identity for GKE, Workload Identity Federation for external workloads, attached service accounts on Compute Engine or Cloud Run, and short-lived tokens obtained through service account impersonation [1][2]. This also minimizes operational overhead, since there are no keys to distribute, rotate, or revoke.

Two practical caveats apply. First, the constraint only blocks the creation of new keys; it does not delete keys that already exist, so in an existing organization it must be paired with an inventory and cleanup of user-managed keys (in a newly created organization, as in this question, there are none). Second, a policy set at the organization level can be overridden by a policy on a child folder or project, so the roles/orgpolicy.policyAdmin role should be granted sparingly and organization policy changes should be watched in the audit logs.

The other options do not eliminate the risk. Option A (custom versions of the predefined roles with all iam.serviceAccountKeys.* permissions removed) is a permission-based workaround: every custom role must be built and maintained, the basic roles Owner and Editor still carry the key-creation permissions, and nothing prevents an existing key from being used or leaked. Option C (disabling user-managed service account key upload, constraints/iam.disableServiceAccountKeyUpload) only blocks uploading an externally generated public key; Google-generated keys can still be created and downloaded. Option D (granting roles/iam.serviceAccountKeyAdmin to organization administrators only) limits who can create keys, but the keys that are created are still long-lived credentials that can be distributed and exposed.


References:
1. Disable user-managed service account key creation
2. Service accounts: User-managed service accounts
3. Help keep your Google Cloud service account keys safe
4. Stop Downloading Google Cloud Service Account Keys!
5. Service Account Keys
6. Disable user-managed service account key upload
7. Granting roles to service accounts
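The following Python script is an added example (not from the original page, the exam, or Google's documentation) of the check a practitioner would run after enforcing the constraint with gcloud resource-manager org-policies enable-enforce iam.disableServiceAccountKeyCreation --organization=ORG_ID: it confirms that the policy is enforced and lists any user-managed keys that pre-date it, because the constraint blocks new keys but does not delete existing ones. The two JSON documents are constructed to mimic the output shapes of gcloud resource-manager org-policies describe ... --format=json and gcloud iam service-accounts keys list --format=json; the project, service account, key IDs, etag and timestamps are made up, and the handling of the newer spec.rules[].enforce document shape is an assumption.

```python
"""Audit: is iam.disableServiceAccountKeyCreation enforced, and what keys survive it?

Added example, not Google's code. All sample data below is constructed.
"""
import json
from datetime import datetime, timezone

CONSTRAINT = "constraints/iam.disableServiceAccountKeyCreation"

# Constructed: shape of `gcloud resource-manager org-policies describe
# iam.disableServiceAccountKeyCreation --organization=ORG_ID --format=json`
# after the constraint has been enforced (etag and updateTime are placeholders).
POLICY_JSON = """
{
  "booleanPolicy": {"enforced": true},
  "constraint": "constraints/iam.disableServiceAccountKeyCreation",
  "etag": "BwXexample",
  "updateTime": "2024-01-10T12:00:00.000Z"
}
"""

# Constructed: shape of `gcloud iam service-accounts keys list
# --iam-account=app@demo-prj.iam.gserviceaccount.com --format=json`.
# One Google-rotated SYSTEM_MANAGED key (harmless) and two USER_MANAGED keys
# created before the policy, which the policy does not remove.
KEYS_JSON = """
[
  {"keyAlgorithm": "KEY_ALG_RSA_2048", "keyOrigin": "GOOGLE_PROVIDED",
   "keyType": "SYSTEM_MANAGED",
   "name": "projects/demo-prj/serviceAccounts/app@demo-prj.iam.gserviceaccount.com/keys/aaaa1111",
   "validAfterTime": "2024-05-01T00:00:00Z", "validBeforeTime": "2024-05-17T00:00:00Z"},
  {"keyAlgorithm": "KEY_ALG_RSA_2048", "keyOrigin": "GOOGLE_PROVIDED",
   "keyType": "USER_MANAGED",
   "name": "projects/demo-prj/serviceAccounts/app@demo-prj.iam.gserviceaccount.com/keys/bbbb2222",
   "validAfterTime": "2023-02-01T00:00:00Z", "validBeforeTime": "9999-12-31T23:59:59Z"},
  {"keyAlgorithm": "KEY_ALG_RSA_2048", "keyOrigin": "USER_PROVIDED",
   "keyType": "USER_MANAGED",
   "name": "projects/demo-prj/serviceAccounts/app@demo-prj.iam.gserviceaccount.com/keys/cccc3333",
   "validAfterTime": "2024-04-15T00:00:00Z", "validBeforeTime": "9999-12-31T23:59:59Z"}
]
"""

# Constructed "as of" instant for the sample data, so key ages are reproducible.
SAMPLE_NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)


def policy_enforced(policy: dict) -> bool:
    """True if the describe output shows the boolean constraint enforced.

    Handles the v1 shape {"booleanPolicy": {"enforced": true}} and, as an
    assumption about the v2 `gcloud org-policies describe` output,
    {"spec": {"rules": [{"enforce": true}]}}.
    """
    if policy.get("constraint", CONSTRAINT) != CONSTRAINT:
        return False  # describe output for some other constraint
    if "booleanPolicy" in policy:
        return bool(policy["booleanPolicy"].get("enforced", False))
    rules = policy.get("spec", {}).get("rules", [])
    return any(rule.get("enforce") is True for rule in rules)


def _parse_ts(ts: str) -> datetime:
    # gcloud prints RFC 3339 with a trailing Z; fromisoformat wants an explicit offset.
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def user_managed_keys(keys: list, now: datetime) -> list:
    """Return user-managed keys with their age in days, oldest first.

    Anything listed here already exists and must be deleted explicitly
    (`gcloud iam service-accounts keys delete`); the org policy will not do it.
    """
    findings = []
    for key in keys:
        if key.get("keyType") != "USER_MANAGED":
            continue  # SYSTEM_MANAGED keys are rotated by Google and never downloadable
        created = _parse_ts(key["validAfterTime"])
        findings.append({
            "key_id": key["name"].rsplit("/", 1)[-1],
            "origin": key.get("keyOrigin"),
            "age_days": (now - created).days,
        })
    return sorted(findings, key=lambda f: -f["age_days"])


def audit(policy_json: str, keys_json: str, now: datetime) -> dict:
    """Combine both checks: policy enforced AND no leftover user-managed keys."""
    policy = json.loads(policy_json)
    leftovers = user_managed_keys(json.loads(keys_json), now)
    enforced = policy_enforced(policy)
    return {
        "constraint_enforced": enforced,
        "user_managed_keys": leftovers,
        "compliant": enforced and not leftovers,
    }


if __name__ == "__main__":
    print(json.dumps(audit(POLICY_JSON, KEYS_JSON, SAMPLE_NOW), indent=2))
```

On real data, feed the script the two gcloud outputs and loop over every service account in every project; the interesting result is the list of leftover USER_MANAGED keys, which is exactly what the policy cannot clean up for you.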

Contribute your Thoughts:

Miesha
4 months ago
D sounds too restrictive for admins, might cause issues.
upvoted 0 times
Erasmo
4 months ago
C doesn't really address the long-lived credential issue.
upvoted 0 times
Rocco
4 months ago
Wow, I didn't know disabling key creation was an option!
upvoted 0 times
Felicitas
4 months ago
I disagree, A seems more flexible for custom roles.
upvoted 0 times
Luis
5 months ago
B is the best option to eliminate those risks.
upvoted 0 times
Cecily
5 months ago
I recall that limiting who can create keys is important, so option D seems like it could help, but I wonder if it’s enough on its own.
upvoted 0 times
Jesse
5 months ago
I practiced a similar question where we had to manage service account keys, and I think option C might be relevant, but I’m not confident about the specifics.
upvoted 0 times
Jesus
5 months ago
I'm not entirely sure, but I feel like option A could help with permissions, but it might not fully address the long-lived key issue.
upvoted 0 times
Willard
5 months ago
I remember discussing the risks of long-lived credentials in our study group, and I think option B makes the most sense to eliminate those risks completely.
upvoted 0 times
Isaiah
5 months ago
This is a tricky question, but I think I have a good handle on it. Option D, granting the roles/iam.serviceAccountKeyAdmin IAM role to organization administrators only, could be a good approach. It would limit access to service account keys and help mitigate the risks. I'll need to double-check the details, but I'm feeling confident about this solution.
upvoted 0 times
Noble
5 months ago
Okay, I think I've got a good strategy for this. Option B, applying the constraints/iam.disableServiceAccountKeyCreation constraint to the organization, seems like the most straightforward way to completely eliminate the risks. It's a simple solution that should minimize operational overhead. I'm feeling pretty good about this one.
upvoted 0 times
Sarah
5 months ago
Hmm, this is a tricky one. I'm not entirely sure which approach would be the best. I'm considering option A, using custom versions of predefined roles to exclude all iam.serviceAccountKeys.* service account role permissions, but I'm not confident that would fully eliminate the risks. I'll need to think this through carefully.
upvoted 0 times
Cristy
5 months ago
This question seems straightforward - I think the key is to find a way to completely eliminate the risks associated with service account keys while minimizing operational overhead. I'm leaning towards option B, applying the constraints/iam.disableServiceAccountKeyCreation constraint to the organization.
upvoted 0 times
Callie
5 months ago
I think this question is testing our understanding of the different components in Power Automate flows. The key here is to identify the right tool to check the email criteria, and based on the options, I believe expressions would be the way to go.
upvoted 0 times
Vilma
6 months ago
Okay, I've got a strategy for this. I'll start by identifying the most important priority, which is clearly "imminent danger." Then I'll try to logically order the remaining priorities based on their descriptions.
upvoted 0 times
Sharen
6 months ago
C mentions custom Python script mode, which I think we covered briefly. It sounds advanced, but I feel like they could have mixed up some details.
upvoted 0 times
Colette
6 months ago
I'm pretty confident the answer is B. The "action" command is what specifies how the packets should be handled.
upvoted 0 times
Anjelica
6 months ago
I don't recall much about shrink-to attributes in this context. Maybe they could help, but I'm not entirely convinced that's what we're looking for.
upvoted 0 times
Catarina
2 years ago
Okay, let's break this down. We need to completely eliminate the risks associated with service account keys, but we also need to minimize operational overhead. That rules out option A, since it involves custom roles. I think option B is the way to go.
upvoted 0 times
Tuyet
2 years ago
Haha, I bet the exam writers are feeling pretty clever with this one. But you know what they say, 'There's no such thing as a free lunch.' We'll have to be strategic in our approach.
upvoted 0 times
Cammy
2 years ago
D) Grant the roles/iam.serviceAccountKeyAdmin IAM role to organization administrators only.
upvoted 0 times
Nilsa
2 years ago
B) Apply the constraints/iam.disableServiceAccountKeyCreation constraint to the organization.
upvoted 0 times
Jacki
2 years ago
A) Use custom versions of predefined roles to exclude all iam.serviceAccountKeys.* service account role permissions.
upvoted 0 times
Agustin
2 years ago
I agree, the question seems a bit convoluted. But I think the key here is to minimize operational overhead while completely eliminating the risks. That means we need to apply constraints at the organization level.
upvoted 0 times
Tish
2 years ago
I'm not a fan of this question. It seems like a trick question, trying to get us to choose the right combination of constraints and roles. I think the best approach is to completely eliminate the use of JSON service account keys.
upvoted 0 times