Google Exam Professional Cloud Security Engineer Topic 4 Question 88 Discussion

Actual exam question for Google's Professional Cloud Security Engineer exam

Question #: 88
Topic #: 4

[All Professional Cloud Security Engineer Questions]

You are developing a new application that uses exclusively Compute Engine VMs Once a day. this application will execute five different batch jobs Each of the batch jobs requires a dedicated set of permissions on Google Cloud resources outside of your application. You need to design a secure access concept for the batch jobs that adheres to the least-privilege principle

What should you do?

A1. Create a general service account **g-sa' to execute the batch jobs.
* 2 Grant the permissions required to execute the batch jobs to g-sa.
* 3. Execute the batch jobs with the permissions granted to g-sa

B1. Create a general service account 'g-sa' to orchestrate the batch jobs.
* 2. Create one service account per batch job Mb-sa-[1-5],' and grant only the permissions required to run the individual batch jobs to the service accounts.
* 3. Grant the Service Account Token Creator role to g-sa Use g-sa to obtain short-lived access tokens for b-sa-[1-5] and to execute the batch jobs with the permissions of b-sa-[1-5].

C1. Create a workload identity pool and configure workload identity pool providers for each batch job
* 2 Assign the workload identity user role to each of the identities configured in the providers.
* 3. Create one service account per batch job Mb-sa-[1-5]'. and grant only the permissions required to run the individual batch jobs to the service accounts
* 4 Generate credential configuration files for each of the providers Use these files to execute the batch jobs with the permissions of b-sa-[1-5].
D.
* 1. Create a general service account 'g-sa' to orchestrate the batch jobs.
* 2 Create one service account per batch job 'b-sa-[1-5)\ Grant only the permissions required to run the individual batch jobs to the service accounts and generate service account keys for each of these service accounts
* 3. Store the service account keys in Secret Manager. Grant g-sa access to Secret Manager and run the batch jobs with the permissions of b-sa-[1-5].

Show Suggested Answer

Suggested Answer: B

by Eric at Sep 14, 2024, 04:00 AM

Limited Time Offer

25%

Off

Get Premium Professional Cloud Security Engineer Questions as Interactive Web-Based Practice Test or PDF

Contribute your Thoughts:

Submit Cancel

Quentin

6 months ago

I'm just glad they didn't include an option that involves manually editing a 500-line YAML file. That's the kind of thing that keeps me up at night.

upvoted 0 times

...

Darell

6 months ago

Is it just me, or does this question sound like it was written by a robot? I'm half-expecting the correct answer to be 'All of the above'.

upvoted 0 times

...

Raylene

6 months ago

I prefer option D. Storing service account keys in Secret Manager adds an extra layer of security.

upvoted 0 times

...

Melissa

7 months ago

Option D with the service account keys stored in Secret Manager is an interesting approach, but it feels a bit more complex than the other options. I'm not sure it's necessary for this use case.

upvoted 0 times

Olga

6 months ago

Option D does seem a bit complex with storing service account keys in Secret Manager, but it could provide an extra layer of security for the batch jobs.

upvoted 0 times

...

Destiny

6 months ago

I agree, Option B with individual service accounts for each batch job and using short-lived access tokens seems like a secure way to adhere to the least-privilege principle.

upvoted 0 times

...

Emmanuel

6 months ago

Option A seems like a simple solution to grant permissions to a general service account for executing batch jobs.

upvoted 0 times

...

Rochell

7 months ago

I agree with Julene. Option B ensures least-privilege access for each batch job.

upvoted 0 times

...

Valene

7 months ago

I like how option C uses workload identity pools to manage the permissions for each batch job. That seems like a really elegant and scalable solution.

upvoted 0 times

Deeanna

5 months ago

I think option C is the way to go for secure access to the batch jobs.

upvoted 0 times

...

Mose

5 months ago

It's definitely an elegant way to handle permissions for each batch job.

upvoted 0 times

...

Bette

6 months ago

I agree, using workload identity pools seems like a scalable solution for managing permissions.

upvoted 0 times

...

Mattie

6 months ago

Option C sounds like a great choice for managing permissions with workload identity pools.

upvoted 0 times

...

Nicholle

6 months ago

It's important to follow the least-privilege principle when designing access for batch jobs. Option C seems to do that effectively.

upvoted 0 times

...

Sabra

7 months ago

I agree, using workload identity pools seems like a secure and scalable solution for managing permissions.

upvoted 0 times

...

Precious

7 months ago

Option C is indeed a great choice. Workload identity pools make it easy to manage permissions for each batch job.

upvoted 0 times

...

Julianna

7 months ago

Option B looks like the way to go. Creating individual service accounts for each batch job and using a general service account to orchestrate them seems like a good way to follow the least-privilege principle.

upvoted 0 times

Anastacia

6 months ago

Using a general service account to obtain short-lived access tokens for the individual batch job service accounts adds an extra layer of security to the process.

upvoted 0 times

...