ExamTopics Logo
Mail Us[email protected]
Menu
Google Discussions
exam questions

Exam Associate Cloud Engineer All Questions

View all questions & answers for the Associate Cloud Engineer exam
Go to Exam

Exam Associate Cloud Engineer topic 1 question 242 discussion

Actual exam question from Google's Associate Cloud Engineer
Question #: 242
Topic #: 1
[All Associate Cloud Engineer Questions]

You recently discovered that your developers are using many service account keys during their development process. While you work on a long term improvement, you need to quickly implement a process to enforce short-lived service account credentials in your company. You have the following requirements:

• All service accounts that require a key should be created in a centralized project called pj-sa.
• Service account keys should only be valid for one day.

You need a Google-recommended solution that minimizes cost. What should you do?

  • A. Implement a Cloud Run job to rotate all service account keys periodically in pj-sa. Enforce an org policy to deny service account key creation with an exception to pj-sa.
  • B. Implement a Kubernetes CronJob to rotate all service account keys periodically. Disable attachment of service accounts to resources in all projects with an exception to pj-sa.
  • C. Enforce an org policy constraint allowing the lifetime of service account keys to be 24 hours. Enforce an org policy constraint denying service account key creation with an exception on pj-sa.
  • D. Enforce a DENY org policy constraint over the lifetime of service account keys for 24 hours. Disable attachment of service accounts to resources in all projects with an exception to pj-sa.
Show Suggested Answer Hide Answer
Suggested Answer: C 🗳️
by niedobry at Aug. 3, 2023, 6:55 p.m.

Comments

Chosen Answer:
This is a voting comment (?). It is better to Upvote an existing comment if you don't have anything to add.
Switch to a voting comment New
Submit Cancel
qannik
Highly Voted 9 months, 4 weeks ago
Selected Answer: C
You can use an org policy to enforce a 24-hour lifetime for service account keys. You can use an org policy to deny service account key creation, with an exception for the pj-sa project. This is a Google-recommended solution and it is relatively inexpensive.
upvoted 5 times
...
joao_01
Most Recent 8 months, 2 weeks ago
Selected Answer: C
Its C, makes sense
upvoted 3 times
...
Captain1212
8 months, 3 weeks ago
c is the coorect answer
upvoted 3 times
...
scanner2
8 months, 3 weeks ago
Selected Answer: C
C is correct. https://cloud.google.com/resource-manager/docs/organization-policy/restricting-service-accounts#limit_key_expiry https://cloud.google.com/resource-manager/docs/organization-policy/restricting-service-accounts#disable_service_account_key_creation
upvoted 3 times
...
3arle
9 months, 3 weeks ago
Selected Answer: C
it should be C
upvoted 3 times
...
niedobry
10 months ago
Answer is C. Constraint: constraints/iam.serviceAccountKeyExpiryHours does not accept DENY values so D can not be correct.
upvoted 3 times
...
Community vote distribution
A (35%)
C (25%)
B (20%)
Other
Most Voted
A voting comment increases the vote count for the chosen answer by one.

Upvoting a comment with a selected answer will also increase the vote count towards that answer by one. So if you see a comment that you already agree with, you can upvote it instead of posting a new comment.

SaveCancel