You plan to deploy your cloud infrastructure using a CI/CD cluster hosted on Compute Engine. You want to minimize the risk of its credentials being stolen by a third party. What should you do?
A. Create a dedicated Cloud Identity user account for the cluster. Use a strong self-hosted vault solution to store the user's temporary credentials.
B. Create a dedicated Cloud Identity user account for the cluster. Enable the constraints/iam.disableServiceAccountCreation organization policy at the project level.
C. Create a custom service account for the cluster. Enable the constraints/iam.disableServiceAccountKeyCreation organization policy at the project level.
D. Create a custom service account for the cluster. Enable the constraints/iam.allowServiceAccountCredentialLifetimeExtension organization policy at the project level.
Disable service account key creation
You can use the iam.disableServiceAccountKeyCreation boolean constraint to disable the creation of new external service account keys. This allows you to control the use of unmanaged long-term credentials for service accounts. When this constraint is set, user-managed credentials cannot be created for service accounts in projects affected by the constraint.
https://cloud.google.com/resource-manager/docs/organization-policy/restricting-service-accounts#example_policy_boolean_constraint
Yes
C. Create a custom service account for the cluster. Enable the constraints/iam.disableServiceAccountKeyCreation organization policy at the project level.
To minimize the risk of credentials being stolen by a third party when deploying your cloud infrastructure using a CI/CD cluster hosted on Compute Engine, you should create a custom service account for the cluster and enable the constraints/iam.disableServiceAccountKeyCreation organization policy at the project level.
By creating a custom service account for the cluster, you can have more control over the permissions and access granted to the cluster. This allows you to follow the principle of least privilege and ensure that only the necessary permissions are assigned to the service account.
Enabling the constraints/iam.disableServiceAccountKeyCreation organization policy at the project level helps prevent unauthorized access to the service account’s credentials by disabling the creation of new service account keys.
"C"
Service Account Keys get exported outside GCP to local machines and this is where the main risk comes from. Therefore you can mitigate this risk by disabling the creation of service account keys.
https://cloud.google.com/resource-manager/docs/organization-policy/restricting-service-accounts#disable_service_account_key_creation
Answer is (C).
To minimize the risk of credentials being stolen by third parties, it is desirable to control the use of unmanaged long-term credentials.
・"constraints/iam.allowServiceAccountCredentialLifetimeExtension": to extend the lifetime of the access token.
・"iam.disableServiceAccountCreation": Disables service account creation.
・"iam.disableServiceAccountCreation": Controls the use of unmanaged long-term credentials for service accounts.
Ref : https://cloud.google.com/resource-manager/docs/organization-policy/restricting-service-accounts#example_policy_boolean_constraint
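Added example, not part of the original question or any of the comments above: it shows what answer C looks like in practice, building the v2 organization-policy body that enforces constraints/iam.disableServiceAccountKeyCreation on a single project, checking that a policy actually enforces it, and auditing a service account's key list for the user-managed keys that the comments identify as the real exposure (the ones that get exported to laptops and CI boxes). PROJECT_ID and the cicd@ service account are placeholders, and the key records are constructed sample data in the shape of `gcloud iam service-accounts keys list --format=json` output.

```python
"""Enforce iam.disableServiceAccountKeyCreation on a project and audit for
existing user-managed keys.  Added example; PROJECT_ID, the service account
name and the key records below are placeholders / constructed sample data."""
import json
from typing import Dict, List

CONSTRAINT = "iam.disableServiceAccountKeyCreation"


def project_policy(project_id: str, constraint: str = CONSTRAINT) -> Dict:
    """Build the v2 org-policy body that enforces a boolean constraint on one
    project.  Written to a file, this is what
    `gcloud org-policies set-policy policy.yaml` consumes."""
    return {
        "name": f"projects/{project_id}/policies/{constraint}",
        "spec": {"rules": [{"enforce": True}]},
    }


def is_enforced(policy: Dict, constraint: str = CONSTRAINT) -> bool:
    """True only if the policy names this constraint and has at least one
    unconditional rule with enforce: true.  A conditional rule, or
    enforce: false, means keys can still be minted in some cases."""
    if not policy.get("name", "").endswith(f"/policies/{constraint}"):
        return False
    rules = policy.get("spec", {}).get("rules", [])
    return any(r.get("enforce") is True and "condition" not in r for r in rules)


def user_managed_keys(keys: List[Dict]) -> List[str]:
    """Names of keys with keyType USER_MANAGED.  These are the downloadable,
    long-lived JSON credentials the constraint blocks going forward; existing
    ones are not revoked by the policy and must be found and deleted
    separately.  SYSTEM_MANAGED keys are Google-rotated and never leave GCP."""
    return [k["name"] for k in keys if k.get("keyType") == "USER_MANAGED"]


# Constructed sample: one Google-managed key and one user-managed key on the
# CI/CD cluster's service account (placeholder names).
SA = "projects/PROJECT_ID/serviceAccounts/cicd@PROJECT_ID.iam.gserviceaccount.com"
SAMPLE_KEYS = [
    {"name": f"{SA}/keys/sysmanaged0001", "keyType": "SYSTEM_MANAGED",
     "validAfterTime": "2024-01-01T00:00:00Z", "validBeforeTime": "2024-01-15T00:00:00Z"},
    {"name": f"{SA}/keys/usermanaged0002", "keyType": "USER_MANAGED",
     "validAfterTime": "2023-06-01T00:00:00Z", "validBeforeTime": "9999-12-31T23:59:59Z"},
]

if __name__ == "__main__":
    policy = project_policy("PROJECT_ID")
    print(json.dumps(policy, indent=2))
    print("constraint enforced:", is_enforced(policy))
    print("user-managed keys to delete:", user_managed_keys(SAMPLE_KEYS))
```

The Compute Engine instances in the cluster should run with the custom service account attached and obtain short-lived tokens from the metadata server, so no key file ever needs to exist; the policy makes that the only option, and the audit catches keys created before it was applied.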