Exam Professional Cloud Security Engineer topic 1 question 172 discussion

I think the answer should D. Option B gives them "Always On" permissions but the question asks for "Just in time" permissions. So, this is possible only with a Service Account. Once the incident response team resolves the issue, the service account key can be disabled.

It follows best practices and has traceability

IAM role to DevOps team member is wrong - not fulfill least privilege principle Service account with "limited list/view permissions" to DevOps team member is correct - least privilege principle - more flexibility

i vote B. Options A and C grant broader permissions than necessary, which does not align with the least-privilege principle. Option D involves using a service account, which is not the best practice for granting temporary access to human users. By creating a custom IAM role, you ensure that the DevOps team has the precise permissions needed for their tasks, and you can easily adjust or revoke these permissions as necessary

Why Option D is Best: Least-Privilege Access: Permissions are limited to only what is necessary for the investigation by tailoring the service account’s IAM role. Controlled Access: By managing the service account or its impersonation permissions, you can ensure the DevOps team can access the resources only during deployment issues.

D. Create a service account, and grant it limited list/view permissions. Give the Service Account User Role on this service account to the DevOps team. This option allows you to create a service account with limited access rights (list/view), and the DevOps team will be able to use this service account only when needed. This is consistent with the principle of least privilege and incident-only access.

D. Create a service account, and grant it limited list/view permissions. Give the Service Account User Role on this service account to the DevOps team. This option allows you to create a service account with limited access rights (list/view), and the DevOps team will be able to use this service account only when needed. This is consistent with the principle of least privilege and incident-only access.

D. This approach allows the creation of a service account with specific limited permissions necessary for investigating deployment issues. The DevOps team can then be granted the Service Account User role on this service account. This setup ensures that the DevOps team can use the service account with appropriate permissions only when needed, fulfilling both requirements of least-privilege access and temporary access

Its (D) according https://cloud.google.com/iam/docs/best-practices-service-accounts "Some applications only require access to certain resources at specific times or under specific circumstances....In such scenarios, using a single service account and granting it access to all resources goes against the principle of least privilege"

D. -Least Privilege: By creating a service account with restricted permissions (limited list/view access to specific resources), you adhere to the principle of least privilege. The DevOps team can only access the information needed for investigation without broader project-level control. -Temporary Access: Service accounts are not tied to individual users. Once the investigation is complete, you can simply revoke access to the service account from the DevOps team, effectively removing their access to the resources. This ensures temporary access for the specific incident.

Answer is B, it sets least-privilege access.

Any DevOps Engineer knows verywell, it is D

B or D, I prefer B because of traceability, impersonating an account is harder to audit in relation to using personal account.

I go with D, While B seems to allows defining specific permissions, it adds complexity to the access control strategy and might still grant more access than necessary.

B follows the google best practices

Answer should be B

The real answer shouldn be 'breakglass' tool.