Exam Professional Cloud Security Engineer topic 1 question 172 discussion

Actual exam question from Google's Professional Cloud Security Engineer
Question #: 172
Topic #: 1

You're developing the incident response plan for your company. You need to define the access strategy that your DevOps team will use when reviewing and investigating a deployment issue in your Google Cloud environment. There are two main requirements:
✑ Least-privilege access must be enforced at all times.
✑ The DevOps team must be able to access the required resources only during the deployment issue.
How should you grant access while following Google-recommended best practices?

  • A. Assign the Project Viewer Identity and Access Management (IAM) role to the DevOps team.
  • B. Create a custom IAM role with limited list/view permissions, and assign it to the DevOps team.
  • C. Create a service account, and grant it the Project Owner IAM role. Give the Service Account User Role on this service account to the DevOps team.
  • D. Create a service account, and grant it limited list/view permissions. Give the Service Account User Role on this service account to the DevOps team.
Suggested Answer: B 🗳️

Comments

Baburao
Highly Voted 1 year, 8 months ago
I think the answer should be D. Option B gives them "Always On" permissions but the question asks for "Just in time" permissions. So, this is possible only with a Service Account. Once the incident response team resolves the issue, the service account key can be disabled.
upvoted 16 times
pfilourenco
9 months, 1 week ago
You can create "Just in time" permissions with IAM conditions.
upvoted 5 times
shanwford
Most Recent 1 week, 5 days ago
Selected Answer: D
It's (D) according to https://cloud.google.com/iam/docs/best-practices-service-accounts: "Some applications only require access to certain resources at specific times or under specific circumstances....In such scenarios, using a single service account and granting it access to all resources goes against the principle of least privilege"
upvoted 2 times
Bettoxicity
1 month ago
Selected Answer: D
D. -Least Privilege: By creating a service account with restricted permissions (limited list/view access to specific resources), you adhere to the principle of least privilege. The DevOps team can only access the information needed for investigation without broader project-level control. -Temporary Access: Service accounts are not tied to individual users. Once the investigation is complete, you can simply revoke access to the service account from the DevOps team, effectively removing their access to the resources. This ensures temporary access for the specific incident.
upvoted 1 times
glb2
1 month, 2 weeks ago
Selected Answer: B
Answer is B, it sets least-privilege access.
upvoted 1 times
dija123
1 month, 3 weeks ago
Selected Answer: D
Any DevOps Engineer knows very well, it is D
upvoted 1 times
Nachtwaker
2 months ago
Selected Answer: B
B or D, I prefer B because of traceability; impersonating an account is harder to audit than using a personal account.
upvoted 2 times
dija123
2 months ago
Selected Answer: D
I go with D. While B seems to allow defining specific permissions, it adds complexity to the access control strategy and might still grant more access than necessary.
upvoted 1 times
Selected Answer: B
B follows the Google best practices
upvoted 2 times
rglearn
7 months, 2 weeks ago
Selected Answer: B
Answer should be B
upvoted 1 times
desertlotus1211
7 months, 4 weeks ago
The real answer should be a 'breakglass' tool.
upvoted 1 times
ymkk
8 months, 1 week ago
Between B and D, I choose D, because option B (granting IAM roles to the DevOps team directly) would give them ongoing, not temporary, access.
upvoted 3 times
cyberpunk21
8 months, 2 weeks ago
Selected Answer: B
I go with B. If we consider D we need to assume too many things, and B, a simple custom role with a JIT condition, can address all the issues.
upvoted 3 times
ITIFR78
8 months, 2 weeks ago
Selected Answer: B
B is more relevant
upvoted 2 times
akg001
8 months, 3 weeks ago
Selected Answer: B
B is the right answer.
upvoted 1 times
pfilourenco
9 months, 1 week ago
Selected Answer: B
I will go with B, since only with custom roles can you have least-privilege access enforced at all times. And you can create "Just in time" permissions with IAM conditions.
upvoted 3 times
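The "custom role plus IAM condition" approach that this comment and the one on Baburao's thread refer to can be expressed as policy-as-code and checked against the question's two requirements. The following is an added example written for this page; it is not code from ExamTopics, Google, or any commenter. The project id, role id, group address and permission list are constructed placeholders, and the policy review function is a hypothetical helper (not a gcloud or Google API feature). The role and binding JSON are in the shape that `gcloud iam roles create --file` and `gcloud projects set-iam-policy` accept; `request.time < timestamp(...)` is the standard IAM condition expression for an expiring grant, and conditions are only honoured when the policy is version 3.

```python
"""Added example (not from ExamTopics or Google): express option B as a
read-only custom role bound with an expiring IAM condition, then check the
two exam requirements: least privilege and access only during the incident.
All identifiers below are constructed placeholders."""
import json
import re
from datetime import datetime, timedelta, timezone

PROJECT_ID = "example-project"             # constructed placeholder
ROLE_ID = "devopsIncidentViewer"           # constructed placeholder
DEVOPS_GROUP = "group:devops@example.com"  # constructed placeholder
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)  # constructed "current time"

# "Limited list/view permissions": only get/list verbs, no mutating ones.
INCIDENT_VIEW_PERMISSIONS = [
    "compute.instances.get",
    "compute.instances.list",
    "logging.logEntries.list",
    "run.services.get",
    "run.services.list",
]


def build_custom_role() -> dict:
    """Role definition as consumed by `gcloud iam roles create ROLE --file`."""
    return {
        "title": "DevOps Incident Viewer",
        "description": "Read-only access for deployment-issue investigation",
        "stage": "GA",
        "includedPermissions": INCIDENT_VIEW_PERMISSIONS,
    }


def build_jit_binding(expires_at: datetime) -> dict:
    """Binding that grants the custom role to the DevOps group only until
    expires_at, using a standard IAM condition (CEL) on request.time."""
    return {
        "role": f"projects/{PROJECT_ID}/roles/{ROLE_ID}",
        "members": [DEVOPS_GROUP],
        "condition": {
            "title": "incident-window",
            "description": "Expires when the deployment incident window closes",
            "expression": f'request.time < timestamp("{expires_at.isoformat()}")',
        },
    }


def jit_policy(now: datetime, hours: int) -> dict:
    """Version-3 policy (required for conditions) with one time-bound binding."""
    return {"version": 3, "bindings": [build_jit_binding(now + timedelta(hours=hours))]}


_EXPIRY_RE = re.compile(r'request\.time\s*<\s*timestamp\("([^"]+)"\)')


def role_is_read_only(role: dict) -> bool:
    """Least-privilege check: every permission is a get or list verb."""
    return all(p.endswith((".get", ".list")) for p in role["includedPermissions"])


def binding_is_time_bound(binding: dict, now: datetime) -> bool:
    """JIT check: the binding has an expiry condition that is still in the
    future. A binding with no condition is standing ("always on") access."""
    cond = binding.get("condition")
    if not cond:
        return False
    match = _EXPIRY_RE.search(cond.get("expression", ""))
    if not match:
        return False
    return datetime.fromisoformat(match.group(1)) > now


def review_policy(policy: dict, now: datetime) -> list:
    """Hypothetical reviewer helper: returns findings, empty when both
    requirements hold for every binding in the policy."""
    findings = []
    if policy.get("version") != 3:
        findings.append("policy version must be 3 for IAM conditions to apply")
    for b in policy["bindings"]:
        if not binding_is_time_bound(b, now):
            findings.append(f"{b['role']} granted to {b['members']} without a live expiry condition")
    return findings


if __name__ == "__main__":
    print(json.dumps(build_custom_role(), indent=2))
    print(json.dumps(jit_policy(NOW, 4), indent=2))
    # Standing Project Viewer grant (option A) fails the JIT requirement.
    standing = {"version": 1, "bindings": [{"role": "roles/viewer", "members": [DEVOPS_GROUP]}]}
    print(review_policy(standing, NOW))
```

Running the script prints the role and policy documents and then the findings for a standing `roles/viewer` grant, which fails both the version and the expiry check. Expired bindings are reported as well, because they stay in the policy and should be cleaned up even though they no longer grant access.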
shayke
1 year, 4 months ago
ans is D
upvoted 4 times
AzureDP900
1 year, 6 months ago
D is right
upvoted 4 times
Community vote distribution: A (35%), C (25%), B (20%), Other