Cyber Monday 2024! Hurry Up, Grab the Special Discount - Save 25% - Ends In 00:00:00 Coupon code: SAVE25
Welcome to Pass4Success

- Free Preparation Discussions

Google Exam Professional Cloud DevOps Engineer Topic 4 Question 60 Discussion

Actual exam question for Google's Professional Cloud DevOps Engineer exam
Question #: 60
Topic #: 4
[All Professional Cloud DevOps Engineer Questions]

You are designing a new Google Cloud organization for a client. Your client is concerned with the risks associated with long-lived credentials created in Google Cloud. You need to design a solution to completely eliminate the risks associated with the use of JSON service account keys while minimizing operational overhead. What should you do?

Show Suggested Answer Hide Answer
Suggested Answer: B

The correct answer is B, Apply the constraints/iam.disableServiceAccountKeyCreation constraint to the organization.

According to the Google Cloud documentation, the constraints/iam.disableServiceAccountKeyCreation constraint is an organization policy constraint that prevents the creation of user-managed service account keys1. User-managed service account keys are long-lived credentials that can be downloaded as JSON or P12 files and used to authenticate as a service account2. These keys pose severe security risks if they are leaked, stolen, or misused by unauthorized entities34. By applying this constraint to the organization, you can completely eliminate the risks associated with the use of JSON service account keys and enforce a more secure alternative for authentication, such as Workload Identity or short-lived access tokens12. This also minimizes operational overhead by avoiding the need to manage, rotate, or revoke user-managed service account keys.

The other options are incorrect because they do not completely eliminate the risks associated with the use of JSON service account keys. Option A is incorrect because it only restricts the IAM permissions to create, list, get, delete, or sign service account keys, but it does not prevent existing keys from being used or leaked. Option C is incorrect because it only disables the upload of user-managed service account keys, but it does not prevent the creation or download of such keys. Option D is incorrect because it only limits the IAM role that can create and manage service account keys, but it does not prevent the keys from being distributed or exposed to unauthorized entities.


Disable user-managed service account key creation, Disable user-managed service account key creation. Service accounts, User-managed service accounts. Help keep your Google Cloud service account keys safe, Help keep your Google Cloud service account keys safe. Stop Downloading Google Cloud Service Account Keys!, Stop Downloading Google Cloud Service Account Keys! [Service Account Keys], Service Account Keys. [Disable user-managed service account key upload], Disable user-managed service account key upload. [Granting roles to service accounts], Granting roles to service accounts.

Contribute your Thoughts:

Catarina
8 months ago
Okay, let's break this down. We need to completely eliminate the risks associated with service account keys, but we also need to minimize operational overhead. That rules out option A, since it involves custom roles. I think option B is the way to go.
upvoted 0 times
...
Tuyet
8 months ago
Haha, I bet the exam writers are feeling pretty clever with this one. But you know what they say, 'There's no such thing as a free lunch.' We'll have to be strategic in our approach.
upvoted 0 times
Raelene
8 months ago
Haha, I bet the exam writers are feeling pretty clever with this one. But you know what they say, 'There's no such thing as a free lunch.' We'll have to be strategic in our approach.
upvoted 0 times
...
Cammy
8 months ago
D) Grant the roles/ iam.serviceAccountKeyAdmin IAM role to organization administrators only.
upvoted 0 times
...
Nilsa
8 months ago
B) Apply the constraints/iam.disableserviceAccountKeycreation constraint to the organization.
upvoted 0 times
...
Jacki
8 months ago
A) Use custom versions of predefined roles to exclude all iam.serviceAccountKeys. * service account role permissions.
upvoted 0 times
...
...
Agustin
8 months ago
I agree, the question seems a bit convoluted. But I think the key here is to minimize operational overhead while completely eliminating the risks. That means we need to apply constraints at the organization level.
upvoted 0 times
...
Tish
8 months ago
I'm not a fan of this question. It seems like a trick question, trying to get us to choose the right combination of constraints and roles. I think the best approach is to completely eliminate the use of JSON service account keys.
upvoted 0 times
...

Save Cancel