Google Exam Professional Cloud Security Engineer Topic 4 Question 88 Discussion

Actual exam question for Google's Professional Cloud Security Engineer exam

Question #: 88
Topic #: 4

[All Professional Cloud Security Engineer Questions]

You are developing a new application that uses exclusively Compute Engine VMs Once a day. this application will execute five different batch jobs Each of the batch jobs requires a dedicated set of permissions on Google Cloud resources outside of your application. You need to design a secure access concept for the batch jobs that adheres to the least-privilege principle

What should you do?

A1. Create a general service account **g-sa' to execute the batch jobs.
* 2 Grant the permissions required to execute the batch jobs to g-sa.
* 3. Execute the batch jobs with the permissions granted to g-sa

B1. Create a general service account 'g-sa' to orchestrate the batch jobs.
* 2. Create one service account per batch job Mb-sa-[1-5],' and grant only the permissions required to run the individual batch jobs to the service accounts.
* 3. Grant the Service Account Token Creator role to g-sa Use g-sa to obtain short-lived access tokens for b-sa-[1-5] and to execute the batch jobs with the permissions of b-sa-[1-5].

C1. Create a workload identity pool and configure workload identity pool providers for each batch job
* 2 Assign the workload identity user role to each of the identities configured in the providers.
* 3. Create one service account per batch job Mb-sa-[1-5]'. and grant only the permissions required to run the individual batch jobs to the service accounts
* 4 Generate credential configuration files for each of the providers Use these files to execute the batch jobs with the permissions of b-sa-[1-5].
D.
* 1. Create a general service account 'g-sa' to orchestrate the batch jobs.
* 2 Create one service account per batch job 'b-sa-[1-5)\ Grant only the permissions required to run the individual batch jobs to the service accounts and generate service account keys for each of these service accounts
* 3. Store the service account keys in Secret Manager. Grant g-sa access to Secret Manager and run the batch jobs with the permissions of b-sa-[1-5].

Show Suggested Answer

Suggested Answer: B

by Eric at Sep 14, 2024, 04:00 AM

Limited Time Offer

25%

Off

Get Premium Professional Cloud Security Engineer Questions as Interactive Web-Based Practice Test or PDF

Contribute your Thoughts:

Submit Cancel

Quentin

1 months ago

I'm just glad they didn't include an option that involves manually editing a 500-line YAML file. That's the kind of thing that keeps me up at night.

upvoted 0 times

...

Darell

1 months ago

Is it just me, or does this question sound like it was written by a robot? I'm half-expecting the correct answer to be 'All of the above'.

upvoted 0 times

...

Raylene

1 months ago

I prefer option D. Storing service account keys in Secret Manager adds an extra layer of security.

upvoted 0 times

...

Option C is indeed a great choice. Workload identity pools make it easy to manage permissions for each batch job.

upvoted 0 times

...

1 months ago

upvoted 0 times

...

Julene

2 months ago

I think option B is the best choice. It allows for individual permissions for each batch job.

upvoted 0 times

...