Topic 1 Question 242
You recently discovered that your developers are using many service account keys during their development process. While you work on a long term improvement, you need to quickly implement a process to enforce short-lived service account credentials in your company. You have the following requirements:
• All service accounts that require a key should be created in a centralized project called pj-sa. • Service account keys should only be valid for one day.
You need a Google-recommended solution that minimizes cost. What should you do?
Implement a Cloud Run job to rotate all service account keys periodically in pj-sa. Enforce an org policy to deny service account key creation with an exception to pj-sa.
Implement a Kubernetes CronJob to rotate all service account keys periodically. Disable attachment of service accounts to resources in all projects with an exception to pj-sa.
Enforce an org policy constraint allowing the lifetime of service account keys to be 24 hours. Enforce an org policy constraint denying service account key creation with an exception on pj-sa.
Enforce a DENY org policy constraint over the lifetime of service account keys for 24 hours. Disable attachment of service accounts to resources in all projects with an exception to pj-sa.
ユーザの投票
コメント(6)
- 正解だと思う選択肢: C
it should be C
👍 33arle2023/08/09 Answer is C. Constraint: constraints/iam.serviceAccountKeyExpiryHours does not accept DENY values so D can not be correct.
👍 2niedobry2023/08/03- 正解だと思う選択肢: C
You can use an org policy to enforce a 24-hour lifetime for service account keys. You can use an org policy to deny service account key creation, with an exception for the pj-sa project. This is a Google-recommended solution and it is relatively inexpensive.
👍 2qannik2023/08/05
シャッフルモード