Topic 1 Question 247
Your company is moving its continuous integration and delivery (CI/CD) pipeline to Compute Engine instances. The pipeline will manage the entire cloud infrastructure through code. How can you ensure that the pipeline has appropriate permissions while your system is following security best practices?
A.
• Attach a single service account to the compute instances.
• Add minimal rights to the service account.
• Allow the service account to impersonate a Cloud Identity user with elevated permissions to create, update, or delete resources.
B.
• Add a step for human approval to the CI/CD pipeline before the execution of the infrastructure provisioning.
• Use the human approver's IAM account for the provisioning.
C.
• Attach a single service account to the compute instances.
• Add all required Identity and Access Management (IAM) permissions to this service account to create, update, or delete resources.
D.
• Create multiple service accounts, one for each pipeline, with the appropriate minimal Identity and Access Management (IAM) permissions.
• Use a secret manager service to store the key files of the service accounts.
• Allow the CI/CD pipeline to request the appropriate secrets during the execution of the pipeline.
User votes
Comments (2)
Selected answer: D
ChatGPT says Option D. By following this approach, you can ensure that your CI/CD pipeline has appropriate permissions while adhering to security best practices, including the principle of least privilege and secure management of credentials.
👍 2 KelvinToo 2023/12/31
Selected answer: D
Principle of Least Privilege: Creating separate service accounts for different aspects of your CI/CD pipeline allows you to adhere to the principle of least privilege. This means each service account is granted only the permissions necessary for its specific role in the pipeline.
Security and Organization: Using multiple service accounts makes it easier to manage permissions, track activities, and audit usage for specific tasks or components of your CI/CD process.
Secret Management: Storing the service account key files in a secret manager service (like Google Cloud Secret Manager) enhances security. This approach securely manages and accesses these keys, reducing the risk of unauthorized access or exposure.
Dynamic Access: Allowing the CI/CD pipeline to request the appropriate secrets during execution ensures that credentials are provided only when needed and aren't unnecessarily exposed or stored in less secure environments.
👍 1 Cynthia2023 2024/01/02
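As an added illustration of option D and of the comment above (this is example configuration written for this page, not anything from the question or from Google's own samples), the Terraform below creates one service account per pipeline with only that pipeline's roles, stores each pipeline's key in its own Secret Manager secret, and lets only that pipeline's runner service account read it. The project id, the pipeline names, the role lists and the provider version are placeholders and assumptions.

```hcl
# Added example configuration: per-pipeline service accounts with minimal
# roles, one Secret Manager secret per pipeline key, and a runner service
# account per pipeline that may read only its own secret.
# Assumes google provider >= 5.x (for `replication { auto {} }`).

variable "project_id" {
  default = "example-project-id" # placeholder, not a real project
}

locals {
  # Pipeline name => minimal roles it needs (assumed for the example).
  pipelines = {
    network-infra = ["roles/compute.networkAdmin"]
    app-compute   = ["roles/compute.instanceAdmin.v1", "roles/iam.serviceAccountUser"]
    data-storage  = ["roles/storage.admin"]
  }

  # Flatten {pipeline => [roles]} into one binding per (pipeline, role) pair.
  bindings = merge([
    for name, roles in local.pipelines : {
      for role in roles : "${name}/${role}" => { name = name, role = role }
    }
  ]...)
}

# One provisioning service account per pipeline (option D, first bullet).
resource "google_service_account" "pipeline" {
  for_each     = local.pipelines
  project      = var.project_id
  account_id   = "cicd-${each.key}"
  display_name = "CI/CD pipeline: ${each.key}"
}

# Each pipeline account gets only its own roles, nothing shared.
resource "google_project_iam_member" "pipeline" {
  for_each = local.bindings
  project  = var.project_id
  role     = each.value.role
  member   = "serviceAccount:${google_service_account.pipeline[each.value.name].email}"
}

# Key file per pipeline account, kept in Secret Manager (second bullet).
resource "google_service_account_key" "pipeline" {
  for_each           = local.pipelines
  service_account_id = google_service_account.pipeline[each.key].name
}

resource "google_secret_manager_secret" "pipeline_key" {
  for_each  = local.pipelines
  project   = var.project_id
  secret_id = "cicd-${each.key}-sa-key"
  replication {
    auto {}
  }
}

resource "google_secret_manager_secret_version" "pipeline_key" {
  for_each    = local.pipelines
  secret      = google_secret_manager_secret.pipeline_key[each.key].id
  secret_data = base64decode(google_service_account_key.pipeline[each.key].private_key)
}

# Runner account per pipeline: attached to that pipeline's Compute Engine
# instances, and able only to fetch its own secret at execution time
# (third bullet). It holds no infrastructure roles itself.
resource "google_service_account" "runner" {
  for_each     = local.pipelines
  project      = var.project_id
  account_id   = "cicd-runner-${each.key}"
  display_name = "CI/CD runner for ${each.key}"
}

resource "google_secret_manager_secret_iam_member" "runner_reads_own_key" {
  for_each  = local.pipelines
  project   = var.project_id
  secret_id = google_secret_manager_secret.pipeline_key[each.key].secret_id
  role      = "roles/secretmanager.secretAccessor"
  member    = "serviceAccount:${google_service_account.runner[each.key].email}"
}
```

The runner instances are created with `service_account { email = google_service_account.runner["<pipeline>"].email }` so that a compromised runner for one pipeline can reach only that pipeline's credential, not the union of all pipelines' permissions that option C would grant. The key versions created here are long-lived credentials: plan rotation (a new `google_service_account_key` and secret version, then disabling the old key) and alert on `secretmanager.versions.access` in Cloud Audit Logs from any principal other than the expected runner.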