Topic 1 Question 117
You plan to deploy your cloud infrastructure using a CI/CD cluster hosted on Compute Engine. You want to minimize the risk of its credentials being stolen by a third party. What should you do?
A. Create a dedicated Cloud Identity user account for the cluster. Use a strong self-hosted vault solution to store the user's temporary credentials.
B. Create a dedicated Cloud Identity user account for the cluster. Enable the constraints/iam.disableServiceAccountCreation organization policy at the project level.
C. Create a custom service account for the cluster. Enable the constraints/iam.disableServiceAccountKeyCreation organization policy at the project level.
D. Create a custom service account for the cluster. Enable the constraints/iam.allowServiceAccountCredentialLifetimeExtension organization policy at the project level.
Comments (3)
- Selected answer: C
Disable service account key creation: You can use the iam.disableServiceAccountKeyCreation boolean constraint to disable the creation of new external service account keys. This allows you to control the use of unmanaged long-term credentials for service accounts. When this constraint is set, user-managed credentials cannot be created for service accounts in projects affected by the constraint.
https://cloud.google.com/resource-manager/docs/organization-policy/restricting-service-accounts#example_policy_boolean_constraint
👍 6 ExamQnA 2022/05/22
- Selected answer: C
Also think it is C
👍 4 mikesp 2022/06/02
- Selected answer: C
Answer is (C). To minimize the risk of credentials being stolen by third parties, it is desirable to control the use of unmanaged long-term credentials.
・"constraints/iam.allowServiceAccountCredentialLifetimeExtension": to extend the lifetime of the access token.
・"iam.disableServiceAccountCreation": Disables service account creation.
・"iam.disableServiceAccountCreation": Controls the use of unmanaged long-term credentials for service accounts.
Ref: https://cloud.google.com/resource-manager/docs/organization-policy/restricting-service-accounts#example_policy_boolean_constraint
👍 2 mT3 2022/05/19
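Added example (not from the commenters or from Google's documentation): the documentation quoted above says the constraint blocks creation of new keys, so a check of the CI/CD project should also look for user-managed keys that already exist. It assumes JSON shaped like the output of `gcloud resource-manager org-policies describe` and `gcloud iam service-accounts keys list` with `--format=json`; the project, service account and key IDs are constructed.

```python
CONSTRAINT = "constraints/iam.disableServiceAccountKeyCreation"

# Constructed sample: org policy in the v1 JSON shape (booleanPolicy.enforced).
SAMPLE_POLICY = {"constraint": CONSTRAINT, "booleanPolicy": {"enforced": True}}

# Constructed sample: key listing for a hypothetical CI/CD service account.
SA = ("projects/example-project/serviceAccounts/"
      "ci-deployer@example-project.iam.gserviceaccount.com")
SAMPLE_KEYS = [
    {"name": SA + "/keys/1111aaaa", "keyType": "USER_MANAGED",
     "validBeforeTime": "9999-12-31T23:59:59Z"},
    {"name": SA + "/keys/2222bbbb", "keyType": "SYSTEM_MANAGED",
     "validBeforeTime": "2022-06-20T00:00:00Z"},
]


def constraint_enforced(policy):
    """True only if the policy is for this constraint and is enforced."""
    if policy.get("constraint") != CONSTRAINT:
        return False
    # An unset policy has no booleanPolicy block and counts as not enforced.
    return policy.get("booleanPolicy", {}).get("enforced") is True


def user_managed_keys(keys):
    """Key IDs of user-managed (downloadable) keys; Google-managed keys are skipped."""
    return [k["name"].rsplit("/", 1)[-1] for k in keys
            if k.get("keyType") == "USER_MANAGED"]


def audit(policy, keys):
    """Return findings; an empty list means no long-lived key exposure was found."""
    findings = []
    if not constraint_enforced(policy):
        findings.append(f"{CONSTRAINT} is not enforced: new keys can be created")
    for key_id in user_managed_keys(keys):
        # The constraint stops new keys only; keys created earlier remain valid.
        findings.append(f"user-managed key {key_id} still exists: delete it")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_POLICY, SAMPLE_KEYS):
        print(finding)
```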
