Topic 1 Question 146
Your security team wants to reduce the risk of user-managed keys being mismanaged and compromised. To achieve this, you need to prevent developers from creating user-managed service account keys for projects in their organization. How should you enforce this?
Configure Secret Manager to manage service account keys.
Enable an organization policy to disable service accounts from being created.
Enable an organization policy to prevent service account keys from being created.
Remove the iam.serviceAccounts.getAccessToken permission from users.
ユーザの投票
コメント(3)
- 正解だと思う選択肢: C
C. https://cloud.google.com/iam/docs/best-practices-for-managing-service-account-keys "To prevent unnecessary usage of service account keys, use organization policy constraints:
At the root of your organization's resource hierarchy, apply the Disable service account key creation and Disable service account key upload constraints to establish a default where service account keys are disallowed. When needed, override one of the constraints for selected projects to re-enable service account key creation or upload."
👍 3Random_Mane2022/09/09 C seems to be a correct option but there must be an exclusion for CI/CD pipelines or SuperAdmins/OrgAdmins. Otherwise, nobody will be able to create ServiceAccount Keys.
👍 2Baburao2022/09/03- 正解だと思う選択肢: C
C. Enable an organization policy to prevent service account keys from being created.
👍 2AwesomeGCP2022/10/08
シャッフルモード