Topic 1 Question 205
Select two.
You are running applications outside Google Cloud that need access to Google Cloud resources. You are using workload identity federation to grant external identities Identity and Access Management (IAM) roles to eliminate the maintenance and security burden associated with service account keys. You must protect against attempts to spoof another user's identity and gain unauthorized access to Google Cloud resources.
What should you do?
A. Enable data access logs for IAM APIs.
B. Limit the number of external identities that can impersonate a service account.
C. Use a dedicated project to manage workload identity pools and providers.
D. Use immutable attributes in attribute mappings.
E. Limit the resources that a service account can access.
Comments (5)
- Selected answer: CD
Best practices for protecting against spoofing threats:
  - Use a dedicated project to manage workload identity pools and providers.
  - Use organizational policy constraints to disable the creation of workload identity pool providers in other projects.
  - Use a single provider per workload identity pool to avoid subject collisions.
  - Avoid federating with the same identity provider twice.
  - Protect the OIDC metadata endpoint of your identity provider.
  - Use the URL of the workload identity pool provider as audience.
  - Use immutable attributes in attribute mappings.
  - Use non-reusable attributes in attribute mappings.
  - Don't allow attribute mappings to be modified.
  - Don't rely on attributes that aren't stable or authoritative.
Therefore, Options C and D are correct.
👍 3 Xoxoo 2023/09/18
- Selected answer: CD
👍 2 pfilourenco 2023/08/04
- Selected answer: CD
👍 1 alkaloid 2023/08/04