Google Cloud Associate Cloud Engineer — Question 223

You recently discovered that your developers are using many service account keys during their development process. While you work on a long term improvement, you need to quickly implement a process to enforce short-lived service account credentials in your company. You have the following requirements:

• All service accounts that require a key should be created in a centralized project called pj-sa.
• Service account keys should only be valid for one day.

You need a Google-recommended solution that minimizes cost. What should you do?

Answer options

• A. Implement a Cloud Run job to rotate all service account keys periodically in pj-sa. Enforce an org policy to deny service account key creation with an exception to pj-sa.
• B. Implement a Kubernetes CronJob to rotate all service account keys periodically. Disable attachment of service accounts to resources in all projects with an exception to pj-sa.
• C. Enforce an org policy constraint allowing the lifetime of service account keys to be 24 hours. Enforce an org policy constraint denying service account key creation with an exception on pj-sa.
• D. Enforce a DENY org policy constraint over the lifetime of service account keys for 24 hours. Disable attachment of service accounts to resources in all projects with an exception to pj-sa.

Correct answer: C

Explanation

The correct answer is C because it directly enforces the requirement for service account keys to have a maximum lifetime of 24 hours while also restricting key creation to the centralized project pj-sa. Options A and B involve rotating keys but do not address the key lifetime directly. Option D incorrectly suggests a DENY policy instead of a constraint for key lifetime, which does not align with the requirement.