Google Cloud Professional Cloud Security Engineer — Question 127
You are running applications outside Google Cloud that need access to Google Cloud resources. You are using workload identity federation to grant external identities Identity and Access Management (IAM) roles to eliminate the maintenance and security burden associated with service account keys. You must protect against attempts to spoof another user's identity and gain unauthorized access to Google Cloud resources.
What should you do? (Choose two.)
Answer options
- A. Enable data access logs for IAM APIs.
- B. Limit the number of external identities that can impersonate a service account.
- C. Use a dedicated project to manage workload identity pools and providers.
- D. Use immutable attributes in attribute mappings.
- E. Limit the resources that a service account can access.
Correct answer: C, D
Explanation
C and D are the two controls that address spoofing. D: attribute mappings, in particular `google.subject` and any `attribute.*` used in `principalSet://` bindings, should be derived from a claim the identity provider never reassigns, such as the OIDC `sub` claim or a provider's object ID, not from a mutable attribute such as an e-mail address, UPN or display name. If a mapping keys on e-mail, an IdP administrator can rename an account or re-create one with a previously used address, and the new principal silently inherits the old principal's IAM bindings. C: keeping pools and providers in a dedicated project narrows the set of principals who can create providers or edit attribute mappings and conditions; anyone able to change a provider can map their own token onto another workload's subject, so the project's IAM should be limited to the federation administrators and audited. A (Data Access logs for IAM) is detective rather than preventive. B and E are least-privilege measures that reduce blast radius but do not stop an attacker from presenting as a different external identity.
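To make the two chosen controls concrete, the following Terraform fragment (an added example, not from the exam page or from Google's documentation) shows a provider whose mappings use only immutable claims, created in a project reserved for federation configuration. The project IDs, project number, IdP issuer URL, the `org_id` claim, the subject value and the service account name are all placeholders; the `sub` claim is the standard OIDC subject, which the IdP must never reassign.

```hcl
# Added example: workload identity federation with a dedicated project (C)
# and immutable attribute mappings (D). All identifiers are placeholders.

# (C) A project that holds nothing but pools and providers, so the people who
# can edit attribute mappings or conditions are a small, auditable set.
variable "federation_project_id" {
  type    = string
  default = "wif-admin-prod" # assumed project ID
}

variable "federation_project_number" {
  type    = string
  default = "123456789012" # assumed project number, used in principal:// members
}

resource "google_iam_workload_identity_pool" "external" {
  project                   = var.federation_project_id
  workload_identity_pool_id = "external-workloads"
  display_name              = "External workloads"
}

resource "google_iam_workload_identity_pool_provider" "corp_oidc" {
  project                            = var.federation_project_id
  workload_identity_pool_id          = google_iam_workload_identity_pool.external.workload_identity_pool_id
  workload_identity_pool_provider_id = "corp-oidc"
  display_name                       = "Corporate OIDC IdP"

  oidc {
    issuer_uri = "https://idp.example.com" # assumed IdP; tokens from any other issuer are rejected
  }

  # (D) Weak mapping, do NOT use:
  #   "google.subject" = "assertion.email"
  # An IdP admin can rename an account or re-create one with a previously used
  # e-mail, and the new principal inherits every binding granted to the old one.
  # "sub" is locally unique and never reassigned, so a re-created account gets a
  # new subject and no access.
  attribute_mapping = {
    "google.subject"   = "assertion.sub"
    "attribute.org_id" = "assertion.org_id" # assumed tenant/org claim from the IdP
  }

  # Defence in depth: even a valid token from this issuer is rejected unless it
  # carries our organisation identifier.
  attribute_condition = "assertion.org_id == 'org-7f3a9c'" # assumed value
}

# Grant impersonation to one immutable subject rather than to a mutable name.
# The subject string below is an assumed value of the IdP's "sub" claim.
resource "google_service_account_iam_member" "billing_exporter" {
  service_account_id = "projects/app-prod/serviceAccounts/billing-exporter@app-prod.iam.gserviceaccount.com"
  role               = "roles/iam.workloadIdentityUser"
  member             = "principal://iam.googleapis.com/projects/${var.federation_project_number}/locations/global/workloadIdentityPools/${google_iam_workload_identity_pool.external.workload_identity_pool_id}/subject/8c1e2d4f-5a6b-4c7d-9e0f-1a2b3c4d5e6f"
}
```

The service account itself lives in the application project (`app-prod` here), while the pool and provider live in the dedicated project; only the federation project's IAM needs `roles/iam.workloadIdentityPoolAdmin`, so developers who administer `app-prod` cannot change who a token maps to.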