Google Cloud Professional Cloud Security Engineer — Question 276

Your security team wants to reduce the risk of user-managed keys being mismanaged and compromised. To achieve this, you need to prevent developers from creating user-managed service account keys for projects in their organization. How should you enforce this?

Answer options

• A. Configure Secret Manager to manage service account keys.
• B. Enable an organization policy to disable service accounts from being created.
• C. Enable an organization policy to prevent service account keys from being created.
• D. Remove the iam.serviceAccounts.getAccessToken permission from users.

Correct answer: C

Explanation

The correct answer is C because implementing an organization policy to prevent the creation of service account keys directly addresses the issue of user-managed keys being mismanaged. Option A does not prevent key creation; it only manages them. Option B stops the creation of service accounts altogether, which is broader than necessary. Option D only removes a particular permission but does not restrict key creation.