Google Cloud Professional Cloud Security Engineer — Question 311
Your organization has applications that run in multiple clouds. The applications require access to a Google Cloud resource running in your project. You must use short-lived access credentials to maintain security across the clouds. What should you do?
Answer options
- A. Create a managed workload identity. Bind an attested identity to the Compute Engine workload.
- B. Create a service account key. Download the key to each application that requires access to the Google Cloud resource.
- C. Create a workload identity pool with a workload identity provider for each external cloud. Set up a service account and add an IAM binding for impersonation.
- D. Create a VPC firewall rule for ingress traffic with an allowlist of the IP ranges of the external cloud applications.
Correct answer: C
Explanation
The correct answer is C. A workload identity pool with one workload identity provider per external cloud lets each external workload exchange its own cloud-native identity token for a short-lived Google Cloud access token through workload identity federation; the IAM impersonation binding on the service account then scopes what that token can reach, so no long-lived Google credential is ever distributed to the other clouds. Option A is incorrbecause a managed workload identity binds an attested identity to a Compute Engine workload inside Google Cloud, so it does not address access from applications running in other clouds. Option B is insecure because a downloaded service account key is a long-lived credential that contradicts the short-lived requirement and can be leaked or copied from each application that holds it. Option D only controls network ingress by IP range; it provides no identity or authorization for the external applications and does not grant them access to the resource.