Google Cloud Professional Cloud Security Engineer — Question 85
You plan to deploy your cloud infrastructure using a CI/CD cluster hosted on Compute Engine. You want to minimize the risk of its credentials being stolen by a third party. What should you do?
Answer options
- A. Create a dedicated Cloud Identity user account for the cluster. Use a strong self-hosted vault solution to store the user's temporary credentials.
- B. Create a dedicated Cloud Identity user account for the cluster. Enable the constraints/iam.disableServiceAccountCreation organization policy at the project level.
- C. Create a custom service account for the cluster. Enable the constraints/iam.disableServiceAccountKeyCreation organization policy at the project level.
- D. Create a custom service account for the cluster. Enable the constraints/iam.allowServiceAccountCredentialLifetimeExtension organization policy at the project level.
Correct answer: C
Explanation
The correct answer is C. A custom service account attached to the Compute Engine instances lets the CI/CD cluster obtain short-lived access tokens from the instance metadata server, and enabling constraints/iam.disableServiceAccountKeyCreation ensures that no long-lived, downloadable service account key can be created for it. With no static key in existence, there is no key for a third party to steal. Options A and B rely on a Cloud Identity user account, which is intended for people rather than workloads and does not address the key-management risk (option B's constraint only blocks creating service accounts, not keys). Option D extends the lifetime of service account credentials, which increases rather than minimizes their exposure.