
Answer-first summary for fast verification
Answer: Enforce an org policy constraint allowing the lifetime of service account keys to be 24 hours. Enforce an org policy constraint denying service account key creation with an exception on pj-sa.
The correct answer is C. You can use an organization policy to enforce a 24-hour lifetime for service account keys and also prevent the creation of new service account keys, with an exception for the pj-sa project. This is a Google-recommended solution and it minimizes cost as it leverages existing organization policy constraints without the need to implement additional services like Cloud Run or Kubernetes CronJob.
Author: LeetQuiz Editorial Team
You have discovered that your developers frequently use numerous service account keys during development. To address this issue and enhance security, you need to enforce the use of short-lived service account credentials as a temporary measure. Here are your specific requirements:
• Create all service accounts that require a key in a centralized project named "pj-sa".
• Ensure that service account keys are only valid for one day.
You need a cost-effective, Google-recommended solution. What should you do?
A. Implement a Cloud Run job to rotate all service account keys periodically in pj-sa. Enforce an org policy to deny service account key creation with an exception to pj-sa.
B. Implement a Kubernetes CronJob to rotate all service account keys periodically. Disable attachment of service accounts to resources in all projects with an exception to pj-sa.
C. Enforce an org policy constraint allowing the lifetime of service account keys to be 24 hours. Enforce an org policy constraint denying service account key creation with an exception on pj-sa.
D. Enforce a DENY org policy constraint over the lifetime of service account keys for 24 hours. Disable attachment of service accounts to resources in all projects with an exception to pj-sa.