Answer-first summary for fast verification
Answer: Apply the constraints/iam.disableServiceAccountKevCreation constraint to the organization.
To completely eliminate the risks associated with the use of JSON service account keys while minimizing operational overhead, the best approach is to apply the `constraints/iam.disableServiceAccountKeyCreation` constraint to the organization. This constraint prevents the creation of new service account keys, effectively eliminating the risk associated with long-lived credentials. Option A is the correct answer because it directly addresses the requirement by disabling the creation of service account keys across the entire organization. Option B suggests using custom roles to exclude permissions related to service account keys, which does not completely eliminate the risk as it relies on correct role assignments and does not prevent key creation outright. Option C, `constraints/iam.disableServiceAccountKeyUpload`, is not relevant as it pertains to uploading existing keys, not creating new ones. Option D, granting the `roles/iam.serviceAccountKeyAdmin` role to organization administrators only, does not eliminate the risk but rather centralizes it, which does not meet the requirement to completely eliminate the risk.
Author: LeetQuiz Editorial Team
Ultimate access to all questions.
How can you design a solution to fully mitigate the risks of using JSON service account keys in a new Google Cloud organization while minimizing operational overhead?
A
Apply the constraints/iam.disableServiceAccountKevCreation constraint to the organization.
B
Use custom versions of predefined roles to exclude all iam.serviceAccountKeys.* service account role permissions.
C
Apply the constraints/iam.disableServiceAccountKeyUpload constraint to the organization.
D
Grant the roles/iam.serviceAccountKeyAdmin IAM role to organization administrators only.
No comments yet.