
Answer-first summary for fast verification
Answer: Enforce an organizational policy that sets a 24-hour limit on the lifespan of service account keys and prevents the creation of service account keys, with an exception for 'pj-sa'.
Option B is correct because it directly addresses the requirement for service account keys to expire after one day by enforcing an organizational policy constraint. It also ensures that service account keys can only be created in the 'pj-sa' project, centralizing their management. Options A and C suggest periodic rotation of keys but do not enforce the one-day validity requirement. Option D would prevent the use of service account keys altogether, which contradicts the requirement for short-lived keys.
Author: LeetQuiz Editorial Team
Following a third-party security audit of your Cloud practices, it was noted that developers in your company use multiple service account keys during development. You need a quick, cost-effective solution to limit the lifetime of service account credentials with the following requirements:
A. Implement a Kubernetes CronJob to periodically rotate service account keys and prevent the association of service accounts with resources across all projects, except for 'pj-sa'.
B. Enforce an organizational policy that sets a 24-hour limit on the lifespan of service account keys and prevents the creation of service account keys, with an exception for 'pj-sa'.
C. Set up a recurring Cloud Run task to automatically rotate service account keys at specified intervals for 'pj-sa' and establish an organizational policy to prohibit general service account key creation, making an exception for 'pj-sa'.
D. Apply an organizational policy constraint that restricts the duration of service account keys to 24 hours and blocks the linkage of service accounts to resources across all projects, except for 'pj-sa'.