Answer-first summary for fast verification
Answer: Enable an organization policy to prevent service account keys from being created.
The question asks for the recommended method to prevent developers from creating user-managed service account keys across the entire organization. Option C is the correct answer because Google Cloud's organization policy constraint 'iam.disableServiceAccountKeyCreation' specifically prevents the creation of service account keys at the organization level, which aligns with the requirement to enforce this policy broadly. This is supported by Google's best practices documentation and the community discussion, where C has 100% consensus and upvoted comments reference the official guidance. Option A (Secret Manager) is for managing secrets, not preventing key creation. Option B would disable service account creation entirely, which is overly restrictive and not the requirement. Option D removes a specific permission but doesn't prevent key creation through other means, making it less comprehensive than an organization policy.
Author: LeetQuiz Editorial Team
Ultimate access to all questions.
Your security team wants to mitigate the risk of mismanagement and compromise of user-managed service account keys. You need to enforce a policy that prevents developers from creating these keys for projects across your entire organization. What is the recommended enforcement method?
A
Configure Secret Manager to manage service account keys.
B
Enable an organization policy to disable service accounts from being created.
C
Enable an organization policy to prevent service account keys from being created.
D
Remove the iam.serviceAccounts.getAccessToken permission from users.
No comments yet.