
Answer-first summary for fast verification
Answer: Use a dedicated project to manage workload identity pools and providers. Use immutable attributes in attribute mappings.
The question focuses on protecting against identity spoofing threats in Workload Identity Federation. According to Google's official best practices documentation (referenced multiple times in the community discussion), the recommended measures specifically for spoofing protection include using a dedicated project to manage workload identity pools and providers (Option C) and using immutable attributes in attribute mappings (Option D). Option C helps centralize management and control, while Option D prevents attackers from modifying identity attributes to impersonate others. Option A (IAM API logs) is for auditing, not direct spoofing prevention. Option B (limit external identities) is not a documented best practice for spoofing protection. Option E (limit service account resources) applies to general security through least privilege but is not specifically highlighted for spoofing threats in the referenced documentation. The community consensus strongly supports C and D, with 100% agreement and references to official Google documentation.
Author: LeetQuiz Editorial Team
You are running applications outside of Google Cloud that need to access Google Cloud resources. You are using Workload Identity Federation to grant external identities IAM roles, avoiding the maintenance and security burden of service account keys. You must protect against identity spoofing and unauthorized access.
What should you do? (Choose two.)
A. Enable data access logs for IAM APIs.
B. Limit the number of external identities that can impersonate a service account.
C. Use a dedicated project to manage workload identity pools and providers.
D. Use immutable attributes in attribute mappings.
E. Limit the resources that a service account can access.