Exam Professional Cloud Security Engineer topic 1 question 187 discussion

Normally you would just choose (D) to not break the business continuity. But in this case, when short-lived credentials are created you need to disable/delete service account (disabling service account key doesn't revoke short-lived credentials) https://cloud.google.com/iam/docs/keys-disable-enable#disabling

Important: Disabling a service account key does not revoke short-lived credentials that were issued based on the key. To revoke a compromised short-lived credential, you must disable or delete the service account that the credential represents. If you do so, any workload that uses the service account will immediately lose access to your resources. https://cloud.google.com/iam/docs/keys-disable-enable#disabling

https://cloud.google.com/iam/docs/keys-disable-enable#disabling Disabling a service account key does not revoke short-lived credentials that were issued based on the key. To revoke a compromised short-lived credential, you must disable or delete the service account that the credential represents.

B. Update the perimeter with egressTo and set identityType to ANY_IDENTITY What it does: Updates the service perimeter to allow egress (outbound) traffic from the perimeter to the external Google Cloud project. egressTo specifies the allowed external resource (e.g., the external project with the disk image). identityType: ANY_IDENTITY allows any identity within the perimeter to make the request. Why it's correct: This is the correct way to allow resources in the perimeter to read from the external project while maintaining VPC Service Controls restrictions. Highly suitable, as it enables access to the third-party disk image while adhering to VPC Service Controls.

As per https://cloud.google.com/iam/docs/best-practices-for-managing-service-account-keys#code-repositories

Disabling the compromised service account key immediately prevents any further unauthorized access

A. Delete the compromised service account

The best answer is B. Disable the compromised service account key. Disabling the compromised service account key will immediately revoke access to all resources that are using the key. This will prevent any further unauthorized access to your cloud environment. A. Delete the compromised service account. Deleting the compromised service account will also revoke access to all resources that are using the account. However, this will also delete all of the data associated with the account. This may not be an option if you need to preserve the data.

A. Delete the compromised service account: Deleting the service account will immediately revoke its access, but it may also break systems or services that depend on this service account. This is usually a last-resort measure and could be disruptive to services using the account legitimately.

To revoke short-lived credentials service account, need to be deleted.

I choose option A. Disabling a service account key does not revoke short-lived credentials that were issued based on the key. To revoke a compromised short-lived credential, must delete the service account that the credential represents. If you do so, any workload that uses the service account will immediately lose access to your resources.

A- is correct. https://cloud.google.com/iam/docs/keys-disable-enable#:~:text=Important%3A%20Disabling%20a%20service%20account,account%20that%20the%20credential%20represents.

Why not B?