Exam Associate Cloud Engineer topic 1 question 247 discussion

Actual exam question from Google's Associate Cloud Engineer
Question #: 247
Topic #: 1

Your company is moving its continuous integration and delivery (CI/CD) pipeline to Compute Engine instances. The pipeline will manage the entire cloud infrastructure through code. How can you ensure that the pipeline has appropriate permissions while your system is following security best practices?

  • A.
    • Attach a single service account to the compute instances.
    • Add minimal rights to the service account.
    • Allow the service account to impersonate a Cloud Identity user with elevated permissions to create, update, or delete resources.
  • B.
    • Add a step for human approval to the CI/CD pipeline before the execution of the infrastructure provisioning.
    • Use the human approvals IAM account for the provisioning.
  • C.
    • Attach a single service account to the compute instances.
    • Add all required Identity and Access Management (IAM) permissions to this service account to create, update, or delete resources.
  • D.
    • Create multiple service accounts, one for each pipeline with the appropriate minimal Identity and Access Management (IAM) permissions.
    • Use a secret manager service to store the key files of the service accounts.
    • Allow the CI/CD pipeline to request the appropriate secrets during the execution of the pipeline.
Suggested Answer: D

Comments

iooj
2 months, 1 week ago
It seems you all just use ChatGPT to get the answer. But did you even notice it says they need to move only one pipeline?
upvoted 1 times
iooj
2 months, 1 week ago
By the way, ChatGPT o1-preview says that A is the answer.
Principle of Least Privilege: By assigning minimal rights to the service account, you limit access to only what's necessary for regular operations.
Impersonation for Elevated Actions: Allowing the service account to impersonate a Cloud Identity user with elevated permissions ensures that higher-level permissions are used only when needed and are tightly controlled.
Security Best Practices: This approach avoids the use of long-lived credentials or storing service account keys, reducing potential security risks.
upvoted 2 times
PiperMe
8 months, 3 weeks ago
Selected Answer: D
Option D combines the principle of least privilege with granular permissions, secure credential management, and controlled access during pipeline execution.
upvoted 3 times
guru_ji
9 months, 2 weeks ago
Selected Answer: D
Options A and C both involve attaching a single service account to the compute instances, which goes against the principle of least privilege and increases the risk if that single account is compromised. Option B introduces human approval into the CI/CD pipeline, which could slow down the deployment process and might not be feasible for fully automated deployments. Therefore, option D is the most suitable choice for ensuring both security and efficiency in the CI/CD pipeline setup.
upvoted 3 times
Cynthia2023
10 months, 3 weeks ago
Selected Answer: D
Principle of Least Privilege: Creating separate service accounts for different aspects of your CI/CD pipeline allows you to adhere to the principle of least privilege. This means each service account is granted only the permissions necessary for its specific role in the pipeline.
Security and Organization: Using multiple service accounts makes it easier to manage permissions, track activities, and audit usage for specific tasks or components of your CI/CD process.
Secret Management: Storing the service account key files in a secret manager service (like Google Cloud Secret Manager) enhances security. This approach securely manages and accesses these keys, reducing the risk of unauthorized access or exposure.
Dynamic Access: Allowing the CI/CD pipeline to request the appropriate secrets during execution ensures that credentials are provided only when needed and aren't unnecessarily exposed or stored in less secure environments.
upvoted 2 times
Cynthia2023
10 months, 3 weeks ago
A. Single Service Account with Impersonation: While using a single service account with minimal rights and impersonation can work, it introduces complexity and might not offer the same level of granularity and security as multiple service accounts. Impersonation also adds an additional layer that needs to be securely managed.
upvoted 2 times
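
A check related to the least-privilege points raised in this thread, as an added example that is not part of any comment or of the original page: it reads a project IAM policy in the JSON shape returned by `gcloud projects get-iam-policy --format=json` and flags service accounts that hold broad basic roles, project-wide impersonation roles, or many roles at once. The project, the account names, the sample policy and the `max_roles` threshold are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample policy; project and account names are hypothetical.
DOMAIN = "example-project.iam.gserviceaccount.com"
CI_ALL = f"serviceAccount:ci-all@{DOMAIN}"
SAMPLE_POLICY = {
    "bindings": [
        {"role": "roles/editor", "members": [CI_ALL]},
        {"role": "roles/iam.serviceAccountTokenCreator", "members": [CI_ALL]},
        {"role": "roles/storage.admin",
         "members": [CI_ALL, f"serviceAccount:pipeline-storage@{DOMAIN}"]},
        {"role": "roles/compute.networkAdmin",
         "members": [CI_ALL, f"serviceAccount:pipeline-network@{DOMAIN}"]},
        {"role": "roles/owner", "members": ["user:admin@example.com"]},
    ]
}

# Basic roles that grant far more than a single pipeline needs.
BROAD_ROLES = {"roles/owner", "roles/editor"}
# Granted at project level, these let the member act as or mint tokens
# for every service account in the project.
IMPERSONATION_ROLES = {
    "roles/iam.serviceAccountTokenCreator",
    "roles/iam.serviceAccountUser",
}


def roles_by_service_account(policy):
    """Map each service account email to the set of roles bound to it."""
    grants = defaultdict(set)
    for binding in policy.get("bindings", []):
        for member in binding.get("members", []):
            if member.startswith("serviceAccount:"):
                grants[member.split(":", 1)[1]].add(binding["role"])
    return grants


def audit(policy, max_roles=3):
    """Return (account, finding, detail) tuples, sorted by account."""
    findings = []
    for sa, roles in sorted(roles_by_service_account(policy).items()):
        for role in sorted(roles & BROAD_ROLES):
            findings.append((sa, "broad-role", role))
        for role in sorted(roles & IMPERSONATION_ROLES):
            findings.append((sa, "project-wide-impersonation", role))
        if len(roles) > max_roles:
            findings.append((sa, "role-sprawl", f"{len(roles)} roles"))
    return findings
```

On the constructed policy only `ci-all` is flagged; the two per-pipeline accounts, each with one narrow role, produce no findings, and non-service-account members are ignored.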
KelvinToo
11 months ago
Selected Answer: D
ChatGPT says Option D. By following this approach, you can ensure that your CI/CD pipeline has appropriate permissions while adhering to security best practices, including the principle of least privilege and secure management of credentials.
upvoted 2 times