Exam Professional Cloud Security Engineer topic 1 question 254 discussion

Why Option C: Short-Lived Credentials: Workload Identity Federation allows you to use short-lived credentials, which are more secure than long-lived service account keys. Cross-Cloud Compatibility: By creating a workload identity pool and providers for each external cloud, you can securely authenticate and authorize applications running in different cloud environments. IAM Binding for Impersonation: This setup allows you to grant specific permissions to the service account, ensuring that only authorized actions are performed.

For applications running in multiple clouds that need access to Google Cloud resources, the Workload Identity Federation feature is the most secure and scalable solution. It allows you to grant external workloads access to Google Cloud resources using short-lived credentials, eliminating the need to manage long-lived service account keys. Workload Identity Pool: Create a pool to represent identities from external clouds. Workload Identity Provider: Set up a provider for each external cloud to validate identities from those environments. Short-Lived Credentials: Use Google’s Security Token Service (STS) to exchange tokens from external identity providers for short-lived Google Cloud credentials. Service Account Impersonation: Set up a Google Cloud service account with the required permissions. Add an IAM binding to allow the external identity to impersonate the service account.

It"s C

It's C

C is the correct answer

Correct Answer: C Short-lived access credentials: Workload Identity Federation (WIF) allows you to issue short-lived access tokens to external applications, reducing the risk of credential theft and misuse. Multiple clouds: You can create a workload identity pool for each external cloud, allowing applications from different environments to access your Google Cloud resources securely. Centralized management: WIF provides a centralized way to manage access to your Google Cloud resources, simplifying administration and improving security. Impersonation: By setting up a service account and adding an IAM binding for impersonation, you can allow external applications to act as the service account, granting them the necessary permissions to access your Google Cloud resources.

I think it's A.