Exam Professional Cloud Security Engineer topic 1 question 172 discussion

I think the answer should D. Option B gives them "Always On" permissions but the question asks for "Just in time" permissions. So, this is possible only with a Service Account. Once the incident response team resolves the issue, the service account key can be disabled.

D. Create a service account, and grant it limited list/view permissions. Give the Service Account User Role on this service account to the DevOps team. This option allows you to create a service account with limited access rights (list/view), and the DevOps team will be able to use this service account only when needed. This is consistent with the principle of least privilege and incident-only access.

D. Create a service account, and grant it limited list/view permissions. Give the Service Account User Role on this service account to the DevOps team. This option allows you to create a service account with limited access rights (list/view), and the DevOps team will be able to use this service account only when needed. This is consistent with the principle of least privilege and incident-only access.

D. This approach allows the creation of a service account with specific limited permissions necessary for investigating deployment issues. The DevOps team can then be granted the Service Account User role on this service account. This setup ensures that the DevOps team can use the service account with appropriate permissions only when needed, fulfilling both requirements of least-privilege access and temporary access

Its (D) according https://cloud.google.com/iam/docs/best-practices-service-accounts "Some applications only require access to certain resources at specific times or under specific circumstances....In such scenarios, using a single service account and granting it access to all resources goes against the principle of least privilege"

D. -Least Privilege: By creating a service account with restricted permissions (limited list/view access to specific resources), you adhere to the principle of least privilege. The DevOps team can only access the information needed for investigation without broader project-level control. -Temporary Access: Service accounts are not tied to individual users. Once the investigation is complete, you can simply revoke access to the service account from the DevOps team, effectively removing their access to the resources. This ensures temporary access for the specific incident.

Answer is B, it sets least-privilege access.

Any DevOps Engineer knows verywell, it is D

B or D, I prefer B because of traceability, impersonating an account is harder to audit in relation to using personal account.

I go with D, While B seems to allows defining specific permissions, it adds complexity to the access control strategy and might still grant more access than necessary.

B follows the google best practices

Answer should be B

The real answer shouldn be 'breakglass' tool.

Between B and D, I choose D Because option B Granting IAM roles to the DevOps team directly would give them ongoing, not temporary, access.

I go with B, if we consider D we need to assume too many things and B is simple custom role with JIT condition can address all the issues.

B is more relvant

B is right answer.