PROFESSIONAL-CLOUD-SECURITY-ENGINEER Question #30: Real Exam Question with Answer & Explanation

The correct answer is B: Implement a daily key rotation process, and provide developers with a Cloud Storage bucket from.

Submitted by andreas_gr · Apr 18, 2026 · Configuring access within a cloud solution environment

Question

A Cloud Development team needs to use service accounts extensively in their local development. You need to provide the team with the keys for these service accounts. You want to follow Google-recommended practices. What should you do?

Options

  • A. Implement a daily key rotation process that generates a new key and commits it to the source
  • B. Implement a daily key rotation process, and provide developers with a Cloud Storage bucket from
  • C. Create a Google Group with all developers. Assign the group the IAM role of Service Account
  • D. Create a Google Group with all developers. Assign the group the IAM role of Service Account

Explanation

Google's best practice for service account keys is to rotate them frequently (daily rotation minimizes the window of exposure for a compromised key) and to distribute them through a secure channel. Storing the rotated key in a Cloud Storage bucket with appropriately restricted IAM permissions allows developers to retrieve the latest key without it ever touching source control. Option A is wrong because committing secrets to source code repositories is a critical security anti-pattern - keys in source code are easily leaked. Options C and D describe the Service Account Token Creator role, which allows generating short-lived tokens and is an even better practice when possible, but those options do not actually provide the service account keys the question requires.

Topics

#Service account keys #Key management #Security best practices #IAM
