Google Cloud Professional Cloud Security Engineer Practice Exam


Prepare for the Google Cloud Professional Cloud Security Engineer Exam with our interactive quiz. Study with flashcards and multiple-choice questions, complete with hints and explanations. Ace your exam with confidence!



To minimize credential theft for a CI/CD cluster deployed on Compute Engine, what should be implemented?

  1. Use default service account

  2. Create a custom service account and enable a restriction policy

  3. Regularly rotate service account keys

  4. Disable all service accounts

The correct answer is: Create a custom service account and enable a restriction policy

Using a custom service account and enabling a restriction policy is an effective strategy for minimizing credential theft in a CI/CD cluster deployed on Compute Engine. When you create a custom service account, you can assign it only the permissions that are absolutely necessary for its operation. This principle of least privilege reduces the attack surface, making it more difficult for unauthorized users or services to gain access to sensitive resources.

Additionally, by implementing a restriction policy, you can tightly control how the service account is used. This can include specifying which resources the service account can access and under what conditions, further enhancing security. Restriction policies can help prevent misuse of credentials and limit the potential impact of any credentials that might be compromised.

In contrast, using the default service account would generally provide broader access than necessary, increasing the risk of credential theft. Regularly rotating service account keys is good practice but does not directly address the fundamental principle of limiting permissions. Lastly, disabling all service accounts would severely restrict the functionality of the CI/CD cluster, rendering it ineffective for deployment tasks.