- Home
- Google Associate Cloud Engineer Exam
- Google.Associate-Cloud-Engineer.v2024-06-13.q115
- Question 20
Valid Associate-Cloud-Engineer Dumps shared by ExamDiscuss.com for Helping Passing Associate-Cloud-Engineer Exam! ExamDiscuss.com now offer the newest Associate-Cloud-Engineer exam dumps, the ExamDiscuss.com Associate-Cloud-Engineer exam questions have been updated and answers have been corrected get the newest ExamDiscuss.com Associate-Cloud-Engineer dumps with Test Engine here:
Access Associate-Cloud-Engineer Dumps Premium Version
(328 Q&As Dumps, 35%OFF Special Discount Code: freecram)
<< Prev Question Next Question >>
Question 20/115
Your company is moving its continuous integration and delivery (CI/CD) pipeline to Compute Engine instances. The pipeline will manage the entire cloud infrastructure through code. How can you ensure that the pipeline has appropriate permissions while your system is following security best practices?
Correct Answer: B
* Allow the CI/CD pipeline to request the appropriate secrets during the execution of the pipeline.
Explanation:
The best option is to attach a single service account to the compute instances and add minimal rights to the service account. Then, allow the service account to impersonate a Cloud Identity user with elevated permissions to create, update, or delete resources. This way, the service account can use short-lived access tokens to authenticate to Google Cloud APIs without needing to manage service account keys. This option follows the principle of least privilege and reduces the risk of credential leakage and misuse.
Option A is not recommended because it requires human intervention, which can slow down the CI/CD pipeline and introduce human errors. Option C is not secure because it grants all required IAM permissions to a single service account, which can increase the impact of a compromised key. Option D is not cost-effective because it requires creating and managing multiple service accounts and keys, as well as using a secret manager service.
Reference:
1: https://cloud.google.com/iam/docs/impersonating-service-accounts
2: https://cloud.google.com/iam/docs/best-practices-for-managing-service-account-keys
3: https://cloud.google.com/iam/docs/understanding-service-accounts
Explanation:
The best option is to attach a single service account to the compute instances and add minimal rights to the service account. Then, allow the service account to impersonate a Cloud Identity user with elevated permissions to create, update, or delete resources. This way, the service account can use short-lived access tokens to authenticate to Google Cloud APIs without needing to manage service account keys. This option follows the principle of least privilege and reduces the risk of credential leakage and misuse.
Option A is not recommended because it requires human intervention, which can slow down the CI/CD pipeline and introduce human errors. Option C is not secure because it grants all required IAM permissions to a single service account, which can increase the impact of a compromised key. Option D is not cost-effective because it requires creating and managing multiple service accounts and keys, as well as using a secret manager service.
Reference:
1: https://cloud.google.com/iam/docs/impersonating-service-accounts
2: https://cloud.google.com/iam/docs/best-practices-for-managing-service-account-keys
3: https://cloud.google.com/iam/docs/understanding-service-accounts
- Question List (115q)
- Question 1: You are managing a project for the Business Intelligence (BI...
- Question 2: You have an application that runs on Compute Engine VM insta...
- Question 3: You recently received a new Google Cloud project with an att...
- Question 4: Your company has an existing GCP organization with hundreds ...
- Question 5: You need to add a group of new users to Cloud Identity. Some...
- Question 6: You need to run an important query in BigQuery but expect it...
- Question 7: You are using Container Registry to centrally store your com...
- Question 8: You are hosting an application from Compute Engine virtual m...
- Question 9: You have been asked to create robust Virtual Private Network...
- Question 10: You are building an application that will run in your data c...
- Question 11: You are building an application that stores relational data ...
- Question 12: You are planning to migrate the following on-premises data m...
- Question 13: You have production and test workloads that you want to depl...
- Question 14: You are building an application that processes data files up...
- Question 15: You need to assign a Cloud Identity and Access Management (C...
- Question 16: Your web application has been running successfully on Cloud ...
- Question 17: You are configuring service accounts for an application that...
- Question 18: You have a Bigtable instance that consists of three nodes th...
- Question 19: Your organization has user identities in Active Directory. Y...
- Question 20: Your company is moving its continuous integration and delive...
- Question 21: You have one project called proj-sa where you manage all you...
- Question 22: You want to add a new auditor to a Google Cloud Platform pro...
- Question 23: An employee was terminated, but their access to Google Cloud...
- Question 24: You have an application that uses Cloud Spanner as a databas...
- Question 25: Your company is moving its entire workload to Compute Engine...
- Question 26: You have an on-premises data analytics set of binaries that ...
- Question 27: You need to manage a Cloud Spanner Instance for best query p...
- Question 28: You are working for a startup that was officially registered...
- Question 29: You created a Google Cloud Platform project with an App Engi...
- Question 30: You are managing several Google Cloud Platform (GCP) project...
- Question 31: You have a batch workload that runs every night and uses a l...
- Question 32: You are migrating a production-critical on-premises applicat...
- Question 33: You need to enable traffic between multiple groups of Comput...
- Question 34: Your learn wants to deploy a specific content management sys...
- Question 35: You want to configure 10 Compute Engine instances for availa...
- Question 36: You have deployed an application on a single Compute Engine ...
- Question 37: You have deployed multiple Linux instances on Compute Engine...
- Question 38: Your company has a large quantity of unstructured data in di...
- Question 39: You have a development project with appropriate IAM roles de...
- Question 40: You need to provide a cost estimate for a Kubernetes cluster...
- Question 41: You want to deploy an application on Cloud Run that processe...
- Question 42: You host a static website on Cloud Storage. Recently, you be...
- Question 43: You are working with a Cloud SQL MySQL database at your comp...
- Question 44: You need to set up permissions for a set of Compute Engine i...
- Question 45: You are developing a new web application that will be deploy...
- Question 46: You are building a new version of an application hosted in a...
- Question 47: The storage costs for your application logs have far exceede...
- Question 48: You created a Kubernetes deployment by running kubectl run n...
- Question 49: A company wants to build an application that stores images i...
- Question 50: You are using Deployment Manager to create a Google Kubernet...
- Question 51: You have one GCP account running in your default region and ...
- Question 52: Your managed instance group raised an alert stating that new...
- Question 53: Your application development team has created Docker images ...
- Question 54: Your company's infrastructure is on-premises, but all machin...
- Question 55: You deployed an LDAP server on Compute Engine that is reacha...
- Question 56: You want to verify the IAM users and roles assigned within a...
- Question 57: You have an application that looks for its licensing server ...
- Question 58: Your company wants to migrate their on-premises workloads to...
- Question 59: Your company has a single sign-on (SSO) identity provider th...
- Question 60: You built an application on your development laptop that use...
- Question 61: You want to set up a Google Kubernetes Engine cluster Verifi...
- Question 62: You have a number of compute instances belonging to an unman...
- Question 63: During a recent audit of your existing Google Cloud resource...
- Question 64: You are analyzing Google Cloud Platform service costs from t...
- Question 65: You have a website hosted on App Engine standard environment...
- Question 66: You are building a multi-player gaming application that will...
- Question 67: Your company has workloads running on Compute Engine and on-...
- Question 68: Your customer wants you to create a secure website with auto...
- Question 69: Your team maintains the infrastructure for your organization...
- Question 70: You need to update a deployment in Deployment Manager withou...
- Question 71: You have been asked to set up the billing configuration for ...
- Question 72: You need to configure IAM access audit logging in BigQuery f...
- Question 73: Your company is using Google Workspace to manage employee ac...
- Question 74: An application generates daily reports in a Compute Engine v...
- Question 75: You are setting up a Windows VM on Compute Engine and want t...
- Question 76: You are designing an application that uses WebSockets and HT...
- Question 77: You have files in a Cloud Storage bucket that you need to sh...
- Question 78: You have an instance group that you want to load balance. Yo...
- Question 79: You need to select and configure compute resources for a set...
- Question 80: You have deployed an application on a Compute Engine instanc...
- Question 81: You deployed an application on a managed instance group in C...
- Question 82: You used the gcloud container clusters command to create two...
- Question 83: You have an application running in Google Kubernetes Engine ...
- Question 84: You manage an App Engine Service that aggregates and visuali...
- Question 85: You want to send and consume Cloud Pub/Sub messages from you...
- Question 86: Your company implemented BigQuery as an enterprise data ware...
- Question 87: You need to create an autoscaling managed instance group for...
- Question 88: You have downloaded and installed the gcloud command line in...
- Question 89: Your company's security vulnerability management policy wont...
- Question 90: Your finance team wants to view the billing report for your ...
- Question 91: Your company developed a mobile game that is deployed on Goo...
- Question 92: You have 32 GB of data in a single file that you need to upl...
- Question 93: Every employee of your company has a Google account. Your op...
- Question 94: You are the team lead of a group of 10 developers. You provi...
- Question 95: You need to produce a list of the enabled Google Cloud Platf...
- Question 96: You are the project owner of a GCP project and want to deleg...
- Question 97: Your organization uses G Suite for communication and collabo...
- Question 98: You are migrating a business critical application from your ...
- Question 99: Your coworker has helped you set up several configurations f...
- Question 100: You are working for a hospital that stores Its medical image...
- Question 101: Your Dataproc cluster runs in a single Virtual Private Cloud...
- Question 102: You are assisting a new Google Cloud user who just installed...
- Question 103: You have a Dockerfile that you need to deploy on Kubernetes ...
- Question 104: You need to immediately change the storage class of an exist...
- Question 105: You have sensitive data stored in three Cloud Storage bucket...
- Question 106: You are running a web application on Cloud Run for a few hun...
- Question 107: You have a workload running on Compute Engine that is critic...
- Question 108: You are assigned to maintain a Google Kubernetes Engine (GKE...
- Question 109: The core business of your company is to rent out constructio...
- Question 110: You are managing a Data Warehouse on BigQuery. An external a...
- Question 111: You are building a pipeline to process time-series dat a. Wh...
- Question 112: You create a new Google Kubernetes Engine (GKE) cluster and ...
- Question 113: You have developed an application that consists of multiple ...
- Question 114: You significantly changed a complex Deployment Manager templ...
- Question 115: You are working in a team that has developed a new applicati...
[×]
Download PDF File
Enter your email address to download Google.Associate-Cloud-Engineer.v2024-06-13.q115.pdf