GCP Professional Cloud Security Engineer Practice Question
A compliance review discovers that an AWS Lambda function keeps a long-lived JSON key for the [email protected] account in AWS Secrets Manager. The key lets the function upload CSV files to a single Cloud Storage bucket in the production project. Security mandates removal of any stored keys, use of short-lived credentials, and adherence to the principle of least privilege. Which solution best satisfies all requirements while minimally refactoring the Lambda code?
Enable HMAC access for Cloud Storage, create an access key pair for the existing service account, store the keys in AWS Secrets Manager, and restrict uploads with object-level ACLs.
Create a workload identity pool with an AWS provider that trusts a designated IAM role used by the Lambda function. Map the role to a new service account that has only the Storage Object Creator role on the required bucket, then update the function to request federated tokens at runtime.
Generate a new user-managed service account key with a 24-hour rotation schedule in AWS Secrets Manager and update the Lambda environment variables to reference the rotating secret.
Establish VPC peering between AWS and Google Cloud and deploy a Compute Engine proxy VM with the existing service account attached; configure the Lambda function to SCP files through the proxy to the bucket.
Workload Identity Federation allows external workloads such as an AWS Lambda function to exchange their native cloud credentials for short-lived Google Cloud access tokens, eliminating the need to store a user-managed service account key. By creating a workload identity pool and an AWS provider that trusts a specific IAM role, you can map that role to a dedicated Google Cloud service account. Granting the service account the Storage Object Creator role on only the target bucket enforces least privilege. When the Lambda function assumes the trusted AWS role it automatically receives a signed identity token, which the Security Token Service exchanges for a temporary access token to impersonate the service account and write objects. The other options either continue to rely on long-lived keys, introduce unnecessary infrastructure, or use HMAC credentials that must still be stored and rotated, so they do not meet the stated security objectives.
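As an added example (not code from the page, from Google or from any project it describes), this is the Lambda-side change the correct option describes: the external-account credential configuration that replaces the stored key, plus an upload that uses it. It assumes google-auth and google-cloud-storage are in the Lambda deployment package; every project number, pool, provider, service-account and bucket name is a constructed placeholder.

```python
"""Added example, not from the page: the Lambda-side change implied by the
correct option. All names below are constructed placeholders."""

AWS_METADATA = "http://169.254.169.254/latest/meta-data"
GCS_RW_SCOPE = "https://www.googleapis.com/auth/devstorage.read_write"


def build_credential_config(project_number, pool_id, provider_id, sa_email):
    """External-account config that replaces the stored JSON key.
    It holds no secret: the function proves its identity by signing an AWS
    GetCallerIdentity request with its execution role's credentials; Google's
    STS verifies that, then impersonates the mapped service account.
    """
    audience = (f"//iam.googleapis.com/projects/{project_number}/locations/"
                f"global/workloadIdentityPools/{pool_id}/providers/{provider_id}")
    return {
        "type": "external_account",
        "audience": audience,
        "subject_token_type": "urn:ietf:params:aws:token-type:aws4_request",
        "service_account_impersonation_url": (
            "https://iamcredentials.googleapis.com/v1/projects/-/"
            f"serviceAccounts/{sa_email}:generateAccessToken"),
        "token_url": "https://sts.googleapis.com/v1/token",
        "credential_source": {
            "environment_id": "aws1",
            # On Lambda these URLs are not contacted: google-auth reads the
            # role's AWS_ACCESS_KEY_ID/SECRET/SESSION_TOKEN and AWS_REGION first.
            "region_url": f"{AWS_METADATA}/placement/availability-zone",
            "url": f"{AWS_METADATA}/iam/security-credentials",
            "regional_cred_verification_url": (
                "https://sts.{region}.amazonaws.com"
                "?Action=GetCallerIdentity&Version=2011-06-15"),
        },
    }


def contains_key_material(config):
    """Compliance guard: a federated config must carry no key material."""
    return any(k in config for k in ("private_key", "private_key_id", "client_secret"))


def upload_csv(config, project_id, bucket_name, local_path, object_name):
    """Replacement for the old key-based upload path inside the Lambda."""
    from google.auth import aws          # assumed in the deployment package
    from google.cloud import storage     # assumed in the deployment package

    creds = aws.Credentials.from_info(config, scopes=[GCS_RW_SCOPE])
    client = storage.Client(project=project_id, credentials=creds)
    # Storage Object Creator on the bucket allows exactly this create call.
    client.bucket(bucket_name).blob(object_name).upload_from_filename(local_path)
    return object_name
```

The same configuration is what `gcloud iam workload-identity-pools create-cred-config` emits for an AWS provider; the remaining pool, provider and IAM-binding setup happens on the Google Cloud side, not in the function.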