GCP Professional Cloud Security Engineer Practice Question
All Compute Engine VMs in a legacy project run under the [email protected] default service account, which currently holds the Editor role on the project. A new security mandate requires that instances be able to only write objects to the gs://backup-logs bucket, that the default service account be disabled once the change is verified safe, and that nightly backup availability not be disrupted. Which sequence of actions meets these requirements?
Create a dedicated service account, grant it the Storage Object Creator role only on gs://backup-logs, stop each VM one at a time, attach the new service account, restart and verify backups, then disable the default compute service account.
Create a new service account with the Project Editor role, generate a user-managed key, copy the key to every VM, reconfigure the backup script to use the key file, then disable the default service account.
Remove the Editor role from the default compute service account, grant it the Storage Object Creator role on the bucket, leave the VMs running, then delete the default service account after backups succeed.
Immediately disable the default compute service account, create a new service account with the Storage Object Admin role, and attach it to each running instance using gcloud without stopping the VMs.
Create a purpose-built service account and grant it the least-privilege roles/storage.objectCreator role only on the gs://backup-logs bucket. Migrate each VM individually by stopping it, attaching the new service account, and restarting and validating backups before moving to the next VM. After every instance is confirmed to back up successfully with the new identity, disable (do not delete) the [email protected] account. This removes excess Editor permissions without interrupting the nightly backup workflow and avoids the risks of distributing user-managed keys or deleting a default service account.
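The sequence from the explanation above, written as a shell script that defaults to a dry run; this is an added example, not part of the original question. The project ID, project number, the account name `backup-writer`, the `run` wrapper and the `verify_backup` hook are assumptions, and with `DRY_RUN=1` the gcloud commands are only printed.

```shell
# Added example: staged move off the default Compute Engine service account.
# Placeholders/assumptions: PROJECT_ID, PROJECT_NUMBER, backup-writer, verify_backup.
set -eu
PROJECT_ID="${PROJECT_ID:-example-project}"
PROJECT_NUMBER="${PROJECT_NUMBER:-000000000000}"
NEW_SA="backup-writer@${PROJECT_ID}.iam.gserviceaccount.com"
DEFAULT_SA="${PROJECT_NUMBER}-compute@developer.gserviceaccount.com"
BUCKET="gs://backup-logs"

# DRY_RUN=1 (default) prints each command instead of executing it.
run() { if [ "${DRY_RUN:-1}" = "1" ]; then echo "$*"; else "$@"; fi; }

# The role is bound on the bucket only; the account gets no project-level role.
create_identity() {
  run gcloud iam service-accounts create backup-writer \
    --project="$PROJECT_ID" --display-name="Backup writer" &&
  run gcloud storage buckets add-iam-policy-binding "$BUCKET" \
    --member="serviceAccount:${NEW_SA}" --role="roles/storage.objectCreator"
}

# Hypothetical hook: replace with a real check that this VM's backup object
# arrived. Outside a dry run it fails closed until it is replaced.
verify_backup() { [ "${DRY_RUN:-1}" = "1" ]; }

# Args: instance, zone. Steps are chained with && so a failed step stops here;
# the cloud-platform scope leaves the bucket IAM binding as the effective limit.
migrate_vm() {
  run gcloud compute instances stop "$1" --zone="$2" --project="$PROJECT_ID" &&
  run gcloud compute instances set-service-account "$1" --zone="$2" \
    --project="$PROJECT_ID" --service-account="$NEW_SA" --scopes=cloud-platform &&
  run gcloud compute instances start "$1" --zone="$2" --project="$PROJECT_ID" &&
  verify_backup "$1"
}

# Args: name:zone pairs. The default account is disabled (never deleted) only
# after every VM has been migrated and verified.
migrate_all() {
  create_identity || return 1
  for pair in "$@"; do
    migrate_vm "${pair%%:*}" "${pair##*:}" ||
      { echo "HALT: $pair not verified; default account left enabled" >&2; return 1; }
  done
  run gcloud iam service-accounts disable "$DEFAULT_SA" --project="$PROJECT_ID"
}

if [ "$#" -gt 0 ]; then migrate_all "$@"; fi
```

Run it between backup windows with arguments such as `vm1:us-central1-a`, and set `DRY_RUN=0` only after replacing `verify_backup` with a check that fits the backup job.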
GCP Professional Cloud Security Engineer
Configuring Access