GCP Professional Cloud Security Engineer Practice Question
Your company has 9,000 employees who authenticate to Google Cloud through an on-premises SAML 2.0 identity provider that already enforces multifactor authentication (MFA). In addition, the security team maintains two non-federated "break-glass" super administrator accounts that must never rely on the on-premises IdP. Compliance now requires that all super administrators use only FIDO2 security keys as a second factor, while ordinary users must continue to authenticate via the existing IdP workflow without being challenged twice for MFA. What should you do to meet these requirements with the least disruption?
Generate app passwords for the break-glass accounts, store them in Secret Manager, and configure an Access Transparency alert whenever they are used.
Place the two break-glass super admin accounts in their own organizational unit and enable the Enforce 2-Step Verification policy for that OU, allowing only FIDO2 security keys; keep SAML SSO unchanged for all other users.
Disable SAML SSO for the entire domain and turn on mandatory 2-Step Verification with security keys at the organization level so every user must register a key at next sign-in.
Create a context-aware access level that requires an MFA assertion and apply it to all Google Cloud services; leave 2-Step Verification optional in Google Workspace.
The break-glass super administrator accounts should be isolated from the rest of the workforce and forced to use Google-managed 2-Step Verification (2SV) with FIDO2 security keys. Because the bulk of users are federated, Google Workspace 2SV policies do not affect them: Google redirects them to the SAML IdP, which already requires MFA, so they are not prompted a second time. Moving only the two non-federated accounts into a separate organizational unit or group and applying an "Only security keys" 2SV enforcement policy to that subset meets the compliance mandate without altering the SSO experience for other users. The alternative choices either disrupt all users by disabling SSO, fail to guarantee that only security keys are used, or rely on less secure app passwords that do not provide MFA.
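A way to check that the layout described above actually holds, as an added example that is not part of the original question: the script audits user records shaped like the Admin SDK Directory API User resource (`isAdmin`, `orgUnitPath`, `isEnrolledIn2Sv`, `isEnforcedIn2Sv`). The OU path `/BreakGlass` and the sample accounts are assumptions constructed for illustration; these fields do not reveal which 2SV methods are allowed, so the "Only security keys" setting itself still has to be confirmed on the OU's policy.

```python
import json

# Assumption: the dedicated OU is named /BreakGlass (hypothetical path).
BREAK_GLASS_OU = "/BreakGlass"

# Constructed sample records using field names from the Admin SDK
# Directory API User resource; the accounts themselves are invented.
SAMPLE_USERS = json.loads("""
[
  {"primaryEmail": "bg-admin1@example.com", "orgUnitPath": "/BreakGlass",
   "isAdmin": true, "isEnrolledIn2Sv": true, "isEnforcedIn2Sv": true},
  {"primaryEmail": "bg-admin2@example.com", "orgUnitPath": "/BreakGlass",
   "isAdmin": true, "isEnrolledIn2Sv": false, "isEnforcedIn2Sv": true},
  {"primaryEmail": "it-lead@example.com", "orgUnitPath": "/Staff/IT",
   "isAdmin": true, "isEnrolledIn2Sv": false, "isEnforcedIn2Sv": false},
  {"primaryEmail": "intern@example.com", "orgUnitPath": "/BreakGlass",
   "isAdmin": false, "isEnrolledIn2Sv": false, "isEnforcedIn2Sv": true},
  {"primaryEmail": "analyst@example.com", "orgUnitPath": "/Staff/Finance",
   "isAdmin": false, "isEnrolledIn2Sv": false, "isEnforcedIn2Sv": false}
]
""")


def audit_break_glass(users, ou=BREAK_GLASS_OU):
    """Return sorted (email, finding) pairs for accounts that break the layout."""
    findings = []
    for u in users:
        email = u["primaryEmail"]
        in_ou = u.get("orgUnitPath") == ou
        if u.get("isAdmin"):  # isAdmin marks super administrators
            if not in_ou:
                findings.append((email, "super admin outside break-glass OU"))
            if not u.get("isEnforcedIn2Sv"):
                findings.append((email, "2SV not enforced"))
            if not u.get("isEnrolledIn2Sv"):
                findings.append((email, "no 2SV method enrolled"))
        elif in_ou:
            # Ordinary users here would inherit the security-key-only policy.
            findings.append((email, "non-admin inside break-glass OU"))
    return sorted(findings)


if __name__ == "__main__":
    for email, finding in audit_break_glass(SAMPLE_USERS):
        print(f"{email}: {finding}")
```

Federated users such as the constructed `analyst@example.com` record produce no finding even with 2SV unenforced, which matches the explanation: their MFA is handled by the SAML IdP.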
GCP Professional Cloud Security Engineer
Configuring Access