GCP Professional Cloud Security Engineer Practice Question
Your company uses Cloud Identity with mandatory SAML-based single sign-on (SSO) to an external identity provider (IdP). All existing Google Cloud "Super Administrator" accounts are federated through that IdP. Security leadership is concerned that a prolonged IdP outage would leave the company unable to administer Google Cloud. At the same time, they want to reduce the risk of account takeover for day-to-day Super Administrator logins. Which approach best satisfies both objectives while following Google-recommended practices?
Create two additional Cloud Identity-native Super Administrator accounts excluded from SSO, protect them with hardware security-key 2-Step Verification, and store their credentials in a secure offline location for emergency use only.
Grant the Super Administrator role to a service account, download its private key, and distribute the key to on-call engineers for use if the IdP is unreachable.
Configure an IAM Deny policy that exempts principals holding the Super Administrator role from any authentication failures caused by IdP outages.
Disable SAML SSO for the entire domain so Super Administrators can always sign in with Google passwords protected only by CAPTCHA challenges.
Google recommends having at least one "break-glass" or emergency Super Administrator account that does not depend on the external IdP. Creating one or two native (non-federated) Super Administrator accounts whose strong, randomly generated passwords and hardware-based 2-Step Verification factors are stored securely offline ensures administrative access even if the IdP is unavailable. Regular Super Administrators continue to authenticate with SSO, protected by hardware security keys.

Granting a service account Super Administrator privileges and sharing a JSON key is risky because keys are long-lived, hard to revoke, and violate least-privilege principles. Disabling SSO for everyone weakens security and does not meet the "minimize risk" requirement. IAM Deny policies cannot guarantee access during IdP outages and cannot override authentication failures, so they do not address the stated problem.
GCP Professional Cloud Security Engineer
Configuring Access