GCP Professional Cloud Security Engineer Practice Question
Your organization migrated to Cloud Identity and currently has four staff members who perform daily administration using Super Administrator privileges. A recent internal risk assessment highlights that this practice violates least-privilege principles and exposes the company if any of those credentials are phished. Security wants to (1) restrict routine use of Super Administrator power, (2) guarantee emergency recovery if the primary IdP or MFA service is unavailable, and (3) keep an auditable trail with minimal day-to-day overhead. Which strategy best satisfies all three goals?
Create two dedicated break-glass Super Administrator accounts that are excluded from SSO and 2-Step Verification, secured with long random passwords stored in an offline safe; assign the four staff members delegated admin roles matching their job duties and monitor any logins to the break-glass accounts.
Enable Privileged Access Manager so the four staff members request time-bound elevation to the Super Administrator role whenever needed, and disable all standing Super Administrator accounts.
Rotate the passwords of all four Super Administrator accounts monthly, require phone-based 2-Step Verification, and configure an automated rule that unlocks a fifth Super Administrator account if no admin logs in for 48 hours.
Keep one existing Super Administrator account for everyday work and enforce FIDO2 security-key MFA on it; demote the other three to Help Desk Admin and rely on Access Context Manager to restrict their logins to corporate IP ranges.
Limiting exposure means removing standing Super Administrator privileges from day-to-day identities and granting them only the narrow administrative roles required for routine tasks. Google recommends maintaining at least one (preferably two) emergency or "break-glass" Super Administrator accounts that are not subject to SSO or MFA enforcement, use strong randomly generated passwords stored offline, and are monitored for any sign-in activity. This arrangement ensures recovery even if the primary IdP or MFA infrastructure is unavailable, satisfies least-privilege by removing broad rights from everyday accounts, and keeps audit logs for the seldom-used break-glass logins. The other options either keep routine Super Administrator use, depend on the availability of MFA/IdP for recovery, or rely on features (like automatic unlocking) that do not provide controlled, auditable emergency access.
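A sketch of the monitoring the explanation above calls for, added here as an example and not part of the original question: it flags any sign-in or admin action by a break-glass account and any Super Administrator grant to a day-to-day identity. The account names, the sample events and the flattened record shape (modeled on Admin SDK Reports API activity records) are constructed assumptions.

```python
# Added example. Events are constructed; field names are modeled on
# Admin SDK Reports API activity records (assumption, verify against your export).
BREAK_GLASS = {"bg-admin-1@example.com", "bg-admin-2@example.com"}  # hypothetical
SUPER_ADMIN_ROLE = "_SEED_ADMIN_ROLE"  # system name of the Super Admin role

def ev(time, app, actor, name, **params):
    return {"time": time, "app": app, "actor": actor, "name": name, "params": params}

SAMPLE_EVENTS = [  # constructed
    ev("2024-05-01T08:02:11Z", "login", "alice@example.com", "login_success"),
    ev("2024-05-03T02:14:40Z", "login", "bg-admin-1@example.com", "login_failure"),
    ev("2024-05-03T02:15:05Z", "login", "BG-Admin-1@example.com", "login_success"),
    ev("2024-05-03T02:19:30Z", "admin", "bg-admin-1@example.com", "ASSIGN_ROLE",
       ROLE_NAME=SUPER_ADMIN_ROLE, USER_EMAIL="bob@example.com"),
    ev("2024-05-04T09:00:00Z", "admin", "alice@example.com", "ASSIGN_ROLE",
       ROLE_NAME="_HELP_DESK_ADMIN_ROLE", USER_EMAIL="carol@example.com"),
]

def review(events, break_glass=frozenset(BREAK_GLASS)):
    """Return (severity, rule, account, time) tuples for events needing follow-up."""
    findings = []
    for e in events:
        actor = e["actor"].lower()
        if actor in break_glass:
            if e["app"] == "login":
                # Failed attempts matter too: nobody should be trying these accounts.
                sev = "CRITICAL" if e["name"] == "login_success" else "HIGH"
                findings.append((sev, "break_glass_login", actor, e["time"]))
            else:
                findings.append(("CRITICAL", "break_glass_admin_action", actor, e["time"]))
        if e["app"] == "admin" and e["name"] == "ASSIGN_ROLE":
            target = e["params"].get("USER_EMAIL", "").lower()
            if e["params"].get("ROLE_NAME") == SUPER_ADMIN_ROLE and target not in break_glass:
                # Standing Super Administrator on a day-to-day identity.
                findings.append(("HIGH", "standing_super_admin_grant", target, e["time"]))
    return findings

if __name__ == "__main__":
    for finding in review(SAMPLE_EVENTS):
        print(*finding, sep="  ")
```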
GCP Professional Cloud Security Engineer
Configuring Access