GCP Professional Cloud Security Engineer Practice Question
Your organization uses an infrastructure-as-code pipeline to spin up new Google Cloud projects and VM instances for internal development teams. Security has discovered that many Compute Engine VMs still run with the Compute Engine default service account, which in each new project is automatically granted the Project Editor role. Compliance now requires:
No new project may automatically grant broad roles (such as Editor) to its default service account or allow VMs to run with that account unless engineers explicitly choose to do so.
Existing applications that already depend on the default service account must keep working until they are migrated to least-privilege, so the account itself must remain active.
Any future creation of user-managed keys for the default service accounts must be detected immediately and routed to the security operations Pub/Sub topic for investigation.
Which solution meets all of these requirements with the least operational disruption?
Disable the Compute Engine default service account at the organization level, force each project to create a new service account, and rely on Cloud Asset Inventory exports to detect any user-managed key creation via daily batch reports.
Remove the Editor role from each default service account, create an IAM Deny policy blocking iam.serviceAccounts.actAs on that account, and enable the constraints/iam.disableServiceAccountKeyUpload policy to satisfy the detection requirement.
Enable the constraints/iam.automaticIamGrantsForDefaultServiceAccounts Organization Policy, update the Terraform module to set a specific service account or no-service-account on new instances, and create an organization-level log sink that exports google.iam.admin.v1.CreateServiceAccountKey audit log entries to a Pub/Sub topic subscribed to by the security team.
Delete the default service account in every existing project, enable the constraints/iam.disableServiceAccountCreation policy, and configure Access Transparency to notify the security team when new service account keys are created.
Enforcing the Organization Policy constraint constraints/iam.automaticIamGrantsForDefaultServiceAccounts stops Google Cloud from automatically granting the Editor role to the Compute Engine (and App Engine) default service account in any project created after the constraint is enforced. It does not delete, disable, or strip roles from default service accounts that already exist, so running workloads keep working; removing Editor from the default account in existing projects is a separate step of the least-privilege migration. When a VM or instance template is created without an explicit service account (the gcloud and Console default), it gets the project's Compute Engine default service account; having the Terraform module always set a dedicated, least-privileged service account (or --no-service-account together with --no-scopes) on new instances keeps new VMs off the default account without changing that account's current permissions. Finally, an aggregated, organization-level log sink (include-children) whose filter matches the IAM Admin Activity audit log entry protoPayload.serviceName="iam.googleapis.com" AND protoPayload.methodName="google.iam.admin.v1.CreateServiceAccountKey" and whose destination is a Pub/Sub topic delivers a message to the security team in near real time whenever a user-managed key is created for any service account, the default ones included. Admin Activity audit logs are always written, so no Data Access logging has to be enabled for this to work. This combination satisfies all three requirements with minimal impact. The other options either break existing workloads (by disabling or deleting the default account), fail to prevent future broad role grants, or do not detect key creation in real time: Cloud Asset Inventory exports are batch reports, constraints/iam.disableServiceAccountKeyUpload is prevention of one key path rather than detection, and Access Transparency logs actions taken by Google personnel, not by your own principals.
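The three pieces of the correct answer written out as Terraform. This is an added example, not code from the page or from any Google-maintained module. It assumes an organization ID, a development project that receives the VM, and a separate SecOps project that owns the Pub/Sub topic, all passed in as variables; the resource names, machine type and image are illustrative.

```hcl
# Added example: org policy + explicit VM identity + org-level key-creation sink.
# Assumes variables org_id, project_id and secops_project_id; names are illustrative.

terraform {
  required_providers {
    google = {
      source  = "hashicorp/google"
      version = ">= 5.0"
    }
  }
}

variable "org_id" {
  type = string
}

variable "project_id" {
  type = string # project that receives the new development VM
}

variable "secops_project_id" {
  type = string # project that owns the security operations topic
}

# Requirement 1 (new projects): stop the automatic Editor grant to default
# service accounts org-wide. Boolean constraint, enforced at the org root.
# Requirement 2 is met by omission: nothing here disables or modifies any
# existing default service account.
resource "google_org_policy_policy" "no_default_sa_grants" {
  name   = "organizations/${var.org_id}/policies/iam.automaticIamGrantsForDefaultServiceAccounts"
  parent = "organizations/${var.org_id}"

  spec {
    rules {
      enforce = "TRUE"
    }
  }
}

# Requirement 1 (new VMs): every instance the module creates gets a dedicated,
# least-privilege identity. Roles are granted to this account, never to the default one.
resource "google_service_account" "workload" {
  project      = var.project_id
  account_id   = "dev-workload"
  display_name = "Least-privilege identity for development VMs"
}

resource "google_compute_instance" "dev_vm" {
  project      = var.project_id
  name         = "dev-vm"
  zone         = "us-central1-a"
  machine_type = "e2-small"

  boot_disk {
    initialize_params {
      image = "debian-cloud/debian-12"
    }
  }

  network_interface {
    network = "default"
  }

  # Explicit service account. cloud-platform scope plus IAM roles on the
  # account is the recommended way to bound what the VM may do.
  service_account {
    email  = google_service_account.workload.email
    scopes = ["cloud-platform"]
  }
}

# Requirement 3: Admin Activity audit entries for service account key
# creation, from every folder and project under the org, go to SecOps.
resource "google_pubsub_topic" "secops_sa_keys" {
  project = var.secops_project_id
  name    = "secops-sa-key-events"
}

resource "google_logging_organization_sink" "sa_key_creation" {
  name             = "sa-key-creation-to-secops"
  org_id           = var.org_id
  include_children = true # aggregated sink: covers all child folders and projects
  destination      = "pubsub.googleapis.com/${google_pubsub_topic.secops_sa_keys.id}"

  # Both ways a user-managed key can appear: Google-generated private key
  # (Create) and customer-supplied public key (Upload).
  filter = <<-EOT
    protoPayload.serviceName="iam.googleapis.com"
    AND (protoPayload.methodName="google.iam.admin.v1.CreateServiceAccountKey"
         OR protoPayload.methodName="google.iam.admin.v1.UploadServiceAccountKey")
  EOT
}

# The sink publishes as a Google-managed identity that must be allowed to publish.
resource "google_pubsub_topic_iam_member" "sink_publisher" {
  project = var.secops_project_id
  topic   = google_pubsub_topic.secops_sa_keys.name
  role    = "roles/pubsub.publisher"
  member  = google_logging_organization_sink.sa_key_creation.writer_identity
}
```

Applying this needs Organization Policy Administrator and Logs Configuration Writer on the organization, and the Org Policy API enabled in the project Terraform runs as. The filter is deliberately broad (every service account), matching the explanation above; to alert only on the Compute Engine default accounts, add a clause on resource.labels.email_id, whose value is the account's e-mail, matching the `<project-number>-compute@developer.gserviceaccount.com` pattern. Uploaded public keys are included because they are user-managed credentials too, even though the question's wording mentions only creation.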