ISC2 Certified Cloud Security Professional (CCSP) Practice Question
A company hosts its production environment in a public cloud. The DevOps team uses the provider's managed CI/CD build service to deploy new application versions. Security policy demands that the pipeline obtain only the minimum privileges required at run time and that no long-term credentials be stored in the build configuration. Which identity and access control approach BEST meets these requirements?
Install pre-generated SSH key pairs on all production virtual machines and reference them from the pipeline script.
Enable the build service to assume a short-lived role in the production account by using the provider's Security Token Service (STS).
Store a service account's long-lived access keys as encrypted variables in the pipeline and grant it administrator privileges.
Provide the cloud root account credentials to the build job only during deployment windows.
The principle of least privilege and avoidance of long-term credentials are achieved by configuring the build service to assume a dedicated IAM role in the production account through the cloud provider's Security Token Service (STS). When the pipeline starts, STS issues short-lived, automatically expiring credentials that grant only the permissions defined in the role's policy. This eliminates the need to store permanent keys and confines the pipeline to the exact privileges required.
Using hard-coded access keys or root credentials violates least privilege and creates persistent secret-management risks. Injecting SSH keys into virtual machines solves remote-login needs but does not address authorization to cloud APIs, nor does it remove long-lived credentials from the pipeline. Therefore, leveraging STS to assume a minimally scoped role is the most appropriate solution.
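As an added illustration (not part of the original question), the following check lints the role a build service would assume through STS against the two requirements in the scenario: a trust policy limited to the build service, a permissions policy without wildcards, and a bounded session lifetime. It assumes AWS-style IAM JSON, the codebuild.amazonaws.com service principal, a constructed account ID and ECS ARN, and an assumed 3600-second session cap; ADMIN_POLICY models the rejected "administrator privileges" option.

```python
# Constructed sample (assumed AWS-style IAM JSON): only the managed build service may assume the role.
TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Service": "codebuild.amazonaws.com"},
        "Action": "sts:AssumeRole",
    }],
}

# Constructed sample: permissions scoped to the one deployment the pipeline performs.
DEPLOY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["ecs:UpdateService", "ecs:RegisterTaskDefinition"],
        "Resource": "arn:aws:ecs:us-east-1:111122223333:service/prod/web",
    }],
}

# Constructed sample of the rejected option: administrator privileges on everything.
ADMIN_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def lint_role(trust, permissions, max_session_seconds, session_cap=3600):
    """Return least-privilege findings for a pipeline role; an empty list means it passes.
    session_cap is an assumed local limit on how long the STS credentials may live."""
    findings = []
    for st in trust["Statement"]:
        principal = st.get("Principal", {})
        if principal == "*" or (isinstance(principal, dict) and "*" in principal.values()):
            findings.append("trust policy lets any principal assume the role")
    for st in permissions["Statement"]:
        if st.get("Effect") != "Allow":
            continue
        if any(a == "*" or a.endswith(":*") for a in _as_list(st["Action"])):
            findings.append("wildcard action grants more than the pipeline needs")
        if any(r == "*" for r in _as_list(st["Resource"])):
            findings.append("wildcard resource is not confined to the deployment target")
    if max_session_seconds > session_cap:
        findings.append("session duration %d s exceeds cap of %d s" % (max_session_seconds, session_cap))
    return findings

if __name__ == "__main__":
    print(lint_role(TRUST_POLICY, ADMIN_POLICY, 43200))
```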
Exam domain: Cloud Concepts, Architecture and Design