You are running applications outside Google Cloud that need access to Google Cloud resources. You are using workload identity federation to grant external identities Identity and Access Management (IAM) roles to eliminate the maintenance and security burden associated with service account keys. You must protect against attempts to spoof another user’s identity and gain unauthorized access to Google Cloud resources. What should you do? (Choose two.)
A. Enable data access logs for IAM APIs.
B. Limit the number of external identities that can impersonate a service account.
C. Use a dedicated project to manage workload identity pools and providers.
D. Use immutable attributes in attribute mappings.
E. Limit the resources that a service account can access.
Disclaimer
This is a practice question. There is no guarantee that this question will appear in the certification exam.
Answer
C, D
Explanation
Best practices for protecting against spoofing threats:
Use a dedicated project to manage workload identity pools and providers.
Use organizational policy constraints to disable the creation of workload identity pool providers in other projects.
Use a single provider per workload identity pool to avoid subject collisions.
Avoid federating with the same identity provider twice.
Protect the OIDC metadata endpoint of your identity provider.
Use the URL of the workload identity pool provider as audience.
Use immutable attributes in attribute mappings.
Use non-reusable attributes in attribute mappings.
Don’t allow attribute mappings to be modified.
Don’t rely on attributes that aren’t stable or authoritative.
https://cloud.google.com/iam/docs/best-practices-for-using-workload-identity-federation#protecting_against_spoofing_threats
A. Enable data access logs for IAM APIs.
(Data access logs record activity but do not protect against spoofing attempts.)
B. Limit the number of external identities that can impersonate a service account.
(This does not protect against spoofing attempts either.)
C. Use a dedicated project to manage workload identity pools and providers.
D. Use immutable attributes in attribute mappings.
E. Limit the resources that a service account can access.
(This does not protect against spoofing attempts either.)