A security engineer needs to prevent users from creating service account keys in a Google Cloud project. The solution must be enforceable across all projects in the organization and should not block other IAM operations. Which approach should they use?
- A. Use IAM Conditions to restrict service account key creation to only a specific project.
  Why wrong: IAM Conditions attach to individual role bindings; they do not block key creation globally. Blocking key creation across every project in an organization this way would require complex per-project configuration.
- B. Create a custom role that excludes the permission iam.serviceAccountKeys.create and assign it to all users.
  Why wrong: A custom role cannot be enforced across all users; any user who also holds another role that grants the permission (such as Owner) would still be able to create keys. It also does not prevent key creation by service accounts themselves.
- C. Use the Organization Policy Service with the constraint constraints/iam.disableServiceAccountKeyCreation.
  Why correct: The built-in constraint specifically disables service account key creation across the resource hierarchy, so it can be enforced at the organization level without affecting other IAM operations.
- D. Create an IAM deny policy at the organization level to deny the permission iam.serviceAccountKeys.create.
  Why wrong: Although an IAM deny policy could block the permission, Organization Policy is the recommended approach for resource-level constraints of this kind, and the built-in constraint is the simpler solution.