🔥 3-day streak
Professional Cloud Security Engineer25 / 152
Question 25 of 152
Your organization runs CI/CD pipelines in Cloud Build to deploy applications to Cloud Run. A recent security review found that the pipelines use the default Cloud Build service account, which has broad Editor-level permissions across the project. A malicious commit could therefore let a build step create resources or modify IAM policies far beyond deployment needs. The security team wants to reduce the blast radius of a compromised build while keeping deployments functional. What is the most appropriate action?
Reviewed for accuracy · Report an issueNext question