🔥 3-day streak
Professional Cloud Security Engineer151 / 152
Question 151 of 152
Your organization runs applications on AWS EC2 instances that need to read objects from a Cloud Storage bucket in a GCP project. You have already created a workload identity pool and an AWS provider. Security requires that only EC2 instances running under a specific AWS IAM role named 'prod-reader' be permitted to obtain Google credentials, and that no service account keys be created. What is the most appropriate way to enforce this restriction?
Reviewed for accuracy · Report an issueNext question