Question 27
Domain 3: System HardeningA team is provisioning Kubernetes worker nodes in a cloud environment and wants to follow least-privilege principles for node IAM configuration. Which approach best aligns with this goal?
Correct answer: B
Explanation
Cluster nodes should receive only the IAM permissions required for their specific node functions, rather than broad or administrative access. Least privilege reduces the impact of node compromise and limits unnecessary cloud-provider capabilities. — cks_syllabus.txt
Why each option is right or wrong
A. Assign a broad IAM role so nodes can perform any cloud action that a workload might eventually need.
Least privilege limits permissions to required node functions, not potential future workload actions.
B. Assign each cluster node only the IAM permissions needed to perform its required node-level operations.
The source material specifically identifies "Cloud provider IAM least-privilege for cluster nodes" and names IAM and least privilege as the governing concepts. In this scenario, the compliant choice is to give worker nodes only the permissions necessary for their required node-level operations, which directly applies least-privilege IAM to cluster nodes.
C. Assign the same administrative IAM role to all cluster nodes to simplify management across the cluster.
Least privilege does not support administrative access when narrower permissions can satisfy node requirements.
D. Assign no IAM role to cluster nodes because least privilege always means removing all cloud permissions entirely.
Least privilege allows necessary permissions; it does not require eliminating permissions needed for node operation.