Google Professional Cloud Security Engineer Exam - Topic 4 Question 5 Discussion

Actual exam question for Google's Professional Cloud Security Engineer exam

Question #: 5
Topic #: 4

[All Professional Cloud Security Engineer Questions]

An application running on a Compute Engine instance needs to read data from a Cloud Storage bucket. Your team does not allow Cloud Storage buckets to be globally readable and wants to ensure the principle of least privilege.

Which option meets the requirement of your team?

ACreate a Cloud Storage ACL that allows read-only access from the Compute Engine instance's IP address and allows the application to read from the bucket without credentials.

BUse a service account with read-only access to the Cloud Storage bucket, and store the credentials to the service account in the config of the application on the Compute Engine instance.

CUse a service account with read-only access to the Cloud Storage bucket to retrieve the credentials from the instance metadata.

DEncrypt the data in the Cloud Storage bucket using Cloud KMS, and allow the application to decrypt the data with the KMS key.

Show Suggested Answer

Suggested Answer: C

by Latrice at May 06, 2022, 04:40 AM

Limited Time Offer

25%

Off

Get Premium Professional Cloud Security Engineer Questions as Interactive Web-Based Practice Test or PDF

Contribute your Thoughts:

Submit Cancel

Lonna

4 months ago

D doesn't really address the access issue, just encryption.

upvoted 0 times

...

Nakita

4 months ago

A is a bad idea, IP addresses can change.

upvoted 0 times

...

Teri

4 months ago

Wait, can you really retrieve credentials from instance metadata?

upvoted 0 times

...

Annelle

4 months ago

I disagree, B seems safer with stored credentials.

upvoted 0 times

...

Lorrie

5 months ago

Option C is the best choice for least privilege.

upvoted 0 times

...

Katy

5 months ago

I remember that encrypting data with Cloud KMS is important, but it doesn't seem to directly address the access control issue we have here.

upvoted 0 times

...

Bobbye

5 months ago

I feel like we practiced a similar question where we had to ensure least privilege, but I can't recall if using ACLs was a good idea or not.

upvoted 0 times

...

Theresia

5 months ago

I think option C sounds familiar; using instance metadata to retrieve credentials seems like a good way to avoid hardcoding them.

upvoted 0 times

...

Carmen

5 months ago

I remember we discussed the importance of using service accounts for accessing resources securely, but I'm not sure if storing credentials in the app config is the best practice.

upvoted 0 times

...

Tasia

5 months ago

Okay, I've got a strategy here. I'll think about typical email attachments and try to pick the largest size that still seems reasonable for a user interface to handle without slowness.

upvoted 0 times

...

Stephaine

5 months ago

I'm pretty confident I can handle this one. The key is to focus on the false statements, since we need to choose two.

upvoted 0 times

...

Rashad

5 months ago

I'm not entirely sure about this one. I know ExpressRoute is an Azure connectivity option, but I'm not confident about the other choice. I'll have to make an educated guess and hope for the best.

upvoted 0 times

...

Alease

5 months ago

I'm pretty confident I know the encryption types supported by Policy Palette, so I'll carefully review the options and select the two correct ones.

upvoted 0 times

...