Deal of The Day! Hurry Up, Grab the Special Discount - Save 25% - Ends In 00:00:00 Coupon code: SAVE25
Welcome to Pass4Success

- Free Preparation Discussions
Mail Us support@pass4success.com
Location US
Mob_nav_barsMENU

Google Professional Cloud Security Engineer Exam - Topic 4 Question 5 Discussion

An application running on a Compute Engine instance needs to read data from a Cloud Storage bucket. Your team does not allow Cloud Storage buckets to be globally readable and wants to ensure the principle of least privilege.Which option meets the requirement of your team?
C) Use a service account with read-only access to the Cloud Storage bucket to retrieve the credentials from the instance metadata.
A) Create a Cloud Storage ACL that allows read-only access from the Compute Engine instance's IP address and allows the application to read from the bucket without credentials.
B) Use a service account with read-only access to the Cloud Storage bucket, and store the credentials to the service account in the config of the application on the Compute Engine instance.
D) Encrypt the data in the Cloud Storage bucket using Cloud KMS, and allow the application to decrypt the data with the KMS key.

Google Professional Cloud Security Engineer Exam - Topic 4 Question 5 Discussion

Actual exam question for Google's Professional Cloud Security Engineer exam
Question #: 5
Topic #: 4
[All Professional Cloud Security Engineer Questions]

An application running on a Compute Engine instance needs to read data from a Cloud Storage bucket. Your team does not allow Cloud Storage buckets to be globally readable and wants to ensure the principle of least privilege.

Which option meets the requirement of your team?

Show Suggested Answer Hide Answer
Suggested Answer: C

by Latrice at May 06, 2022, 04:40 AM

Limited Time Offer

25%

Off

Get Premium Professional Cloud Security Engineer Questions as Interactive Web-Based Practice Test or PDF

Contribute your Thoughts:

0/2000 characters
Submit Cancel
Lonna
7 months ago
D doesn't really address the access issue, just encryption.
upvoted 0 times
...
Nakita
7 months ago
A is a bad idea, IP addresses can change.
upvoted 0 times
...
Teri
8 months ago
Wait, can you really retrieve credentials from instance metadata?
upvoted 0 times
...
Annelle
8 months ago
I disagree, B seems safer with stored credentials.
upvoted 0 times
...
Lorrie
8 months ago
Option C is the best choice for least privilege.
upvoted 0 times
...
Katy
8 months ago
I remember that encrypting data with Cloud KMS is important, but it doesn't seem to directly address the access control issue we have here.
upvoted 0 times
...
Bobbye
8 months ago
I feel like we practiced a similar question where we had to ensure least privilege, but I can't recall if using ACLs was a good idea or not.
upvoted 0 times
...
Theresia
8 months ago
I think option C sounds familiar; using instance metadata to retrieve credentials seems like a good way to avoid hardcoding them.
upvoted 0 times
...
Carmen
8 months ago
I remember we discussed the importance of using service accounts for accessing resources securely, but I'm not sure if storing credentials in the app config is the best practice.
upvoted 0 times
...
Tasia
8 months ago
Okay, I've got a strategy here. I'll think about typical email attachments and try to pick the largest size that still seems reasonable for a user interface to handle without slowness.
upvoted 0 times
...
Stephaine
8 months ago
I'm pretty confident I can handle this one. The key is to focus on the false statements, since we need to choose two.
upvoted 0 times
...
Rashad
8 months ago
I'm not entirely sure about this one. I know ExpressRoute is an Azure connectivity option, but I'm not confident about the other choice. I'll have to make an educated guess and hope for the best.
upvoted 0 times
...
Alease
8 months ago
I'm pretty confident I know the encryption types supported by Policy Palette, so I'll carefully review the options and select the two correct ones.
upvoted 0 times
...

Save Cancel