Google Professional Cloud Security Engineer Exam - Topic 4 Question 50 Discussion

Actual exam question for Google's Professional Cloud Security Engineer exam

Question #: 50
Topic #: 4

[All Professional Cloud Security Engineer Questions]

You are a member of your company's security team. You have been asked to reduce your Linux bastion host external attack surface by removing all public IP addresses. Site Reliability Engineers (SREs) require access to the bastion host from public locations so they can access the internal VPC while off-site. How should you enable this access?

AImplement Cloud VPN for the region where the bastion host lives.

BImplement OS Login with 2-step verification for the bastion host.

CImplement Identity-Aware Proxy TCP forwarding for the bastion host.

DImplement Google Cloud Armor in front of the bastion host.

Show Suggested Answer

Suggested Answer: C

by Leatha at Jul 21, 2022, 11:40 PM

Limited Time Offer

25%

Off

Get Premium Professional Cloud Security Engineer Questions as Interactive Web-Based Practice Test or PDF

Contribute your Thoughts:

Submit Cancel

Nobuko

4 months ago

B is good for security, but might complicate things for remote access.

upvoted 0 times

...

Darell

4 months ago

Wait, can you really remove all public IPs and still allow access? Sounds tricky!

upvoted 0 times

...

Karl

4 months ago

D seems like overkill for just a bastion host.

upvoted 0 times

...

Annabelle

4 months ago

I think C could work too, but not sure it's the most efficient.

upvoted 0 times

...

Cristina

4 months ago

A is the best option for secure access!

upvoted 0 times

...

Katheryn

5 months ago

Google Cloud Armor sounds familiar, but I don't recall if it's specifically for securing bastion hosts or more for protecting against DDoS attacks.

upvoted 0 times

...

Nancey

5 months ago

I feel like Identity-Aware Proxy TCP forwarding might be the right choice here, especially since it can help manage access based on user identity.

upvoted 0 times

...

Sheron

5 months ago

I think implementing Cloud VPN could be a good option since it allows secure access to the VPC without exposing the bastion host.

upvoted 0 times

...

Chau

5 months ago

I'm not entirely sure, but I remember something about OS Login and 2-step verification being useful for securing access.

upvoted 0 times

...

Loren

5 months ago

I'm a little confused by the "static" option. Does that mean the attribute value won't change? If so, that doesn't seem like the right choice here since we need to synchronize changes from the external system.

upvoted 0 times

...

Dorinda

5 months ago

Hmm, I'm a little unsure about this one. Manufacturing lead time has a few different components, so I'll need to make sure I understand the differences between them.

upvoted 0 times

...

Chan

5 months ago

This is a classic case of the development team trying to get out of doing work they don't want to do. They're probably hoping to get the requirements removed or deprioritized. I'm going to go with A on this one.

upvoted 0 times

...