Your organization needs to restrict access to a Cloud Storage bucket. Only employees who are based in Canada should be allowed to view the contents.
What is the most effective and efficient way to satisfy this requirement?
The most effective and efficient way to restrict access to a Cloud Storage bucket so that only employees based in Canada can view its contents is to create a group consisting of all Canada-based employees and give the group access to the bucket. This method allows for straightforward management as employees move in and out of the group, ensuring that only those who are based in Canada have access, regardless of their current physical location. This approach also simplifies the process of granting or revoking access rights.
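An added example, not part of the original thread: one way to verify that read access to the bucket is granted only through the group described above. The group address, the sample policy and the role list (not exhaustive) are assumptions constructed for illustration; the policy uses the `bindings`/`role`/`members` shape of IAM policy JSON.

```python
# Added example: check that read access to a bucket is granted only via one group.
# Roles that allow listing or reading objects (assumed list, not exhaustive).
READ_ROLES = {
    "roles/storage.objectViewer",
    "roles/storage.objectAdmin",
    "roles/storage.admin",
    "roles/storage.legacyBucketReader",
    "roles/storage.legacyObjectReader",
}
PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}


def audit_read_access(policy, allowed_group):
    """Return (member, role, reason) for every read grant outside the group."""
    allowed = f"group:{allowed_group}".lower()
    findings = []
    for binding in policy.get("bindings", []):
        role = binding.get("role", "")
        if role not in READ_ROLES:
            continue
        for member in binding.get("members", []):
            if member.lower() == allowed:
                continue
            if member in PUBLIC_MEMBERS:
                reason = "public access"
            elif member.startswith("user:"):
                reason = "direct user grant, not managed through the group"
            else:
                reason = "principal other than the designated group"
            findings.append((member, role, reason))
    return findings


# Constructed sample policy (hypothetical names), shaped like IAM policy JSON.
SAMPLE_POLICY = {
    "bindings": [
        {"role": "roles/storage.objectViewer",
         "members": ["group:canada-employees@example.com",
                     "user:alice@example.com"]},
        {"role": "roles/storage.legacyBucketReader",
         "members": ["allAuthenticatedUsers"]},
        {"role": "roles/storage.objectCreator",
         "members": ["serviceAccount:uploader@example-project.iam.gserviceaccount.com"]},
    ]
}

if __name__ == "__main__":
    for member, role, reason in audit_read_access(
            SAMPLE_POLICY, "canada-employees@example.com"):
        print(f"{member}\t{role}\t{reason}")
```

An empty result means every read-capable binding in the policy points at the designated group, so access is controlled purely by group membership.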
Correct answer is D. The question is tricky, but it says "based" in Canada. That is not the same as restricting access to "from Canada". An employee can, for instance, be based in Canada but access the services while on a business trip to Singapore.
Imagine a lock on your bucket. You want only Canadian employees to have keys. Here's the easiest way: Make a key club: Create a group called "Canada Keys". Add all Canadian employees: Give everyone in that group a key. Keep outsiders out: No key, no entry to the bucket! This way, you manage one key club instead of many individual keys, making it easier to add/remove people and keeping your bucket secure. Clear as day?
To restrict access to a Cloud Storage bucket and ensure that only employees based in Canada can view its contents, you can use Cloud Identity and Access Management (Cloud IAM) in combination with Identity-Aware Proxy (IAP). By combining Cloud IAM and IAP, you can enforce fine-grained access control to the Cloud Storage bucket. Only employees based in Canada, as defined in the Cloud IAM roles and IAP access policy, will be able to view the bucket's contents. This provides an effective and efficient way to satisfy the access restriction requirement while leveraging Google Cloud's built-in identity and access management capabilities.
Option D is the most effective and efficient way to restrict access to the bucket. Creating a group consisting of all Canada-based employees and giving the group access to the bucket will allow you to easily manage access to the bucket. You can add or remove employees from the group as needed, and you can give the group different levels of access to the bucket.
I found an excellent explanation on this site, the questions seem to be verified there https://techcertificationhelp.com/cloud-digital-leader/only-employees-who-are-based-in-canada-should-be-allowed-to-view-the-c
The answer should be B. In this case, you can create a rule that allows access to the Cloud Storage bucket only from IP addresses based in Canada. This will ensure that only employees who are based in Canada will be able to access the bucket. D is not the most effective way to restrict access to the bucket. If an employee is added to the group, they would be able to access the bucket, even if they are not based in Canada.
Although a bit old, I found this on Serverfault: "But, IP deny list/allow list for HTTP(S) Load Balancing is not supported for Cloud Storage backends. See Security Policy Concepts - Restrictions for details." Thus, the answer must be D. (I hope). Reference: https://serverfault.com/questions/992666/using-google-cloud-armor-to-block-requests-to-google-cloud-storage
D is correct
If read carefully, the question is granting access for "employees based in Canada" and not "employees in Canada". This makes a lot of difference. Correct answer is D.
Yes that is correct
Correct answer is B. Even if a user based in Canada travels abroad, you do NOT want them to be able to have access. The question is badly phrased, but essentially it says "restrict any access outside of Canada" thus correct answer is B.
"based", not "in"
IP restrictions can be bypassed
B is correct
D is correct.
D is correct
I think 'B' may be the option. The question says "Only employees who are based in Canada", and considering Google's security policy of 'Least Privilege Access', option D will give access to all Canada employees, whether they need to have access or not, which may be a security threat.
IP is a poor way to restrict access. Employees based in Canada could be working from anywhere.