Practice Test 2 | Google Cloud Certified Professional Cloud Network Engineer | Dumps | Mock Test
As a Network Engineer, you need to design a secure way, following the best-practice principle of least privilege, for applications running in Compute Engine to access a Cloud SQL database. Which of the following solutions would you recommend?
A. Store the password in a private Cloud Storage bucket, and grant the Compute Engine instance running the application the default service account to access the password in the bucket and the Cloud SQL database.
B. Store the password in Secret Manager and encrypt it with Cloud KMS. Create a custom IAM role with permissions to KMS, Secret Manager and Cloud SQL. Assign the custom role to the Compute Engine instances.
C. Hard-code the password into the application on the Compute Engine instance, and assign the Compute Engine default service account to the instance to grant access to the Cloud SQL instance.
D. Store the password in IAM, and grant the Compute Engine instance running the application the default service account to access the password and the Cloud SQL database.
Answer: B
Option A is incorrect because it does not follow the principle of least privilege. The Compute Engine default service account carries the primitive Editor role, which is far too permissive for an application that only needs to read one secret and connect to one database.
Option B is correct because it uses a custom role limited to the selected services, stores the database password in Secret Manager rather than in application code or a bucket, and encrypts it at rest with Cloud KMS.
Option C is incorrect because hard-coding a database password into the application is not best practice (it ends up in source control and disk images), and the Compute Engine default service account is too permissive.
Option D is incorrect because IAM cannot be used to store credentials; it manages identities and permissions, not secret values.
See https://cloud.google.com/iam/docs/overview for more information on IAM roles.
See https://cloud.google.com/kms/docs/iam to understand how IAM is integrated with Cloud KMS.
See https://cloud.google.com/secret-manager/docs/creating-and-accessing-secrets for more information on Secret Manager.