Answer: Grant IAM read-only access to users, and use default ACLs on the bucket., Use signed URLs to generate time-bound access to objects.

### Correct Answers: - **Grant IAM read-only access to users, and use default ACLs on the bucket.** - Granting IAM roles is a best practice for access control. Using default ACLs (which typically deny public access) is safe. Read-only access adheres to the principle of least privilege for sensitive data, making this a recommended practice. - **Use signed URLs to generate time-bound access to objects.** - Signed URLs are ideal for providing temporary access to objects without requiring users to have Google accounts or IAM permissions. This is particularly useful for controlled access by external users to sensitive data. ### Incorrect Options: - **Grant no Google Cloud Identity and Access Management (Cloud IAM) roles to users, and use granular ACLs on the bucket.** - Relying solely on ACLs without IAM is not advisable. IAM offers centralized, manageable, and more granular access control, whereas ACLs are legacy and limited in both granularity and auditability. - **Create randomized bucket and object names. Enable public access, but only provide specific file URLs to people who do not have Google accounts and need access.** - Enabling public access for PII and sensitive data poses a significant security risk. Randomized names do not ensure security, as security through obscurity is unreliable. ### Conclusion: The best practices for securing sensitive data in GCS involve using IAM roles for internal access and signed URLs for temporary, controlled external access.

Author: LeetQuiz Editorial Team