Google Associate Cloud Engineer

Get started today

Ultimate access to all questions.

Explanation:

Correct Answers:

Grant IAM read-only access to users, and use default ACLs on the bucket.
- Granting IAM roles is a best practice for access control. Using default ACLs (which typically deny public access) is safe. Read-only access adheres to the principle of least privilege for sensitive data, making this a recommended practice.
Use signed URLs to generate time-bound access to objects.
- Signed URLs are ideal for providing temporary access to objects without requiring users to have Google accounts or IAM permissions. This is particularly useful for controlled access by external users to sensitive data.

Incorrect Options:

Grant no Google Cloud Identity and Access Management (Cloud IAM) roles to users, and use granular ACLs on the bucket.
- Relying solely on ACLs without IAM is not advisable. IAM offers centralized, manageable, and more granular access control, whereas ACLs are legacy and limited in both granularity and auditability.
Create randomized bucket and object names. Enable public access, but only provide specific file URLs to people who do not have Google accounts and need access.
- Enabling public access for PII and sensitive data poses a significant security risk. Randomized names do not ensure security, as security through obscurity is unreliable.

Conclusion:

The best practices for securing sensitive data in GCS involve using IAM roles for internal access and signed URLs for temporary, controlled external access.

Explanation:

Correct Answers:

Grant IAM read-only access to users, and use default ACLs on the bucket.
- Granting IAM roles is a best practice for access control. Using default ACLs (which typically deny public access) is safe. Read-only access adheres to the principle of least privilege for sensitive data, making this a recommended practice.
Use signed URLs to generate time-bound access to objects.
- Signed URLs are ideal for providing temporary access to objects without requiring users to have Google accounts or IAM permissions. This is particularly useful for controlled access by external users to sensitive data.

Incorrect Options:

Grant no Google Cloud Identity and Access Management (Cloud IAM) roles to users, and use granular ACLs on the bucket.
- Relying solely on ACLs without IAM is not advisable. IAM offers centralized, manageable, and more granular access control, whereas ACLs are legacy and limited in both granularity and auditability.
Create randomized bucket and object names. Enable public access, but only provide specific file URLs to people who do not have Google accounts and need access.
- Enabling public access for PII and sensitive data poses a significant security risk. Randomized names do not ensure security, as security through obscurity is unreliable.

Conclusion:

The best practices for securing sensitive data in GCS involve using IAM roles for internal access and signed URLs for temporary, controlled external access.

Comments (0)

No comments yet.

Your company plans to transfer all documents from a secure internal NAS drive to a Google Cloud Storage (GCS) bucket. These documents contain personally identifiable information (PII) and sensitive customer data. Additionally, your company's tax auditors require access to certain documents. What security strategy would you recommend for the GCS bucket?

Real Exam

Create randomized bucket and object names. Enable public access, but only provide specific file URLs to individuals without Google accounts who need access.

2.5%

Use signed URLs to generate time-bound access to objects.

40.0%

Grant no Google Cloud Identity and Access Management (Cloud IAM) roles to users, and use granular ACLs on the bucket.

20.0%

Grant IAM read-only access to users, and use default ACLs on the bucket.