Google Professional Cloud Security Engineer

Get started today

Ultimate access to all questions.

Quick Answer

Answer-first summary for fast verification

Answer: Activate Identity-Aware Proxy (IAP) on the Application Load Balancer backend. Assign the role of IAP-secured Web App User to the group of privileged users.

The correct answer is D because Identity-Aware Proxy (IAP) is specifically designed for this use case. IAP provides centralized authentication and authorization for applications behind Google Cloud load balancers, integrates seamlessly with Cloud Identity for user management, and supports single sign-on (SSO) through browser access. By activating IAP on the Application Load Balancer backend and assigning the 'IAP-secured Web App User' role to the privileged user group, you ensure only authenticated organizational users can access the Cloud Run service. Option A (Cloud Run authentication) provides basic authentication but lacks the comprehensive SSO integration and centralized management that IAP offers. Option B (Cloud Run User role) doesn't provide the authentication layer needed. Option C (internal ingress with firewall rules) relies on IP-based restrictions rather than user identity, which doesn't meet the SSO requirement and is less secure for user-based access control.

Author: LeetQuiz Editorial Team

Quick Answer

Answer-first summary for fast verification

Answer: Activate Identity-Aware Proxy (IAP) on the Application Load Balancer backend. Assign the role of IAP-secured Web App User to the group of privileged users.

Author: LeetQuiz Editorial Team

Comments (0)

No comments yet.

You have a web application deployed on Cloud Run that is accessible via an internet-facing Application Load Balancer. Your requirement is to restrict access so that only authorized users from your organization can reach the application through a browser, and the solution must support single sign-on (SSO). What is the correct approach?

Exam-Like