
Answer-first summary for fast verification
Answer: Use predefined IAM roles tailored to each team's access needs, such as Storage Object Viewer and Storage Object User. Utilize customer-supplied encryption keys (CSEK) and enforce TLS encryption. Turn on both Object Versioning and Cloud Audit Logs for the storage buckets.
Option C is the correct answer because it comprehensively addresses all requirements:
(1) It uses predefined IAM roles (e.g., Storage Object Viewer for read-only, Storage Object User for read-write) to manage varying access levels efficiently, adhering to the principle of least privilege.
(2) It protects data in transit with TLS encryption and at rest with customer-supplied encryption keys (CSEK), ensuring the organization retains full control over encryption keys as required.
(3) It enables Object Versioning to track file changes and Cloud Audit Logs for auditing access, meeting compliance needs.
Other options are less suitable:
A lacks CSEK for key control and relies on monitoring alerts instead of robust auditing.
B uses inefficient individual permissions and ACLs, and lacks CSEK.
D uses inefficient object-level permissions, third-party encryption (which may not integrate well with GCP services), and network logs (which are insufficient for detailed access auditing).
The community discussion strongly supports C, with 100% consensus and upvotes highlighting CSEK for compliance and IAM roles for access control.
Author: LeetQuiz Editorial Team
Your organization handles sensitive customer data stored in Google Cloud Storage buckets. You need to secure these buckets to meet the following requirements:
What should you do?
A
Create IAM groups for each team and manage permissions at the group level. Employ server-side encryption and Object Versioning by Google Cloud Storage. Configure cloud monitoring tools to alert on anomalous data access patterns.
B
Set individual permissions for each team and apply access control lists (ACLs) to each bucket and file. Enforce TLS encryption for file transfers. Enable Object Versioning and Cloud Audit Logs for the storage buckets.
C
Use predefined IAM roles tailored to each team's access needs, such as Storage Object Viewer and Storage Object User. Utilize customer-supplied encryption keys (CSEK) and enforce TLS encryption. Turn on both Object Versioning and Cloud Audit Logs for the storage buckets.
D
Assign IAM permissions for all teams at the object level. Implement third-party software to encrypt data at rest. Track data access by using network logs.