
Answer-first summary for fast verification
Answer: Configure Cloud Identity-Aware Proxy for the App Engine Application.
The question focuses on preventing external user access to an internal App Engine application even when an employee's password is compromised.
Option B (Configure Cloud Identity-Aware Proxy for the App Engine Application) is the optimal choice because IAP enforces identity-based access controls at the application layer, requiring users to authenticate with their Google accounts and allowing granular policies (e.g., blocking external users based on context like IP or location). This provides a zero-trust security layer independent of password strength.
While option A (Enforce 2-factor authentication in GSuite) adds security, it may not fully prevent access if the external user obtains both the password and second factor (e.g., via phishing).
Option C (Provision user passwords using GSuite Password Sync) does not address compromised credentials.
Option D (Configure Cloud VPN) secures network traffic but does not enforce user-level access controls, potentially allowing authenticated external users to access the app if they have credentials.
The community discussion shows a split between A and B, but B is supported by detailed reasoning highlighting IAP's context-aware controls and upvoted comments emphasizing its effectiveness in zero-trust scenarios.
Author: LeetQuiz Editorial Team
Your company uses Google Workspace and has an internal application deployed on Google App Engine. How can you prevent an external user from accessing the application, even if an employee's password is compromised?
A. Enforce 2-factor authentication in GSuite for all users.
B. Configure Cloud Identity-Aware Proxy for the App Engine Application.
C. Provision user passwords using GSuite Password Sync.
D. Configure Cloud VPN between your private network and GCP.