Exam Professional Cloud Security Engineer topic 1 question 224 discussion

C - https://cloud.google.com/iap#section-2

Using IAP is more secure and cost effective than Bastion VM (VM cost+ maintenace). Specially IAP is a managed security solution.

C. Create a firewall rule to allow access from the Identity-Aware Proxy (IAP) IP range. Grant the role of an IAP-secured Tunnel User to the administrators. Google's Identity-Aware Proxy allows you to establish a secure and context-aware access to your VMs without using a traditional VPN. It's a cost-efficient and secure method, especially for occasional access. You can enforce identity and context-aware access controls, ensuring only authorized users can SSH into the VMs.

Typical use case for IAP

I think only option A is cost effective. so, I choose option A

C. Create a firewall rule to allow access from the Identity-Aware Proxy (IAP) IP range. Grant the role of an IAP-secured Tunnel User to the administrators. This is a good option for organizations that want to use IAP to secure their remote access. IAP is a Google-managed service that provides a secure way to access Google Cloud resources from the internet. D. Create a jump host instance with public IP. Manage the instances by connecting through the jump host. This is a good option for organizations that want to have a secure way to manage their VMs without exposing them to the public internet. The jump host is a server that is exposed to the public internet and has access to the VMs. Administrators can connect to the jump host and then use it to manage the VMs. In this case, the best option is to create a jump host instance with public IP. This will allow administrators to manage the VMs securely without exposing them to the public internet. The jump host can be configured with a firewall rule to only allow traffic from trusted IP addresses. This will help to protect the VMs from unauthorized access.

C - correct. With TCP forwarding, IAP can protect SSH and RDP access to your VMs hosted on Google Cloud. Your VM instances don't even need public IP addresses. https://cloud.google.com/iap#section-2