Exam Associate Cloud Engineer topic 1 question 256 discussion

A. Using Identity-Aware Proxy (IAP): While IAP is a secure method of accessing Compute Engine instances, it typically requires a Google account for authentication, which the consultant does not have.

The correct answer is **C**. To allow an external consultant to access a Linux-based Compute Engine instance, you should: - Instruct the external consultant to generate an **SSH key pair**. This will result in a public key and a private key. - Request the **public key** from the consultant. The public key can be shared without compromising security. - Add the public key to the instance yourself. This will allow the consultant to authenticate with the Compute Engine instance. - Have the consultant access the instance through SSH with their **private key**. The private key should be kept secret and not shared. The other options (A, B, and D) are not correct because they either require the consultant to have a Google account, expose the instance to the public internet, or involve sharing the private key, which is a security risk.

I would say A. https://cloud.google.com/iap/docs/external-identities IAP controls access to your applications and resources. It leverages user identity and the context of a request to determine if a user should be allowed access. IAP is a building block toward BeyondCorp, an enterprise security model that enables employees to work from untrusted networks without using a VPN. By default, IAP uses Google identities and IAM. By leveraging Identity Platform instead, you can authenticate users with a wide range of external identity providers, such as: Email/password OAuth (Google, Facebook, Twitter, GitHub, Microsoft, etc.) SAML OIDC Phone number Custom Anonymous This is useful if your application is already using an external authentication system, and migrating your users to Google accounts is impractical.

The most secure and recommended method for providing SSH access to a consultant who does not have a Google account is to have them generate an SSH key pair, provide you with the public key, and then add it to the instance so they can authenticate using their private key.

IAP can be used for secure SSH access but is only feasible if the consultant has or is provided with a Google account. If providing a Google account is not an option, the best alternative is to use the existing VPN connection with SSH key-based access.

Option A is a valid answer. IAP allows access using third-party identity providers (like SAML, OAuth 2.0), so the consultant doesn't need to have a Google account.

The correct answer is C, why is option A discarded, being complementary with previous answers, see question number 152... It says it very clear, the auditor is connected through the VPN network, if we observe the documentation based on IAP, it is recommended for uses outside the VPN, (...IAP is a building block toward BeyondCorp, an enterprise security model that enables employees to work from untrusted networks without using a VPN....). My answer will be C https://cloud.google.com/iap/docs/external-identities

A. IAP can work with no google account.https://cloud.google.com/iap/docs/external-identities

https://cloud.google.com/iap/docs/external-identities.

Although its confusing and contradicting with Question 152, I would proceed to choose C for this. Question states no google account and the consultant is connected through VPN to the corporate network also its "an instant", not many..

This is correct. For IAP you need a google account. Read the damn question, it clearly states that he doesn't have a google account goshdarnit!

IMO answer is "A". IAP does not require Google account. There are other authentication methods supported by IAP too. Ref: https://cloud.google.com/iap/docs/authenticate-users-external-identities

A requires a Google account and the consultant has not. So it is C.

Should be A based on the previous questions

See responses on question #152 And https://cloud.google.com/iap/docs/external-identities. RE: IAP "This is useful if your application is already using an external authentication system, and migrating your users to Google accounts is impractical"

A (IAP) is the solution

Per ChatGPT, Option C provides a secure and recommended method for granting the external consultant access to the Compute Engine instance using SSH key authentication without the need for a Google account.