Exam Associate Cloud Engineer topic 1 question 74 discussion

A correct one

Pure from logic thinking: A can't be right. If the group get access to that instance with enable-oslogin=true, then they could have access to every instance that has enable-oslogin=true. Or do I miss something?

OS Login Feature: OS Login is a feature in GCP that manages SSH access to your Compute Engine instances using IAM (Identity and Access Management) roles. When OS Login is enabled, it allows you to use IAM roles to grant or revoke SSH access to your instances, which can be more secure and manageable than traditional SSH key management. Enabling OS Login: Setting the instance metadata enable-oslogin=true enables the OS Login feature on that specific Compute Engine instance. When OS Login is enabled, traditional SSH keys defined in the project or instance metadata are ignored, and the instance instead relies on IAM roles for SSH access.

A is correct as , it gives the only specific access

https://cloud.google.com/compute/docs/oslogin/set-up-oslogin

Enabling OSLogin allow user to login to Google Cloud credentials to authenticate to instance, instead of SSH key. Granting 'compute.osLogin' to the dev1 lets them login using OSLogin to the resourcee BD are incorrect because "block project-wide SSH keys" is an advance security features taht is used for high secured environment where more granular control over SSH us required C is hassle because it manually ditribute keys to each user in Dev1 which is time consuming

Answer B is incorrect because setting the service account to no service account has no impact on SSH access to the VM instance. Answer C is incorrect because generating an SSH key for each user in the dev1 group and distributing them is cumbersome and not scalable, especially if you have many users. Answer D is incorrect because generating a single SSH key and distributing it to multiple users undermines security, as it means any of the users in possession of the key can access the VM instance.

In my opinion A would be best, but they have to use this and only this 1 instance. You don't know if any other instances has this metadata set up - if they do, dev1 team has also access to this instances, what invalidates the answer. To make sure they are using only this 1 instance, I'd say D.

Based on https://cloud.google.com/compute/docs/oslogin/set-up-oslogin I'd go for A.

The dev1 users should be able to connect only to this VM instance

A correct one

A is the correct answer Granting OS Login IAM roles After you enable OS Login on one or more instances in your project, those VMs accept connections only from user accounts that have the necessary IAM roles in your project or organization. roles/compute.osLogin, which doesn't grant administrator permissions

had this question today

Answer is A

A is correct..

For further evidence... https://cloud.google.com/compute/docs/instances/managing-instance-access

A is correct and recommended option. D is incorrect because block project-wide restrict access to this instance, evidence: https://cloud.google.com/compute/docs/connect/restrict-ssh-keyshttps://cloud.google.com/compute/docs/connect/restrict-ssh-keys