You are developing a corporate tool on Compute Engine for the finance department, which needs to authenticate users and verify that they are in the finance department. All company employees use G Suite. What should you do?
A. Enable Cloud Identity-Aware Proxy on the HTTP(s) load balancer and restrict access to a Google Group containing users in the finance department. Verify the provided JSON Web Token within the application.
B. Enable Cloud Identity-Aware Proxy on the HTTP(s) load balancer and restrict access to a Google Group containing users in the finance department. Issue client-side certificates to everybody in the finance team and verify the certificates in the application.
C. Configure Cloud Armor Security Policies to restrict access to only corporate IP address ranges. Verify the provided JSON Web Token within the application.
D. Configure Cloud Armor Security Policies to restrict access to only corporate IP address ranges. Issue client-side certificates to everybody in the finance team and verify the certificates in the application.
https://cloud.google.com/armor/docs/security-policy-overview:
"Google Cloud Armor security policies protect your application by providing Layer 7 filtering and by scrubbing incoming requests for common web attacks or other Layer 7 attributes to potentially block traffic before it reaches your load balanced backend services or backend buckets"
C and D are wrong.
https://cloud.google.com/endpoints/docs/openapi/authenticating-users-google-id:
"To authenticate a user, a client application must send a JSON Web Token (JWT) in the authorization header of the HTTP request to your backend API"
A is correct.
A. Enable Cloud Identity-Aware Proxy (IAP) on the HTTP(s) load balancer and restrict access to a Google Group containing users in the finance department. Verify the provided JSON Web Token within the application.
Cloud IAP allows you to manage access to your web applications running on Compute Engine by verifying a user’s identity and determining if that user should be allowed to access the application. You can integrate Cloud IAP with Google Groups to restrict access to specific groups within your G Suite domain, such as a group for the finance department. When a user authenticates via Cloud IAP, a JSON Web Token (JWT) is issued that can be used within your application to further verify the user's identity and departmental membership.
Option A is the correct solution because it uses Cloud Identity-Aware Proxy (IAP) to authenticate and authorize users to access the application. IAP verifies the identity of users accessing the application through G Suite and checks if they are members of the specified Google Group. IAP also verifies the JSON Web Token (JWT) provided in the request to ensure that the request is legitimate.
Option B is not a correct solution because it does not use IAP to authenticate and authorize users. It only issues client-side certificates to users in the finance department, but does not have a way to verify that the user presenting the certificate is actually the owner of the certificate.
Option C is not a correct solution because it uses Cloud Armor Security Policies to restrict access based on IP addresses, but does not have a way to authenticate and authorize users.
Option D is not a correct solution because it combines the use of Cloud Armor Security Policies and client-side certificates, but does not have a way to authenticate and authorize users. It also does not have a way to verify the legitimacy of the requests.