Your organization needs to restrict access to a Cloud Storage bucket. Only employees who are based in Canada should be allowed to view the contents. What is the most effective and efficient way to satisfy this requirement?
A. Deploy the Cloud Storage bucket to a Google Cloud region in Canada
B. Configure Google Cloud Armor to allow access to the bucket only from IP addresses based in Canada
C. Give each employee who is based in Canada access to the bucket
D. Create a group consisting of all Canada-based employees, and give the group access to the bucket
Correct answer is D. The question is tricky, but it says "based" in Canada. That is not the same as restricting access to "from Canada". An employee can, for instance, be based in Canada but access the services while on a business trip to Singapore.
Imagine a lock on your bucket. You want only Canadian employees to have keys. Here's the easiest way:
Make a key club: Create a group called "Canada Keys".
Add all Canadian employees: Give everyone in that group a key.
Keep outsiders out: No key, no entry to the bucket!
This way, you manage one key club instead of many individual keys, making it easier to add/remove people and keeping your bucket secure. Clear as day?
Correct Option is B. Configure Google Cloud Armor to allow access to the bucket only from IP addresses based in Canada.
Explanation:
Google Cloud Armor provides security policies that can be applied to your Google Cloud services, including Cloud Storage. By configuring it to allow access only from Canadian IP addresses, you can effectively restrict access to the bucket based on geographical location.
This approach ensures that only users connecting from Canada can access the bucket, aligning with your organization's requirement without needing to manage individual user permissions or groups.
I found an excellent explanation on this site, the questions seem to be verified there
https://techcertificationhelp.com/cloud-digital-leader/only-employees-who-are-based-in-canada-should-be-allowed-to-view-the-c
I think 'B' may be the option. The question says "Only employees who are based in Canada", and considering Google's security policy of 'Least Privilege Access', option D will give access to all Canada employees, whether they need to have access or not, which may be a security threat.
If read carefully, the question is granting access for "employees based in Canada" and not "employees in Canada". This makes a lot of difference. Correct answer is D.
Although it is a bit old, I found this on Serverfault:
"But, IP deny list/allow list for HTTP(S) Load Balancing is not supported for Cloud Storage backends. See Security Policy Concepts - Restrictions for details."
Thus, the answer must be D. (I Hope).
Reference:
https://serverfault.com/questions/992666/using-google-cloud-armor-to-block-requests-to-google-cloud-storage
Option D is the most effective and efficient way to restrict access to the bucket. Creating a group consisting of all Canada-based employees and giving the group access to the bucket will allow you to easily manage access to the bucket. You can add or remove employees from the group as needed, and you can give the group different levels of access to the bucket.
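To make the group-versus-individual distinction concrete, here is an added example (not from the original thread or from Google) that works on the JSON shape of a bucket IAM policy as returned by `gcloud storage buckets get-iam-policy BUCKET --format=json`. It grants a group the predefined `roles/storage.objectViewer` role (option D) and audits who currently holds that role, flagging direct `user:` bindings (option C) and public principals. The bucket name, group address and user addresses are constructed placeholders, and the sample policy document is constructed, not captured from a real project.

```python
"""Group-based viewer access on a Cloud Storage bucket (added example).

The policy documents below are constructed to mimic the shape of
`gcloud storage buckets get-iam-policy BUCKET --format=json`; every
e-mail address and the etag value are placeholders.
"""
import json

VIEWER_ROLE = "roles/storage.objectViewer"  # real predefined Cloud Storage role


def grant_group_viewer(policy: dict, group_email: str) -> dict:
    """Return a copy of `policy` with `group:<group_email>` bound to objectViewer.

    This is the whole change needed for option D: the bucket policy holds one
    group member, and who is 'based in Canada' is managed in the group itself.
    The input policy is left untouched and the grant is idempotent.
    """
    new_policy = json.loads(json.dumps(policy))  # deep copy, input unchanged
    member = f"group:{group_email}"
    for binding in new_policy.setdefault("bindings", []):
        if binding["role"] == VIEWER_ROLE:
            if member not in binding["members"]:
                binding["members"].append(member)
            return new_policy
    new_policy["bindings"].append({"role": VIEWER_ROLE, "members": [member]})
    return new_policy


def audit_viewer_bindings(policy: dict) -> dict:
    """Classify the principals holding objectViewer on the bucket.

    'groups' is the manageable case (option D); 'users' is per-person grants
    (option C) that drift as staff change; 'public' is allUsers or
    allAuthenticatedUsers, which would defeat the requirement entirely.
    """
    report = {"groups": [], "users": [], "public": [], "other": []}
    for binding in policy.get("bindings", []):
        if binding["role"] != VIEWER_ROLE:
            continue
        for member in binding["members"]:
            if member.startswith("group:"):
                report["groups"].append(member)
            elif member.startswith("user:"):
                report["users"].append(member)
            elif member in ("allUsers", "allAuthenticatedUsers"):
                report["public"].append(member)
            else:  # serviceAccount:, domain:, deleted: principals, etc.
                report["other"].append(member)
    return report


# Constructed sample in the option C style: three employees bound one by one.
SAMPLE_POLICY_OPTION_C = {
    "bindings": [
        {
            "role": VIEWER_ROLE,
            "members": [
                "user:alice@example.com",
                "user:bob@example.com",
                "user:carol@example.com",
            ],
        },
        {"role": "roles/storage.admin", "members": ["group:storage-admins@example.com"]},
    ],
    "etag": "CONSTRUCTED-ETAG",
}

if __name__ == "__main__":
    print("before:", json.dumps(audit_viewer_bindings(SAMPLE_POLICY_OPTION_C), indent=2))
    updated = grant_group_viewer(SAMPLE_POLICY_OPTION_C, "canada-employees@example.com")
    print("after:", json.dumps(audit_viewer_bindings(updated), indent=2))
```

Against a real bucket the same grant is one command, `gcloud storage buckets add-iam-policy-binding gs://BUCKET --member=group:GROUP --role=roles/storage.objectViewer` (bucket and group are placeholders here); the audit function is the kind of check worth running periodically so that per-user or public bindings added later do not quietly widen the audience beyond the group.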
To restrict access to a Cloud Storage bucket and ensure that only employees based in Canada can view its contents, you can use Cloud Identity and Access Management (Cloud IAM) in combination with Identity-Aware Proxy (IAP).
By combining Cloud IAM and IAP, you can enforce fine-grained access control to the Cloud Storage bucket. Only employees based in Canada, as defined in the Cloud IAM roles and IAP access policy, will be able to view the bucket's contents. This provides an effective and efficient way to satisfy the access restriction requirement while leveraging Google Cloud's built-in identity and access management capabilities.
The answer should be B. In this case, you can create a rule that allows access to the Cloud Storage bucket only from IP addresses based in Canada. This will ensure that only employees who are based in Canada will be able to access the bucket. D is not the most effective way to restrict access to the bucket. If an employee is added to the group, they would be able to access the bucket, even if they are not based in Canada.