ExamTopics Logo
Mail Us[email protected]
Menu
Google Discussions
exam questions

Exam Professional Cloud Security Engineer All Questions

View all questions & answers for the Professional Cloud Security Engineer exam
Go to Exam

Exam Professional Cloud Security Engineer topic 1 question 8 discussion

Actual exam question from Google's Professional Cloud Security Engineer
Question #: 8
Topic #: 1
[All Professional Cloud Security Engineer Questions]

A customer implements Cloud Identity-Aware Proxy for their ERP system hosted on Compute Engine. Their security team wants to add a security layer so that the
ERP systems only accept traffic from Cloud Identity-Aware Proxy.
What should the customer do to meet these requirements?

  • A. Make sure that the ERP system can validate the JWT assertion in the HTTP requests.
  • B. Make sure that the ERP system can validate the identity headers in the HTTP requests.
  • C. Make sure that the ERP system can validate the x-forwarded-for headers in the HTTP requests.
  • D. Make sure that the ERP system can validate the user's unique identifier headers in the HTTP requests.
Show Suggested Answer Hide Answer
Suggested Answer: A 🗳️
by KILLMAD at March 9, 2020, 11:01 a.m.

Comments

Chosen Answer:
This is a voting comment (?). It is better to Upvote an existing comment if you don't have anything to add.
Switch to a voting comment New
Submit Cancel
ArizonaClassics
Highly Voted 4 years, 9 months ago
A is right see : https://cloud.google.com/iap/docs/signed-headers-howto
upvoted 19 times
...
bolu
Highly Voted 4 years, 3 months ago
Use Cryptographic Verification If there is a risk of IAP being turned off or bypassed, your app can check to make sure the identity information it receives is valid. This uses a third web request header added by IAP, called X-Goog-IAP-JWT-Assertion. The value of the header is a cryptographically signed object that also contains the user identity data. Your application can verify the digital signature and use the data provided in this object to be certain that it was provided by IAP without alteration. So answer is A
upvoted 15 times
...
BPzen
Most Recent 5 months, 2 weeks ago
Selected Answer: B
Cloud Identity-Aware Proxy (IAP) and Identity Headers: When IAP intercepts a request to your ERP system, it adds special identity headers to the HTTP request. These headers contain information about the authenticated user, such as their email address and group memberships. Validating Headers: Your ERP system needs to be configured to read and validate these identity headers. This allows the ERP system to: Confirm the user's identity: Verify that the user has been authenticated by IAP. Enforce authorization: Use the information in the headers (like group membership) to determine what the user is allowed to do within the ERP system. Why other options are incorrect: A. JWT Assertion: While IAP can use JWTs, it primarily relies on identity headers for this type of authentication.
upvoted 1 times
...
cyberpunk21
1 year, 8 months ago
Selected Answer: B
How is A, A talks about using JWT which is used for signed headers in IAP and B talks about actual header which we get when using IAP so B is correct not A
upvoted 1 times
...
civilizador
1 year, 10 months ago
The answer is B. The question says ONLY from IAP! what will prevent me from sending the request with JWT in the header without IAP?? Validating the JWT assertion can be part of the overall authentication and authorization process in the ERP system. However, to specifically enforce that traffic is coming from Cloud Identity-Aware Proxy, validating the identity headers added by IAP is more appropriate. These headers contain information about the authenticated user and the authentication method used by Cloud Identity-Aware Proxy. By validating these headers, the ERP system can verify that the request originated from Cloud Identity-Aware Proxy, which acts as the front-end for authentication and access control.
upvoted 1 times
...
GCP72
2 years, 8 months ago
Selected Answer: A
The correct answer is A
upvoted 3 times
...
sc_cloud_learn
3 years, 11 months ago
Agree A makes more sense
upvoted 3 times
...
DebasishLowes
4 years, 2 months ago
Ans is A
upvoted 3 times
...
saurabh1805
4 years, 6 months ago
A is correct option here.
upvoted 1 times
...
MohitA
4 years, 8 months ago
A is the one
upvoted 1 times
...
KILLMAD
5 years, 1 month ago
Ans is A
upvoted 4 times
...
Community vote distribution
A (35%)
C (25%)
B (20%)
Other
Most Voted
A voting comment increases the vote count for the chosen answer by one.

Upvoting a comment with a selected answer will also increase the vote count towards that answer by one. So if you see a comment that you already agree with, you can upvote it instead of posting a new comment.

SaveCancel
exam
Someone Bought Contributor Access for:
SY0-701
London, 1 minute ago