Exam Professional Cloud Security Engineer topic 1 question 15 discussion

Correct ans is C. The credentials are retrieved from the metedata server

Correct Answer is (B): If your application runs inside a Google Cloud environment that has a default service account, your application can retrieve the service account credentials to call Google Cloud APIs. Such environments include Compute Engine, Google Kubernetes Engine, App Engine, Cloud Run, and Cloud Functions. We recommend using this strategy because it is more convenient and secure than manually passing credentials. Additionally, we recommend you use Google Cloud Client Libraries for your application. Google Cloud Client Libraries use a library called Application Default Credentials (ADC) to automatically find your service account credentials. ADC looks for service account credentials in the following order: https://cloud.google.com/docs/authentication/production#automatically

A. Although it would work, but it is less preferred method and are error prone. B. Storing credentials in config is not good idea. C. Is preferred method as applications can get credentials from instance metadata securely. D. does not suggest controlled access, only encryption.

C. Use a service account with read-only access to the Cloud Storage bucket to retrieve the credentials from the instance metadata.

correct is B: Utilizzare un service account con accesso in sola lettura al bucket di Cloud Storage e archiviare le credenziali del service account nella configurazione dell'applicazione sull'istanza di Compute Engine. Utilizzando un service account con accesso in sola lettura al bucket di Cloud Storage, puoi fornire all'applicazione le credenziali necessarie per leggere i dati dal bucket. Archiviando le credenziali del service account nella configurazione dell'applicazione sull'istanza di Compute Engine, garantisce che solo l'applicazione su quell'istanza abbia accesso alle credenziali e, di conseguenza, al bucket. Questa opzione offre il principio del privilegio minimo, in quanto il service account ha solo i permessi necessari per leggere i dati dal bucket di Cloud Storage e le credenziali sono limitate all'applicazione specifica sull'istanza di Compute Engine. Inoltre, non richiede l'accesso globale ai bucket di Cloud Storage o l'utilizzo di autorizzazioni di accesso di rete basate su indirizzo IP.

C is the most viable option

A CORRECT: It's the only answer when you use ACL to filter local IP's addresses and you can have the bucket without global access. B INCORRET: Doesn't use the least privilege principle. C INCORRECT: What credentials are we talking about!? To do this it's better option B. D INCORRECT: Need global access.

meta data do not set service account

The correct answer is C

The Answer is C If the environment variable GOOGLE_APPLICATION_CREDENTIALS is set, ADC uses the service account key or configuration file that the variable points to. If the environment variable GOOGLE_APPLICATION_CREDENTIALS isn't set, ADC uses the service account that is attached to the resource that is running your code. https://cloud.google.com/docs/authentication/production#passing_the_path_to_the_service_account_key_in_code

So is it B or C?

Answer can be either B or C due to the relevance to servicing account. But storing password in app is a worst practice and we read it several times everywhere online hence it results in C as a best answer to handle service account through metadata

I'll go with B. A - ACL's are not able to allow access based on IP C - If you store the credentials in the metadata those will be public accessible by everyone with project access. D - Too complex

c is correct

C is the answer

Hi guys, How do we handle the requirement "does not allow Cloud Storage buckets to be globally readable"? seems none of the answers mention about it

You most likely want to use ACLs if you need to customize access to individual objects within a bucket, since IAM permissions apply to all objects within a bucket. However, you should still use IAM for any access that is common to all objects in a bucket, because this reduces the amount of micro-managing you have to do. A - as per the above documentation ACLs are needed for specific objects inside bucket. B - credentials for the service account shouldn't be stored in the app D - there is no requirement to encrypt the storage data Hence C seems to be the correct one