Exam Professional Cloud Security Engineer topic 1 question 156 discussion

https://cloud.google.com/architecture/identity/federating-gcp-with-active-directory-synchronizing-user-accounts?hl=en https://cloud.google.com/architecture/identity/federating-gcp-with-active-directory-synchronizing-user-accounts?hl=en#deciding_where_to_deploy_gcds

C. Install Google Cloud Directory Sync and connect it to Active Directory and Cloud Identity. E. Create Identity and Access Management (IAM) groups with permissions corresponding to each Active Directory group.

Agree: C & E.

Google Cloud Directory Sync (GCDS): Synchronizes user and group data from on-premises Active Directory to Cloud Identity, which is essential for enabling Active Directory as an identity provider. IAM Groups: Google Cloud IAM groups allow permissions to be managed collectively for a group of users. By aligning IAM groups with Active Directory groups, you can streamline access management across Google Cloud resources.

To integrate on-premises Active Directory with Google Cloud for identity and access management, you need to synchronize your Active Directory users and groups with Google Cloud and map them to appropriate IAM permissions. C. Install Google Cloud Directory Sync and connect it to Active Directory and Cloud Identity. Google Cloud Directory Sync (GCDS) is used to synchronize users and groups from an on-premises Active Directory to Cloud Identity or Google Workspace. This ensures that user accounts and group memberships in Google Cloud mirror the structure of your Active Directory. E. Create Identity and Access Management (IAM) groups with permissions corresponding to each Active Directory group. After synchronizing groups from Active Directory to Google Cloud, you create IAM groups in Google Cloud and assign the appropriate permissions. Using IAM groups simplifies access control by allowing permissions to be managed at the group level instead of the user level.

GCDS is already creating the groups automatically. We need to create the IAM roles to assign to those groups. So D, not E

CD Why not E?: IAM groups in Google Cloud are separate entities from IAM roles. While you could create IAM groups that mirror Active Directory groups, directly mapping permissions to IAM roles based on the corresponding Active Directory groups offers a more efficient and granular approach to access control.

Answer is C and D.

ANSWER C and E C. Install Google Cloud Directory Sync and connect it to Active Directory and Cloud Identity: Google Cloud Directory Sync (GCDS) is used to synchronize user and group information from on-premises Active Directory to Google Cloud Identity. This step ensures that user and group information is consistent across both environments. E. Create Identity and Access Management (IAM) groups with permissions corresponding to each Active Directory group: Once the synchronization is set up, you can create IAM groups in Google Cloud that mirror the Active Directory groups. Assign permissions to these IAM groups based on the roles and access levels required for each group. This approach simplifies access management by aligning Google Cloud permissions with existing Active Directory groups.

C and D I think, we don't need to create group, as it will be synced from AD, we only need to focus on creating the role for the group.

Answers: B & C... There is NO such thing as IAM groups in GCP

GCDS is already creating the groups automatically. We need to create the IAM roles to assign to those groups. So D, not E

Bard says CE. User and Groups are already imported with GCDS, so you need to focus on creating roles

Not Ek as the groups are already synced and retrieved, so roles will be attached to them

CE are seems to be coorect. B is required only for SSO. GCDS would also provision user and group.

CD is correct

There is a possibility to synchronize groups between AD and Google Cloud so why not to use it and focus on creating roles https://cloud.google.com/architecture/identity/federating-gcp-with-active-directory-introduction?hl=en#mapping_groups