For this question, refer to the Dress4Win case study. You are responsible for the security of data stored in Cloud Storage for your company, Dress4Win. You have already created a set of Google Groups and assigned the appropriate users to those groups. You should use Google best practices and implement the simplest design to meet the requirements.
Considering Dress4Win’s business and technical requirements, what should you do?
A. Assign custom IAM roles to the Google Groups you created in order to enforce security requirements. Encrypt data with a customer-supplied encryption key when storing files in Cloud Storage.
B. Assign custom IAM roles to the Google Groups you created in order to enforce security requirements. Enable default storage encryption before storing files in Cloud Storage.
C. Assign predefined IAM roles to the Google Groups you created in order to enforce security requirements. Utilize Google’s default encryption at rest when storing files in Cloud Storage.
D. Assign predefined IAM roles to the Google Groups you created in order to enforce security requirements. Ensure that the default Cloud KMS key is set before storing files in Cloud Storage.
A & B are simply ruled out as Google recommends using predefined roles wherever possible for large workloads.
D: As per the case study, it is a requirement: encrypt data on the wire and at rest.
C is correct: https://cloud.google.com/iam/docs/understanding-service-accounts as CMK will make it complex
I think it should be A, as we should use CMKs and only option A has that.
I would select C.
There is no requirement that the customer manage the key themselves. So a Google-managed key should be good enough.
Predefined IAM roles should be considered first.
https://cloud.google.com/iam/docs/using-iam-securely
Any comment?
C is correct
Because of “implement the simplest design to meet the requirements”?
Yes
Agreed
Not sure whether it is A or D… “Custom roles enable you to enforce the principle of least privilege, ensuring that the user and service accounts in your organization have only the permissions essential to performing their intended functions.” and “Before you decide to create a custom role, make sure that there is not already an existing predefined role (or set of roles) for the service that meets your needs.” Looks like it depends on whether the predefined roles meet the requirements or not…