Google Cloud Associate Cloud Engineer — Question 176
You need to manage a third-party application that will run on a Compute Engine instance. Other Compute Engine instances are already running with default configuration. Application installation files are hosted on Cloud Storage. You need to access these files from the new instance without allowing other virtual machines (VMs) to access these files. What should you do?
Answer options
- A. Create the instance with the default Compute Engine service account. Grant the service account permissions on Cloud Storage.
- B. Create the instance with the default Compute Engine service account. Add metadata to the objects on Cloud Storage that matches the metadata on the new instance.
- C. Create a new service account and assign this service account to the new instance. Grant the service account permissions on Cloud Storage.
- D. Create a new service account and assign this service account to the new instance. Add metadata to the objects on Cloud Storage that matches the metadata on the new instance.
Correct answer: C
Explanation
The correct answer is C. A new service account assigned only to the new instance gives that instance its own identity, and granting Cloud Storage permissions to that service account ensures that only this instance can access the files. Options A and B use the default Compute Engine service account, which the other instances running with default configuration also use, so any permissions granted to it would extend to those VMs as well. Option D, while similar to C in creating a new service account, incorrectly relies on metadata for access control: matching object metadata to instance metadata does not restrict file access.