Google Cloud Professional Cloud Security Engineer — Question 166
You work for an ecommerce company that stores sensitive customer data across multiple Google Cloud regions. The development team has built a new 3-tier application to process orders and must integrate the application into the production environment.
You must design the network architecture to ensure strong security boundaries and isolation for the new application, facilitate secure remote maintenance by authorized third-party vendors, and follow the principle of least privilege. What should you do?
Answer options
- A. Create separate VPC networks for each tier. Use VPC peering between application tiers and other required VPCs. Provide vendors with SSH keys and root access only to the instances within the VPC for maintenance purposes.
- B. Create a single VPC network and create different subnets for each tier. Create a new Google project specifically for the third-party vendors and grant the network admin role to the vendors. Deploy a VPN appliance and rely on the vendors’ configurations to secure third-party access.
- C. Create separate VPC networks for each tier. Use VPC peering between application tiers and other required VPCs. Enable Identity-Aware Proxy (IAP) for remote access to management resources, limiting access to authorized vendors.
- D. Create a single VPC network and create different subnets for each tier. Create a new Google project specifically for the third-party vendors. Grant the vendors ownership of that project and the ability to modify the Shared VPC configuration.
Correct answer: C
Explanation
Option C is correct as it establishes separate VPC networks for each tier and integrates Identity-Aware Proxy (IAP) to manage access securely, ensuring that only authorized vendors can connect remotely. Option A fails to enforce least privilege by granting root access to vendors, while option B relies on vendor configurations for security, which can be risky. Option D provides too much control to vendors by granting them ownership of the project, compromising security.