Google Cloud Professional Cloud Security Engineer — Question 169
There is a threat actor that is targeting organizations like yours. Attacks are always initiated from a known IP address range. You want to deny-list those IPs for your website, which is exposed to the internet through an Application Load Balancer. What should you do?
Answer options
- A. Create a Cloud Armor policy with a deny-rule for the known IP address range. Attach the policy to the backend of the Application Load Balancer.
- B. Activate Identity-Aware Proxy for the backend of the Application Load Balancer. Create a firewall rule that only allows traffic from the proxy to the application.
- C. Create a log sink with a filter containing the known IP address range. Trigger an alert that detects when the Application Load Balancer is accessed from those IPs.
- D. Create a Cloud Firewall policy with a deny-rule for the known IP address range. Associate the firewall policy to the Virtual Private Cloud with the application backend.
Correct answer: A
Explanation
The correct answer is A. Cloud Armor security policies are evaluated by the load balancer's edge proxies before a request is forwarded to any backend, so a deny rule for the known source range blocks the threat actor's traffic at the perimeter, using the real client IP. The policy is attached to the load balancer's backend service (not to the VMs or the VPC), and a rule with a lower priority number than the policy's default allow rule is matched first. Option B is incorrect: Identity-Aware Proxy enforces who may reach the application based on identity, not on source IP, and the firewall rule it proposes only restricts which hosts can reach the backend (the proxy), which does nothing to reject requests from the attacker's range at the proxy itself. Option C only detects: a log sink and alert will tell you the attacker has arrived, but the question asks to deny the traffic, and logging never blocks a request. Option D fails for a more fundamental reason than the wrong attachment point: VPC firewall rules are applied on the backend instances' network interfaces, after the proxy-based load balancer has already terminated the client connection. The backends see connections from Google's proxy and health-check ranges (130.211.0.0/22 and 35.191.0.0/16), and the original client address survives only in the X-Forwarded-For header, which firewall rules cannot inspect, so a deny rule for the attacker's range would never match. The load balancer's own forwarding rule is not subject to VPC firewall rules at all.
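The following script is an added example, not part of the original question or of Google's documentation. It carries out option A end to end with gcloud: create the security policy, add the deny rule in preview mode so the match can be checked in the load balancer logs first, promote it to enforcing, attach the policy to the backend service, and read the configuration back. The project, the backend service name `web-backend`, the policy name `deny-known-attackers` and the attacker range `203.0.113.0/24` (a documentation-only prefix) are assumptions chosen for the example.

```shell
#!/bin/sh
# Added example (not from the question page): deny-list a known attacker
# IP range with a Cloud Armor security policy attached to the backend
# service of an external Application Load Balancer.
#
# Assumed names (constructed for the example): backend service "web-backend",
# policy "deny-known-attackers", attacker range 203.0.113.0/24.
set -eu

# DRY_RUN=1 (default) prints the gcloud commands instead of running them so
# the change can be reviewed first. Set DRY_RUN=0 to execute for real.
DRY_RUN="${DRY_RUN:-1}"
if [ "$DRY_RUN" = 1 ]; then GCLOUD="echo gcloud"; else GCLOUD="gcloud"; fi

POLICY="${POLICY:-deny-known-attackers}"
BACKEND="${BACKEND:-web-backend}"
ATTACKER_RANGE="${ATTACKER_RANGE:-203.0.113.0/24}"
RULE_PRIORITY=1000

# 1. Create the policy. A new policy contains only the default rule at
#    priority 2147483647, whose action is allow, so nothing is blocked yet.
create_policy() {
  $GCLOUD compute security-policies create "$1" \
    --description "Deny-list for a known threat actor source range"
}

# 2. Add the deny rule. Lower priority numbers are evaluated first, so 1000
#    is matched before the default allow. With preview=1 Cloud Armor logs
#    the match in the load balancer request log but does not enforce it,
#    which lets you confirm the rule hits only the intended traffic.
add_deny_rule() {
  policy="$1"; priority="$2"; range="$3"; preview="$4"
  set -- compute security-policies rules create "$priority" \
    --security-policy "$policy" \
    --src-ip-ranges "$range" \
    --action deny-403
  if [ "$preview" = 1 ]; then set -- "$@" --preview; fi
  $GCLOUD "$@"
}

# 3. Once the preview matches look right, switch the rule to enforcing.
enforce_rule() {
  $GCLOUD compute security-policies rules update "$2" \
    --security-policy "$1" --no-preview
}

# 4. Attach the policy to the load balancer's backend service. This is the
#    step that makes the rules apply to traffic reaching that backend.
attach_policy() {
  $GCLOUD compute backend-services update "$1" \
    --security-policy "$2" --global
}

# 5. Read the configuration back: the rule as stored, and which policy the
#    backend service now references.
verify() {
  $GCLOUD compute security-policies rules describe "$2" --security-policy "$1"
  $GCLOUD compute backend-services describe "$3" --global \
    --format "value(securityPolicy)"
}

main() {
  create_policy "$POLICY"
  add_deny_rule "$POLICY" "$RULE_PRIORITY" "$ATTACKER_RANGE" 1
  # In a real rollout, inspect the request logs here before enforcing.
  enforce_rule "$POLICY" "$RULE_PRIORITY"
  attach_policy "$BACKEND" "$POLICY"
  verify "$POLICY" "$RULE_PRIORITY" "$BACKEND"
}

main "$@"
```

`--src-ip-ranges` accepts a comma-separated list, but a single basic rule holds at most 10 addresses or ranges; a longer deny-list needs several rules (or an expression-based rule). While the rule is in preview, each matching request appears in the load balancer's request log with the policy recorded as previewed rather than enforced, which is the signal to look for before running the promote step.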