Google Cloud Professional Cloud Security Engineer — Question 185

You are developing an application that runs on a Compute Engine VM. The application needs to access data stored in Cloud Storage buckets in other Google Cloud projects. The required access to the buckets is variable. You need to provide access to these resources while following Google- recommended practices. What should you do?

Answer options

• A. Limit the VMs access to the Cloud Storage buckets by setting the relevant access scope of the VM.
• B. Create IAM bindings for the VM’s service account and the required buckets that allow appropriate access to the data stored in the buckets.
• C. Grant the VM's service account access to the required buckets by using domain-wide delegation.
• D. Create a group and assign IAM bindings to the group for each bucket that the application needs to access. Assign the VM's service account to the group.

Correct answer: B

Explanation

The correct answer is B because creating IAM bindings for the VM’s service account allows for fine-grained access control over the specific Cloud Storage buckets needed, which aligns with Google’s best practices. Option A is incorrect because access scopes are broader and may not provide the necessary granularity. Option C is not suitable as domain-wide delegation is typically used for different use cases, and option D complicates access management unnecessarily by introducing a group.