Google Cloud Professional Cloud Security Engineer — Question 202
Your organization is deploying a new web application on Compute Engine and needs robust perimeter security. You need to protect the application from common web attacks, including SQL injection and cross-site scripting (XSS), while also controlling network traffic based on the source IP address and user identity. What should you do?
Answer options
- A. Implement Cloud Load Balancing and Cloud DNS. Set up Cloud CDN to cache content and mitigate some DDoS attacks. Configure Cloud Armor to provide layer 7 protection.
- B. Deploy Cloud Armor with its default WAF rules enabled. Configure network firewall rules on the Compute Engine instances to control all traffic based on source IP addresses. Use Cloud IAM to manage which users have roles granting access to the web application.
- C. Use Google Cloud Armor with pre-configured WAF rules to filter malicious traffic. Implement VPC Service Controls to create a secure perimeter around the application's resources. Manage users with Cloud IAM.
- D. Deploy Cloud Armor, and configure Cloud Firewall rules to control traffic based on source IP addresses. Integrate with Identity-Aware Proxy to control access based on user identity.
Correct answer: D
Explanation
The correct answer, D, maps each requirement in the question to a distinct control. Cloud Armor, attached to the backend service of the external HTTPS load balancer in front of the instances, applies preconfigured WAF rules that block SQL injection and cross-site scripting at layer 7. Cloud Firewall (VPC firewall) rules, together with Cloud Armor's own IP allow/deny rules, control traffic by source IP address. Identity-Aware Proxy (IAP) is enabled on the same backend service and enforces per-request authentication and authorization, so only users and groups granted the IAP-secured Web App User role reach the application. Option A adds Cloud CDN and Cloud DNS, which help with caching and volumetric DDoS, but nothing in it checks user identity. Options B and C rely on Cloud IAM, which governs who can administer Google Cloud resources but does not gate HTTP requests to the application; C additionally proposes VPC Service Controls, which build a perimeter around Google-managed service APIs to limit data exfiltration rather than controlling web access to an application on Compute Engine. A practical caveat for D: both Cloud Armor and IAP are enforced at the load balancer, so the firewall rules on the instances should admit application traffic only from the load balancer's proxy and health-check ranges; otherwise a client that connects to an instance's IP directly bypasses the WAF and the identity check.
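The following script shows how the option D design is configured with gcloud. It is an added example, not part of the original question or of Google's documentation, and every resource name, port, CIDR, group and OAuth client value in it is an assumed placeholder; the instances are assumed to already sit behind a global external HTTPS load balancer whose backend service is named in the BACKEND variable. Set DRY_RUN=1 to print the commands instead of executing them.

```shell
#!/bin/sh
# Added example: Cloud Armor WAF + source-IP rules, VPC firewall lock-down, and
# IAP on one backend service. All values below are assumed placeholders.
set -eu

POLICY="${POLICY:-web-edge-policy}"        # Cloud Armor security policy (assumed name)
BACKEND="${BACKEND:-web-backend}"          # backend service of the external HTTPS LB (assumed)
NETWORK="${NETWORK:-default}"              # VPC network of the instances (assumed)
TAG="${TAG:-web}"                          # network tag on the web instances (assumed)
APP_PORT="${APP_PORT:-8080}"               # port the application listens on (assumed)
BLOCKED_CIDR="${BLOCKED_CIDR:-203.0.113.0/24}"   # RFC 5737 range standing in for a known-bad source
ALLOWED_MEMBER="${ALLOWED_MEMBER:-group:webapp-users@example.com}"  # assumed Google Group
OAUTH_CLIENT_ID="${OAUTH_CLIENT_ID:-REPLACE-WITH-CLIENT-ID}"         # placeholder
OAUTH_CLIENT_SECRET="${OAUTH_CLIENT_SECRET:-REPLACE-WITH-SECRET}"    # placeholder

# Execute a command, or just print it when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Layer 7: Cloud Armor policy with preconfigured SQLi and XSS WAF rules plus a
# source-IP deny rule. Lower priority numbers are evaluated first.
create_armor_policy() {
    run gcloud compute security-policies create "$POLICY" \
        --description "WAF and source-IP controls for the web app"
    run gcloud compute security-policies rules create 1000 \
        --security-policy "$POLICY" \
        --expression "evaluatePreconfiguredWaf('sqli-v33-stable')" \
        --action deny-403
    run gcloud compute security-policies rules create 1001 \
        --security-policy "$POLICY" \
        --expression "evaluatePreconfiguredWaf('xss-v33-stable')" \
        --action deny-403
    run gcloud compute security-policies rules create 2000 \
        --security-policy "$POLICY" \
        --src-ip-ranges "$BLOCKED_CIDR" \
        --action deny-403
    run gcloud compute backend-services update "$BACKEND" --global \
        --security-policy "$POLICY"
}

# Layers 3/4: instances accept application traffic only from the load
# balancer's proxy and health-check ranges, so the WAF and IAP cannot be
# bypassed by connecting to an instance directly.
create_firewall_rules() {
    run gcloud compute firewall-rules create "allow-lb-to-${TAG}" \
        --network "$NETWORK" --direction INGRESS --action allow \
        --rules "tcp:${APP_PORT}" \
        --source-ranges "130.211.0.0/22,35.191.0.0/16" \
        --target-tags "$TAG"
}

# Identity: enable IAP on the backend service and grant the assumed group the
# IAP-secured Web App User role.
enable_iap() {
    run gcloud compute backend-services update "$BACKEND" --global \
        --iap "enabled,oauth2-client-id=${OAUTH_CLIENT_ID},oauth2-client-secret=${OAUTH_CLIENT_SECRET}"
    run gcloud iap web add-iam-policy-binding \
        --resource-type backend-services --service "$BACKEND" \
        --member "$ALLOWED_MEMBER" --role roles/iap.httpsResourceAccessor
}

apply_all() {
    create_armor_policy
    create_firewall_rules
    enable_iap
}

# Run for real only when explicitly asked; e.g. APPLY_PERIMETER=1 ./perimeter.sh
if [ "${APPLY_PERIMETER:-0}" = "1" ]; then
    apply_all
fi
```

The order matters in practice: attach the Cloud Armor policy and enable IAP on the backend service before tightening the firewall, and check the load balancer's health checks still pass after the firewall rule is in place, since they originate from the same two ranges.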