Google Cloud Professional Cloud Security Engineer — Question 297
You run a web application on top of Cloud Run that is exposed to the internet with an Application Load Balancer. You want to ensure that only privileged users from your organization can access the application. The proposed solution must support browser access with single sign-on. What should you do?
Answer options
- A. Change Cloud Run configuration to require authentication. Assign the role of Cloud Run Invoker to the group of privileged users.
- B. Create a group of privileged users in Cloud Identity. Assign the role of Cloud Run User to the group directly on the Cloud Run service.
- C. Change the Ingress Control configuration of Cloud Run to internal and create firewall rules to allow access only from known IP addresses.
- D. Activate Identity-Aware Proxy (IAP) on the Application Load Balancer backend. Assign the role of IAP-secured Web App User to the group of privileged users.
Correct answer: D
Explanation
The correct answer is D: activating Identity-Aware Proxy (IAP) lets you enforce authentication and manage access control while enabling single sign-on for browser users. Option A is incorrect because it does not support single sign-on. Option B does not provide the necessary authentication mechanism for browser access, and Option C is unsuitable because it relies on IP whitelisting instead of user authentication.