Google Cloud Professional Cloud Security Engineer — Question 337
Your organization has an application hosted in Cloud Run. You must control access to the application by using Cloud Identity-Aware Proxy (IAP) with these requirements:
• Only users from the AppDev group may have access.
• Access must be restricted to internal network IP addresses.
What should you do?
Answer options
- A. Deploy a VPN gateway and instruct the AppDev group to connect to the company network before accessing the application.
- B. Create an access level that includes conditions for internal IP address ranges and AppDev groups. Apply this access level to the application's IAP policy.
- C. Configure firewall rules to limit access to IAP based on the AppDev group and source IP addresses.
- D. Configure IAP to enforce multi-factor authentication (MFA) for all users and use network intrusion detection systems (NIDS) to block unauthorized access attempts.
Correct answer: B
Explanation
The correct answer is B because it meets both requirements through IAP itself: it creates an access level that combines the internal IP address conditions with the AppDev group and applies it to the application's IAP policy. Option A does not enforce the necessary access controls through IAP, and option C does not make effective use of IAP access levels. Option D focuses on multi-factor authentication and NIDS, which do not meet the specific access control requirements outlined in the question.