Google Cloud Professional Cloud Security Engineer — Question 346
You work for an organization that handles sensitive customer data. You must secure a series of Google Cloud Storage buckets housing this data and meet these requirements:
• Multiple teams need varying access levels (some read-only, some read-write).
• Data must be protected in storage and at rest.
• It's critical to track file changes and audit access for compliance purposes.
• For compliance purposes, the organization must have control over the encryption keys.
What should you do?
Answer options
- A. Create IAM groups for each team and manage permissions at the group level. Employ server-side encryption and Object Versioning by Google Cloud Storage. Configure cloud monitoring tools to alert on anomalous data access patterns.
- B. Set individual permissions for each team and apply access control lists (ACLs) to each bucket and file. Enforce TLS encryption for file transfers. Enable Object Versioning and Cloud Audit Logs for the storage buckets.
- C. Use predefined IAM roles tailored to each team's access needs, such as Storage Object Viewer and Storage Object User. Utilize customer-supplied encryption keys (CSEK) and enforce TLS encryption. Turn on both Object Versioning and Cloud Audit Logs for the storage buckets.
- D. Assign IAM permissions for all teams at the object level. Implement third-party software to encrypt data at rest. Track data access by using network logs.
Correct answer: C
Explanation
The correct answer is C because it addresses every requirement: predefined IAM roles (such as Storage Object Viewer and Storage Object User) give each team the access level it needs, customer-supplied encryption keys (CSEK) keep control of the encryption keys with the organization, TLS protects data in transit, and Object Versioning together with Cloud Audit Logs provides the change tracking and access auditing needed for compliance. Options A and B do not give the organization sufficient control over the encryption keys, and option D fails to provide adequate data protection and auditing mechanisms.