Google Cloud Professional Cloud Security Engineer — Question 90
You are a member of your company's security team. You have been asked to reduce the external attack surface of your Linux bastion host by removing all of its public IP addresses. Site Reliability Engineers (SREs) require access to the bastion host from public locations so they can reach the internal VPC while off-site. How should you enable this access?
Answer options
- A. Implement Cloud VPN for the region where the bastion host lives.
- B. Implement OS Login with 2-step verification for the bastion host.
- C. Implement Identity-Aware Proxy TCP forwarding for the bastion host.
- D. Implement Google Cloud Armor in front of the bastion host.
Correct answer: C
Explanation
The correct option is C. Identity-Aware Proxy TCP forwarding tunnels the SSH connection through IAP, so the bastion host needs no public IP address and is never exposed directly to the public internet; access is granted per user through IAM rather than by network reachability. Option A, Cloud VPN, requires maintaining a VPN connection, which might not be as convenient for off-site access. Option B, OS Login with 2-step verification, strengthens authentication on the host but does not by itself provide a path to a host that has no public IP. Option D, Google Cloud Armor, provides DDoS protection for load-balanced services but does not facilitate the SSH access the SREs require.