Every employee of your company has a Google account.
Your operational team needs to manage a large number of instances on Compute Engine.
Each member of this team needs only administrative access to the servers.
Your security team wants to ensure that the deployment of credentials is operationally efficient and must be able to determine who accessed a given instance.
What should you do?
Click on the arrows to vote for the correct answer
A. B. C. D.D.
https://cloud.google.com/compute/docs/instances/adding-removing-ssh-keysThe correct answer is C. Ask each member of the team to generate a new SSH key pair and to add the public key to their Google account. Grant the compute.osAdminLogin role to the Google group corresponding to this team.
Explanation: Google Cloud Platform (GCP) provides multiple ways to manage access to compute instances. In this scenario, the operational team needs administrative access to the servers, and the security team wants to ensure operational efficiency while maintaining a log of who accessed a given instance. The solution needs to consider access management, key management, and auditing.
Option A suggests generating a new SSH key pair and giving the private key to each member of the team while configuring the public key in the metadata of each instance. This approach is not operationally efficient, as each team member would need to have access to every instance, making it difficult to audit who accessed what instance.
Option B suggests that each team member generates a new SSH key pair, and their public key is sent to the manager who uses a configuration management tool to deploy those keys on each instance. This approach is operationally efficient and allows the security team to audit the actions of individual users. However, it does not meet the requirement of each team member having access to every instance, which is essential in this scenario.
Option C suggests that each team member generates a new SSH key pair and adds the public key to their Google account. The compute.osAdminLogin role is then granted to the Google group corresponding to this team. This approach provides operational efficiency as each team member can log in to instances using their Google account credentials. Additionally, it allows the security team to audit the actions of individual users.
Option D suggests generating a new SSH key pair, giving the private key to each member of the team, and configuring the public key as a project-wide public SSH key in your Cloud Platform project, allowing project-wide public SSH keys on each instance. This approach is not operationally efficient, as each team member would need to have access to every instance, making it difficult to audit who accessed what instance.
In conclusion, option C is the best approach because it allows the operational team to have access to all instances, and the security team can audit the actions of individual users.