Google Cloud Security Best Practices

Prevent External Access to Google App Engine Application

Question

Your company is using GSuite and has developed an application meant for internal usage on Google App Engine.

You need to make sure that an external user cannot gain access to the application even when an employee's password has been compromised.

What should you do?

Answers

A. Enforce 2-factor authentication in GSuite for all users.
B. Configure Cloud Identity-Aware Proxy for the App Engine application.
C. Provision user passwords using GSuite Password Sync.
D. Configure Cloud VPN between your private network and GCP.

Explanations

Correct answer: B.

The best solution in the described scenario is to configure Cloud Identity-Aware Proxy (Cloud IAP) for the App Engine application.

Cloud IAP is a Google Cloud Platform (GCP) feature that lets administrators control access to applications and VMs based on the user's identity and the context of each request. With Cloud IAP enabled, access to the application is restricted to users who have authenticated and who hold the IAP-protected Web App User role (roles/iap.httpsResourceAccessor); every other request is blocked at the proxy before it reaches the application.

When Cloud IAP is enabled for an application, every request passes through the proxy: the user must first sign in with their Google (GSuite) account, and the proxy then checks that this identity is authorized. The decision is made per request, on who the user is and on the context of the request (for example a corporate-managed device or a corporate IP range, expressed as an access level), not on which network the request happened to arrive from.

A compromised password on its own therefore does not get an external attacker in. Authenticating as the employee is only the first check; to satisfy the IAP policy the request must also come from a context that meets the configured access level, which an attacker working from an unmanaged device outside the corporate network cannot supply. Because the proxy is the only path to the application, there is no unauthenticated route around it either. Cloud IAP adds an enforcement layer in front of the application instead of relying solely on the login, which is what makes it the effective answer here.

Option A, enforcing 2-factor authentication (2-Step Verification) in GSuite for all users, is a good security practice, but by itself it may not be enough. It hardens the sign-in for the account, but it is not an enforcement point in front of the application and does not restrict who can reach the application based on identity, role or request context.

Option C, provisioning user passwords using GSuite Password Sync, only synchronizes passwords from an on-premises directory into GSuite. It does nothing to limit who can reach the application.

Option D, configuring Cloud VPN between your private network and GCP, is not relevant to the scenario. Cloud VPN securely connects two networks over the internet so that resources inside the VPC can be reached from the private network; an App Engine application is served through Google's public front end, so a VPN neither gates nor hides it.
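The following script puts the explanation above into practice. It is an added example for this page, not code from the exam or from Google, and it assumes placeholder values: the project ID, the numeric Access Context Manager policy ID, the access level name, the corporate domain, the corporate IP range (the 203.0.113.0/24 documentation range) and the OAuth client used by IAP are all hypothetical and must be replaced. It creates an access level that requires a request to come from the corporate range on a corp-owned, encrypted, screen-locked device, enables IAP on the App Engine app, and grants the GSuite domain the IAP-protected Web App User role only under that condition, so a stolen password used from an outside device fails the policy.

```shell
#!/usr/bin/env sh
# Added example (not from the original page): protect an App Engine app with
# Cloud IAP plus a context-aware access level, so that a compromised GSuite
# password alone is not sufficient to reach the application.
#
# All values below are assumed placeholders; override them in the environment
# or edit them before running:  sh iap_context_aware.sh apply
set -eu

PROJECT_ID="${PROJECT_ID:-example-internal-app}"
ACCESS_POLICY_ID="${ACCESS_POLICY_ID:-123456789}"      # numeric Access Context Manager policy (assumed)
LEVEL_NAME="${LEVEL_NAME:-corp_managed_device}"
CORP_DOMAIN="${CORP_DOMAIN:-example.com}"
CORP_CIDR="${CORP_CIDR:-203.0.113.0/24}"               # documentation range, stands in for the corp egress
OAUTH_CLIENT_ID="${OAUTH_CLIENT_ID:-REPLACE_ME.apps.googleusercontent.com}"
OAUTH_CLIENT_SECRET="${OAUTH_CLIENT_SECRET:-REPLACE_ME}"

# Render the basic access level spec consumed by
# `gcloud access-context-manager levels create --basic-level-spec`.
# A single condition block: every attribute inside it must hold (AND), so the
# request must come from the corporate range AND from a corp-owned, encrypted,
# screen-locked device. Knowing the password satisfies none of these.
write_access_level_spec() {
  out="$1"
  cat > "$out" <<EOF
- ipSubnetworks:
  - ${CORP_CIDR}
  devicePolicy:
    requireCorpOwned: true
    requireScreenlock: true
    allowedEncryptionStatuses:
    - ENCRYPTED
EOF
}

# Full resource name of the access level, as IAM conditions reference it.
access_level_resource() {
  printf 'accessPolicies/%s/accessLevels/%s' "$ACCESS_POLICY_ID" "$LEVEL_NAME"
}

# IAM condition expression that makes roles/iap.httpsResourceAccessor apply
# only to requests that satisfied the access level.
iam_condition_expression() {
  printf '"%s" in request.auth.access_levels' "$(access_level_resource)"
}

apply_iap() {
  spec="$(mktemp)"
  write_access_level_spec "$spec"

  # 1. Create the access level: context (network + device), not just identity.
  gcloud access-context-manager levels create "$LEVEL_NAME" \
    --policy="$ACCESS_POLICY_ID" \
    --title="Corporate managed device" \
    --basic-level-spec="$spec"

  # 2. Turn on IAP for the App Engine app so the proxy is the only way in.
  gcloud iap web enable --resource-type=app-engine \
    --project="$PROJECT_ID" \
    --oauth2-client-id="$OAUTH_CLIENT_ID" \
    --oauth2-client-secret="$OAUTH_CLIENT_SECRET"

  # 3. Grant the GSuite domain access, conditioned on the access level.
  #    An attacker holding an employee's password but signing in from an
  #    unmanaged device outside the corp range does not meet the condition.
  gcloud iap web add-iam-policy-binding --resource-type=app-engine \
    --project="$PROJECT_ID" \
    --member="domain:${CORP_DOMAIN}" \
    --role="roles/iap.httpsResourceAccessor" \
    --condition="expression=$(iam_condition_expression),title=${LEVEL_NAME}_only"

  rm -f "$spec"
}

# gcloud is only invoked when explicitly asked; sourcing or running the file
# without arguments just defines the functions above.
if [ "${1:-}" = "apply" ]; then
  apply_iap
fi
```

The device attributes in the access level are only evaluated when Endpoint Verification is deployed on employee devices; without it, keep the IP-range condition and drop the device policy rather than leaving a condition that can never be met. Even with IAP enforced by the platform, the application should still verify the signed `x-goog-iap-jwt-assertion` header on each request, so that any future exposure of the backend outside the proxy does not silently turn into unauthenticated access.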