You are developing a corporate tool on Compute Engine for the finance department, which needs to authenticate users and verify that they are in the finance department.
All company employees use G Suite.
What should you do?
The best approach for this scenario is to use Cloud Identity-Aware Proxy (IAP) and restrict access to a Google Group containing users in the finance department. Then, verify the provided JSON Web Token within the application.
Option A is the correct answer. Here's why:
Cloud Identity-Aware Proxy is a security layer that provides access control for web applications running on Compute Engine or Google Kubernetes Engine. It enables you to control access to your applications and services based on the identity of your users and the context of their request.
To use Cloud IAP, you need to enable it on the HTTP(S) load balancer. Once enabled, you can restrict access to specific groups or individuals. In this case, you would restrict access to a Google Group containing users in the finance department.
In addition to Cloud IAP, you would also need to verify the provided JSON Web Token within the application. A JSON Web Token (JWT) is a compact, URL-safe means of representing claims to be transferred between two parties. In this scenario, the JWT would contain information about the user's identity, such as their email address and group membership.
By verifying the JWT within the application (checking its signature, issuer, audience and expiry, rather than trusting the header as received), you can ensure that only authenticated users in the finance department are granted access to the tool, even if a request reaches the backend without passing through IAP.
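The in-application check described above, as an added example that is not part of the original answer: IAP signs its `x-goog-iap-jwt-assertion` header with ES256, so the application verifies the signature first and only then inspects `iss`, `aud` and `exp`. The signing key and the audience string are constructed stand-ins here; in production the public key is fetched from IAP by the token's `kid`, and `SignES256` exists only to build sample input.

```go
package main
import (
	"crypto/ecdsa"; "crypto/elliptic"; "crypto/rand"; "crypto/sha256"; "encoding/base64"
	"encoding/json"; "errors"; "fmt"; "math/big"; "strings"; "time"
)

// IAP signs the x-goog-iap-jwt-assertion header with ES256 and a fixed issuer; the expected
// audience is /projects/PROJECT_NUMBER/global/backendServices/SERVICE_ID (placeholder in main).
const iapIssuer = "https://cloud.google.com/iap"
var b64 = base64.RawURLEncoding
var sampleKey, _ = ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // stands in for IAP's signing key
// Claims of interest; encoding/json matches the lowercase JWT names case-insensitively.
type Claims struct{ Iss, Aud, Email string; Exp int64 }

// VerifyIAPJWT checks the ES256 signature (JWS raw r||s) before trusting any claim, then
// iss, aud and exp, and returns the asserted email. pub is the IAP key named by the token's kid.
func VerifyIAPJWT(tok string, pub *ecdsa.PublicKey, wantAud string, now time.Time) (string, error) {
	p := strings.Split(tok, ".")
	if len(p) != 3 { return "", errors.New("malformed token") }
	sig, err := b64.DecodeString(p[2])
	if err != nil || len(sig) != 64 { return "", errors.New("bad signature encoding") }
	d := sha256.Sum256([]byte(p[0] + "." + p[1]))
	if !ecdsa.Verify(pub, d[:], new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:])) {
		return "", errors.New("signature invalid")
	}
	var c Claims
	if body, err := b64.DecodeString(p[1]); err != nil || json.Unmarshal(body, &c) != nil {
		return "", errors.New("bad payload")
	}
	if c.Iss != iapIssuer || c.Aud != wantAud || now.Unix() >= c.Exp {
		return "", fmt.Errorf("claims rejected: iss=%q aud=%q exp=%d", c.Iss, c.Aud, c.Exp)
	}
	return c.Email, nil
}

// SignES256 builds a token shaped like IAP's; it exists only to construct sample input.
func SignES256(priv *ecdsa.PrivateKey, c Claims) string {
	body, _ := json.Marshal(map[string]interface{}{"iss": c.Iss, "aud": c.Aud, "exp": c.Exp, "email": c.Email})
	si := b64.EncodeToString([]byte(`{"alg":"ES256","typ":"JWT"}`)) + "." + b64.EncodeToString(body)
	d := sha256.Sum256([]byte(si))
	r, s, _ := ecdsa.Sign(rand.Reader, priv, d[:])
	sig := append(r.FillBytes(make([]byte, 32)), s.FillBytes(make([]byte, 32))...)
	return si + "." + b64.EncodeToString(sig)
}

func main() {
	aud := "/projects/123456789/global/backendServices/42" // constructed placeholder
	tok := SignES256(sampleKey, Claims{iapIssuer, aud, "finance-user@example.com", time.Now().Add(time.Hour).Unix()})
	fmt.Println(VerifyIAPJWT(tok, &sampleKey.PublicKey, aud, time.Now()))
}
```

Group membership is enforced by IAP at the load balancer; the application's job is to confirm the request actually came through IAP and to bind the identity it then uses to the verified `email` claim.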
Option B is not the best answer because it suggests issuing client-side certificates to everybody in the finance team. While client-side certificates can be a valid form of authentication, they can also be difficult to manage at scale. Additionally, using Cloud IAP and a Google Group provides a simpler and more manageable solution.
Options C and D are not the best answers because they rely on restricting access based on corporate IP address ranges. While IP address restrictions can be effective in some scenarios, they are not foolproof. IP addresses can be easily spoofed or changed, and it can be difficult to manage access for remote or mobile users. Additionally, relying solely on IP address restrictions does not provide any information about the user's identity, which is important in this scenario.