You are working at a financial institution that stores mortgage loan approval documents on Cloud Storage.
Any change to these approval documents must be uploaded as a separate approval file, so you want to ensure that these documents cannot be deleted or overwritten for the next 5 years.
What should you do?
Answer: A.
Reference: https://cloud.google.com/storage/docs/using-bucket-lock
To ensure that the mortgage loan approval documents stored on Cloud Storage cannot be deleted or overwritten for the next 5 years, you can implement the following solution:
Option A: Create a retention policy on the bucket for the duration of 5 years. Create a lock on the retention policy.
A retention policy can be used to ensure that the objects in the Cloud Storage bucket are retained for a specific period of time. A retention policy can prevent the deletion or modification of objects during the retention period. The retention policy can be set to a specific duration, such as 5 years, to ensure that the objects cannot be deleted or modified during that period.
In addition to setting a retention policy, a lock can also be applied to the retention policy. The lock ensures that the retention policy cannot be modified or deleted until the lock is removed. This provides an extra level of protection to ensure that the mortgage loan approval documents cannot be deleted or modified before the retention period ends.
Option B: Create the bucket with uniform bucket-level access, and grant a service account the role of Object Writer. Use the service account to upload new files.
Uniform bucket-level access is a feature that allows for more consistent access control across all objects in a bucket. With uniform bucket-level access, you can grant access to a service account that has the role of Object Writer. This service account can then be used to upload new files to the bucket.
However, this option does not explicitly prevent the deletion or modification of objects in the bucket. While it is possible to configure the access controls to prevent such actions, it may not be as robust as using a retention policy with a lock.
Option C: Use a customer-managed key for the encryption of the bucket. Rotate the key after 5 years.
Encrypting the mortgage loan approval documents stored in the Cloud Storage bucket can provide an extra layer of protection. By using a customer-managed key for encryption, you can ensure that only authorized users have access to the data.
However, this option does not explicitly prevent the deletion or modification of objects in the bucket. While encryption can help protect against unauthorized access, it may not be sufficient to ensure that the documents are not deleted or modified before the retention period ends.
Option D: Create the bucket with fine-grained access control, and grant a service account the role of Object Writer. Use the service account to upload new files.
Fine-grained access control allows for more specific access control over objects in a bucket. This option is similar to Option B, where a service account with the role of Object Writer is used to upload new files to the bucket.
However, as with Option B, this option does not explicitly prevent the deletion or modification of objects in the bucket. While it is possible to configure the access controls to prevent such actions, it may not be as robust as using a retention policy with a lock.
In conclusion, the best option to ensure that the mortgage loan approval documents stored on Cloud Storage cannot be deleted or overwritten for the next 5 years is Option A: Create a retention policy on the bucket for the duration of 5 years. Create a lock on the retention policy. This option explicitly prevents the deletion or modification of objects in the bucket for the duration of the retention period, providing the most robust protection for the mortgage loan approval documents.
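One way to verify that a bucket actually meets this requirement is to audit its metadata for a retention policy that is both long enough and locked. The following is an added example, not part of the original question or of Google's documentation. It assumes bucket metadata in the shape of the Cloud Storage JSON API bucket resource (`retentionPolicy.retentionPeriod` in seconds, `retentionPolicy.isLocked`) and a 365.25-day year; the bucket names and sample records are constructed.

```python
"""Audit Cloud Storage bucket metadata for a locked 5-year retention policy."""

# Assumption: one year is counted as 365.25 days (31,557,600 seconds).
SECONDS_PER_YEAR = 31_557_600


def audit_retention(bucket: dict, min_years: int = 5) -> list[str]:
    """Return a list of findings; an empty list means the bucket complies."""
    policy = bucket.get("retentionPolicy")
    if not policy:
        # Access-control mode and encryption settings alone do not enforce retention.
        return ["no retention policy: objects can be deleted or overwritten"]

    findings = []
    # The JSON API serialises the 64-bit period (in seconds) as a string.
    period = int(policy.get("retentionPeriod", 0))
    required = min_years * SECONDS_PER_YEAR
    if period < required:
        findings.append(f"retention period {period}s is shorter than required {required}s")
    if not policy.get("isLocked", False):
        findings.append("retention policy is not locked: it can still be reduced or removed")
    return findings


# Constructed sample metadata, one record per configuration discussed above.
SAMPLE_BUCKETS = [
    {"name": "loans-locked",
     "retentionPolicy": {"retentionPeriod": "157788000", "isLocked": True}},
    {"name": "loans-unlocked",
     "retentionPolicy": {"retentionPeriod": "157788000"}},
    {"name": "loans-short",
     "retentionPolicy": {"retentionPeriod": "31557600", "isLocked": True}},
    {"name": "loans-iam-only",
     "iamConfiguration": {"uniformBucketLevelAccess": {"enabled": True}}},
]


def audit_all(buckets: list[dict]) -> dict[str, list[str]]:
    """Map each bucket name to its list of findings."""
    return {b["name"]: audit_retention(b) for b in buckets}


if __name__ == "__main__":
    for name, findings in audit_all(SAMPLE_BUCKETS).items():
        print(f"{name}: {'OK' if not findings else '; '.join(findings)}")
```

Only the first sample bucket passes; the unlocked, short-period and access-control-only buckets each produce a finding.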