Potential Malicious Actor Identification with Minimal Disruption | PCNE Exam Answer | Google Certification

Identifying Potential Malicious Actors with Minimal Disruption

Question

Your company offers a popular gaming service.

Your instances are deployed with private IP addresses, and external access is granted through a global load balancer.

You believe you have identified a potential malicious actor, but aren't certain you have the correct client IP address.

You want to identify this actor while minimizing disruption to your legitimate users.

What should you do?

Answers

A. Create a Cloud Armor Policy rule that denies traffic and review necessary logs.

B. Create a Cloud Armor Policy rule that denies traffic, enable preview mode, and review necessary logs.

C. Create a VPC Firewall rule that denies traffic, enable logging and set enforcement to disabled, and review necessary logs.

D. Create a VPC Firewall rule that denies traffic, enable logging and set enforcement to enabled, and review necessary logs.

Explanations


B.

In this scenario the backends have only private IP addresses and are reachable solely through a global load balancer, which means an external HTTP(S) load balancer. That detail decides the question. The load balancer terminates the client's connection and opens a new one to the backend from Google's proxy ranges (130.211.0.0/22 and 35.191.0.0/16), so a VPC firewall rule on the instance never sees the client's IP address; the original client IP is carried only in the X-Forwarded-For header and in the load balancer's request logs. Identification therefore has to happen at the load balancer, which is where Cloud Armor evaluates traffic, and the requirement to minimize disruption rules out enforcing a block on an address you are not yet sure of.

Option A: Create a Cloud Armor Policy rule that denies traffic and review necessary logs. Cloud Armor is a web application firewall and DDoS mitigation service that evaluates layer 7 traffic at the load balancer; its rules can allow or deny requests by source IP range among other criteria, so it does see the real client IP. But a deny rule that is enforced immediately blocks whichever address you guessed. If the guess is wrong, legitimate users are cut off, and the logs only show that the rule fired, not whether it fired on the right actor.

Option B: Create a Cloud Armor Policy rule that denies traffic, enable preview mode, and review necessary logs. In preview mode the rule is evaluated and its result is logged (the load balancer request log carries a previewSecurityPolicy field with the matched rule and an outcome of DENY), but the rule is not enforced, so traffic keeps flowing. Reviewing those log entries confirms whether the suspected address is really the one generating the abusive traffic, and the match can be widened or narrowed before the rule is switched to enforced. This is the only option that both identifies the actor and guarantees that no legitimate user is blocked during the investigation, so it is the correct answer.

Option C: Create a VPC Firewall rule that denies traffic, enable logging and set enforcement to disabled, and review necessary logs. VPC firewall rules control traffic at the instance's network interface. Disabling enforcement avoids disruption, but a disabled rule is not evaluated against incoming connections, so it produces no log entries to review. Even if it were evaluated, the source address it would see for load-balanced traffic is the load balancer's proxy range, not the client's, so it cannot identify the actor.

Option D: Create a VPC Firewall rule that denies traffic, enable logging and set enforcement to enabled, and review necessary logs. Enforcing the deny has the same visibility problem. A rule that denies the suspected client IP never matches, because the connection arrives from the proxy range; a rule that denies the proxy range blocks the load balancer itself and cuts off every user at once. This option neither identifies the actor nor limits disruption, so it is wrong on both counts.

In summary, option B is the most appropriate solution: create a Cloud Armor policy rule that denies the suspected traffic, enable preview mode so the rule is logged but not enforced, confirm the client IP from the load balancer logs, and only then enforce the rule.
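The following is an added example, not part of the original page or of any Google documentation, showing the log review step for option B in working code. It assumes a policy and preview rule created with hypothetical names (`suspect-policy`, `game-backend`, source range `203.0.113.0/24`) using these gcloud commands, which are real gcloud commands (the `--preview` flag is what keeps the deny rule unenforced):

```python
"""Triage Cloud Armor preview-mode hits in external HTTP(S) load balancer
request logs, and contrast them with what a VPC firewall log would show.

Added example (not from the original page). Assumed setup (hypothetical
policy, backend and range names):

  gcloud compute security-policies create suspect-policy
  gcloud compute security-policies rules create 1000 --security-policy=suspect-policy --src-ip-ranges=203.0.113.0/24 --action=deny-403 --preview
  gcloud compute backend-services update game-backend --security-policy=suspect-policy --global

The log entries below are constructed for the example and follow the field
layout of http_load_balancer request logs (httpRequest.remoteIp,
jsonPayload.enforcedSecurityPolicy, jsonPayload.previewSecurityPolicy) and
of VPC firewall rule logs (jsonPayload.connection.src_ip).
"""
import ipaddress
from collections import Counter

POLICY_NAME = "suspect-policy"  # hypothetical policy name

# Source ranges a backend VM (and therefore its VPC firewall rules) sees for
# traffic proxied by an external HTTP(S) load balancer. The client IP is not
# visible at that layer; it is only in X-Forwarded-For and in the LB logs.
GFE_PROXY_RANGES = (
    ipaddress.ip_network("130.211.0.0/22"),
    ipaddress.ip_network("35.191.0.0/16"),
)


def _policy_field(name, priority, action, outcome):
    return {"name": name, "priority": priority,
            "configuredAction": action, "outcome": outcome}


def _lb_entry(remote_ip, preview_outcome=None):
    """Constructed http_load_balancer request log entry."""
    entry = {
        "resource": {"type": "http_load_balancer"},
        "httpRequest": {"remoteIp": remote_ip,
                        "requestUrl": "https://game.example/play", "status": 200},
        "jsonPayload": {
            # While the deny rule is in preview, the default allow rule
            # (priority 2147483647) is what is actually enforced.
            "enforcedSecurityPolicy": _policy_field(POLICY_NAME, 2147483647, "ACCEPT", "ACCEPT"),
        },
    }
    if preview_outcome:
        entry["jsonPayload"]["previewSecurityPolicy"] = _policy_field(
            POLICY_NAME, 1000, "DENY", preview_outcome)
    return entry


# Constructed sample: two suspect hosts, two legitimate players.
SAMPLE_LB_LOGS = [
    _lb_entry("203.0.113.45", "DENY"),  # would be denied, but was served (preview)
    _lb_entry("198.51.100.8"),          # legitimate player, no preview match
    _lb_entry("203.0.113.45", "DENY"),
    _lb_entry("203.0.113.7", "DENY"),   # another host in the suspect range
    _lb_entry("192.0.2.10"),
]

# Constructed VPC firewall rule log entry for the same backend: the source is
# the load balancer proxy, not the client, so it cannot identify the actor.
SAMPLE_VPC_FIREWALL_LOG = {
    "jsonPayload": {"connection": {"src_ip": "130.211.1.17", "dest_ip": "10.128.0.5",
                                   "dest_port": 443, "protocol": 6},
                    "disposition": "ALLOWED"},
}


def preview_denies(entries, policy=POLICY_NAME):
    """Client IPs the preview rule *would* have denied (outcome DENY), with counts.
    Nothing was blocked, so legitimate users were not disrupted."""
    hits = Counter()
    for e in entries:
        preview = e.get("jsonPayload", {}).get("previewSecurityPolicy")
        if preview and preview["name"] == policy and preview["outcome"] == "DENY":
            hits[e["httpRequest"]["remoteIp"]] += 1
    return hits


def enforced_denies(entries, policy=POLICY_NAME):
    """Client IPs actually blocked. Empty while the rule is still in preview."""
    hits = Counter()
    for e in entries:
        enforced = e.get("jsonPayload", {}).get("enforcedSecurityPolicy")
        if enforced and enforced["name"] == policy and enforced["outcome"] == "DENY":
            hits[e["httpRequest"]["remoteIp"]] += 1
    return hits


def is_lb_proxy(ip):
    """True if a source address is one the backend sees for proxied LB traffic."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in GFE_PROXY_RANGES)


def logs_explorer_filter(policy=POLICY_NAME):
    """Logs Explorer query that lists only the would-be-denied requests."""
    return (f'resource.type="http_load_balancer" '
            f'jsonPayload.previewSecurityPolicy.name="{policy}" '
            f'jsonPayload.previewSecurityPolicy.outcome="DENY"')


if __name__ == "__main__":
    print("Logs Explorer filter:", logs_explorer_filter())
    print("Would-be-denied clients (preview):", dict(preview_denies(SAMPLE_LB_LOGS)))
    print("Actually-denied clients:", dict(enforced_denies(SAMPLE_LB_LOGS)))
    src = SAMPLE_VPC_FIREWALL_LOG["jsonPayload"]["connection"]["src_ip"]
    print(f"VPC firewall log source {src} is LB proxy: {is_lb_proxy(src)}")
```

The preview tally is what confirms (or refutes) the suspected client IP before anyone is blocked; once the right address is established, re-run the `rules update` with `--no-preview` (or recreate the rule without `--preview`) to enforce it. The firewall-log check at the end shows why options C and D cannot work here: the only source address a VPC firewall rule ever sees for this traffic is the proxy range.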