An application running on a Compute Engine instance needs to read data from a Cloud Storage bucket. Your team does not allow Cloud Storage buckets to be globally readable and wants to ensure the principle of least privilege. Which option meets the requirement of your team?
A) Create a Cloud Storage ACL that allows read-only access from the Compute Engine instance's IP address and allows the application to read from the bucket without credentials.
B) Use a service account with read-only access to the Cloud Storage bucket, and store the credentials to the service account in the config of the application on the Compute Engine instance.
C) Use a service account with read-only access to the Cloud Storage bucket to retrieve the credentials from the instance metadata.
D) Encrypt the data in the Cloud Storage bucket using Cloud KMS, and allow the application to decrypt the data with the KMS key.
Correct Answer:
Verified