Securing Application Access to Cloud Storage | Principle of Least Privilege | Exam Preparation

Securing Application Access to Cloud Storage

Question

An application running on a Compute Engine instance needs to read data from a Cloud Storage bucket.

Your team does not allow Cloud Storage buckets to be globally readable and wants to ensure the principle of least privilege.

Which option meets the requirement of your team?

Answers

Explanations


C.

The correct answer to this question is B. Use a service account with read-only access to the Cloud Storage bucket, and store the credentials to the service account in the config of the application on the Compute Engine instance.

Explanation: Cloud Storage buckets can be secured using access control lists (ACLs) and IAM policies. However, in this case, the team does not allow Cloud Storage buckets to be globally readable, which means that the bucket cannot be made public or readable by all authenticated users. Therefore, a service account with read-only access should be used to access the Cloud Storage bucket.

A service account is a special type of Google account that represents an application or a virtual machine instance, rather than a human user. It is used to authenticate and authorize access to Google Cloud Platform services. By using a service account, the principle of least privilege can be applied, as access can be granted to only the resources that the service account needs to access.

Option A suggests creating a Cloud Storage ACL that allows read-only access from the Compute Engine instance's IP address, so that the application can read from the bucket without credentials. This is not the best solution because it is difficult to manage and maintain, and it is not as secure as using a service account. Furthermore, IP addresses can change, and it is not feasible to update the ACL every time the IP address changes.

Option C suggests using a service account with read-only access to the Cloud Storage bucket to retrieve the credentials from the instance metadata. While this is a valid solution, it is not the best solution because the metadata endpoint can be accessed by anyone who has access to the instance. Therefore, the credentials could be compromised if the instance is compromised.

Option D suggests encrypting the data in the Cloud Storage bucket using Cloud KMS and allowing the application to decrypt the data with the KMS key. While this is a valid solution for encrypting data, it does not address the issue of how to securely access the encrypted data. Also, it is not the most efficient solution as decryption can add processing overhead.

Option B is the best solution because it allows a service account with read-only access to the Cloud Storage bucket to be used to securely access the data. The credentials to the service account can be stored in the configuration of the application running on the Compute Engine instance, which is secured by the operating system's security mechanisms. This ensures that only the application on the Compute Engine instance can access the Cloud Storage bucket, and access is granted only to the necessary resources.
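A defender-side check for the two requirements in the question, added here as an example that is not part of the original page: it inspects a bucket IAM policy in the JSON shape returned by `gcloud storage buckets get-iam-policy gs://BUCKET --format=json`, flags any binding that makes the bucket globally readable and any role held by the application's service account that goes beyond read-only, and then builds a least-privilege version of the policy. The sample policy, project and service-account names are constructed placeholders.

```python
import json

# Members that make a bucket globally readable; the team's policy forbids them.
PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}

# Storage roles that grant only read access; anything else held by the
# application's service account is broader than least privilege requires.
READ_ONLY_ROLES = {"roles/storage.objectViewer", "roles/storage.legacyObjectReader",
                   "roles/storage.legacyBucketReader"}

# Constructed sample bucket IAM policy in the JSON shape returned by
# `gcloud storage buckets get-iam-policy gs://BUCKET --format=json`
# (project and service-account names are placeholders for this example).
APP_SA = "app-reader@example-project.iam.gserviceaccount.com"
SAMPLE_POLICY = json.loads("""{"bindings": [
  {"role": "roles/storage.objectViewer", "members": ["allUsers"]},
  {"role": "roles/storage.objectAdmin",
   "members": ["serviceAccount:app-reader@example-project.iam.gserviceaccount.com"]}
]}""")


def check_bucket_policy(policy, app_sa):
    """Return findings: public access to the bucket, and roles held by the
    application's service account that are broader than read-only."""
    findings = []
    member = f"serviceAccount:{app_sa}"
    for binding in policy.get("bindings", []):
        role = binding["role"]
        members = set(binding.get("members", []))
        for public in sorted(members & PUBLIC_MEMBERS):
            findings.append(f"bucket is globally readable: {public} has {role}")
        if member in members and role not in READ_ONLY_ROLES:
            findings.append(f"{app_sa} holds {role}; expected a read-only role")
    return findings


def least_privilege_policy(policy, app_sa):
    """Return a corrected copy of the policy: public members removed and the
    application's service account bound only to roles/storage.objectViewer."""
    member = f"serviceAccount:{app_sa}"
    bindings = []
    for binding in policy.get("bindings", []):
        members = [m for m in binding.get("members", [])
                   if m not in PUBLIC_MEMBERS and m != member]
        if members:  # drop bindings left empty after removing those members
            bindings.append({"role": binding["role"], "members": members})
    bindings.append({"role": "roles/storage.objectViewer", "members": [member]})
    return {"bindings": bindings}
```

Running `check_bucket_policy(SAMPLE_POLICY, APP_SA)` reports the public `allUsers` binding and the over-broad `objectAdmin` role; the policy returned by `least_privilege_policy` produces no findings.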