Google Cloud Professional Cloud Security Engineer Practice Exam



Which option ensures that a Compute Engine instance can read data from a Cloud Storage bucket while adhering to the principle of least privilege?

  1. Use a public access setting for the bucket

  2. Assign the bucket's owner role to the instance

  3. Use a service account with read-only access to the bucket

  4. Create a new Cloud Storage bucket for the instance

The correct answer is: Use a service account with read-only access to the bucket

Using a service account with read-only access to the bucket is the correct choice: it lets the Compute Engine instance read data from the Cloud Storage bucket while adhering to the principle of least privilege. That principle dictates that entities, whether users or services, should have only the minimal level of access necessary to perform their job functions. A service account granted read-only access to the bucket ensures that the instance can access only the data it needs and cannot modify or delete it. This minimizes security risk by limiting the potential impact of unauthorized access to, or compromise of, the instance.

The other options fall short. Using a public access setting for the bucket exposes sensitive data to anyone on the internet, which directly contradicts least privilege by providing overly broad access. Assigning the bucket's owner role to the instance grants excessive permissions, allowing the instance to alter or delete content in the bucket, which is more access than it needs. Creating a new Cloud Storage bucket for the instance does not address the need for controlled access to the existing data and may lead to unnecessary duplication and management overhead.

Therefore, a service account with read-only access strikes the right balance between providing the necessary access and maintaining security.