GCP Professional Cloud Architect Practice Question
Your company runs an internal administrative dashboard on Cloud Run. Compliance rules require that only company-managed laptops running Chrome with full-disk encryption enabled and a recent OS patch level can reach the application from any network. The organization already authenticates users with Google Workspace identities and does not want to deploy VPN clients. As the cloud architect, which solution will most efficiently satisfy these requirements?
Protect the service with Cloud Armor and allow only requests whose HTTP User-Agent header matches an approved Chrome version; block all others.
Enroll laptops in Chrome Browser Cloud Management, deploy the Endpoint Verification extension, define an Access Level that requires encrypted, up-to-date managed devices, and attach this Access Level to the Cloud Run service's Identity-Aware Proxy policy.
Grant access only to employees via a custom IAM role and mandate two-step verification for their Google Workspace accounts, without additional device controls.
Put the Cloud Run service behind Private Service Connect, require users to connect through Cloud VPN from the corporate network, and enforce network-based firewall rules.
Chrome Enterprise Premium integrates device trust signals with Google Cloud's context-aware access. When laptops are enrolled in Chrome Browser Cloud Management and have the Endpoint Verification extension, Chrome reports posture attributes such as operating-system version and disk-encryption status to Google. You can create an Access Level in Access Context Manager that specifies required attributes (device_encryption_status = ENCRYPTED, os_version >= required version). Applying this Access Level to the Identity-Aware Proxy policy on the Cloud Run service ensures that only compliant, corporate-managed devices can obtain a session, without relying on network location or VPN.
The other options fail to meet one or more constraints:
Placing the service behind Private Service Connect with VPN limits access by network, not device posture, and contradicts the requirement to avoid VPN clients.
Cloud Armor cannot evaluate device encryption or OS version; filtering by User-Agent is easily bypassed.
IAM roles and two-step verification control who can authenticate but provide no guarantee about the security state of the accessing device.
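The posture requirements described in the explanation, written as a basic access level spec for Access Context Manager. This is an added example, not part of the original question; the level name, POLICY_ID, chosen OS types and minimum versions are constructed placeholders, and mapping "company-managed" to requireCorpOwned is an assumption.

```yaml
# device-posture.yaml: basic access level spec (a list of conditions).
#
# Create the level (POLICY_ID and the level name are placeholders):
#   gcloud access-context-manager levels create managed_encrypted_patched \
#     --title="Managed, encrypted, patched laptops" \
#     --basic-level-spec=device-posture.yaml \
#     --policy=POLICY_ID
#
# Then grant roles/iap.httpsResourceAccessor on the IAP-protected service
# with an IAM condition that requires the level:
#   "accessPolicies/POLICY_ID/accessLevels/managed_encrypted_patched"
#       in request.auth.access_levels
- devicePolicy:
    # Device must be in the company-owned inventory
    # (assumed mapping for "company-managed laptops").
    requireCorpOwned: true
    # Disk-encryption status reported by Endpoint Verification.
    allowedEncryptionStatuses:
      - ENCRYPTED
    # A device passes if it matches any one entry below.
    # Minimum versions are constructed examples, not recommendations.
    osConstraints:
      - osType: DESKTOP_WINDOWS
        minimumVersion: "10.0.19045"
      - osType: DESKTOP_MAC
        minimumVersion: "14.5.0"
```

Because the level contains no IP or region condition, the decision depends on the user's identity and device posture only, which is what lets it work "from any network" without a VPN.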
GCP Professional Cloud Architect
Designing for security and compliance