CV0-002 · Question #513
A company's Chief Information Officer (CIO) wants to manage PII by delegating access to sensitive files to the human resources department. The cloud engineer is tasked with selecting and implementing
The correct answer is A. Create a group, add users to the group, and apply the appropriate ACL.. To delegate access to sensitive files for a specific department, creating a security group and applying access control lists (ACLs) is the most effective and scalable method. This ensures that all members of the HR department have the correct permissions to PII files.
Question
A company's Chief Information Officer (CIO) wants to manage PII by delegating access to sensitive files to the human resources department. The cloud engineer is tasked with selecting and implementing an appropriate technique to achieve the stated objective. Which of the following control methods would be BEST for the cloud engineer to implement?
Options
- ACreate a group, add users to the group, and apply the appropriate ACL.
- BRestrict the access to originate from the home office only.
- CCreate a shared account for users in the human resources department.
- DImplement multifactor authentication for users in the human resources department.
How the community answered
(26 responses)- A77% (20)
- B12% (3)
- C8% (2)
- D4% (1)
Why each option
To delegate access to sensitive files for a specific department, creating a security group and applying access control lists (ACLs) is the most effective and scalable method. This ensures that all members of the HR department have the correct permissions to PII files.
Creating a group for the Human Resources department and applying an Access Control List (ACL) to the sensitive files allows for efficient management of permissions. All users added to this group will automatically inherit the defined access rights, centralizing access control for the department's PII.
Restricting access by origin IP (e.g., home office) is a network security measure, not an access delegation mechanism for specific departmental users to sensitive files. It controls where access can come from, not who can access specific resources.
Creating a shared account for multiple users is a security anti-pattern as it makes accountability impossible and complicates user management. It violates the principle of least privilege and individual accountability for actions.
Implementing multifactor authentication (MFA) enhances the security of user logins but does not define or delegate specific access permissions to files. MFA strengthens identity verification, but not authorization to resources.
Concept tested: Role-based access control (RBAC) with groups and ACLs
Source: https://learn.microsoft.com/en-us/azure/role-based-access-control/overview
Topics
Community Discussion
No community discussion yet for this question.