nerdexam
CompTIA

CV0-003 · Question #533

A cloud architect wants to minimize the risk of having systems administrators in an IaaS compute instance perform application code changes. The development group should be the only group allowed to mo

The correct answer is B. Restrict the file write permissions to the development group only.. To prevent sysadmins from modifying application files while allowing only developers to do so, file write permissions must be restricted to the development group.

Security

Question

A cloud architect wants to minimize the risk of having systems administrators in an IaaS compute instance perform application code changes. The development group should be the only group allowed to modify files in the directory. Which of the following will accomplish the desired objective?

Options

  • ARemove the file write permissions for the application service account.
  • BRestrict the file write permissions to the development group only.
  • CAdd access to the fileshare for the systems administrator's group.
  • DDeny access to all development user accounts

How the community answered

(17 responses)
  • B
    88% (15)
  • C
    6% (1)
  • D
    6% (1)

Why each option

To prevent sysadmins from modifying application files while allowing only developers to do so, file write permissions must be restricted to the development group.

ARemove the file write permissions for the application service account.

Removing write permissions from the application service account would break the application's own ability to write files, not restrict sysadmins from making changes.

BRestrict the file write permissions to the development group only.Correct

Restricting file write permissions to the development group directly enforces the intended access control policy through standard Discretionary Access Control (DAC) on the filesystem. All other accounts, including systems administrators, have no write access by default because they are not members of the group granted that permission.

CAdd access to the fileshare for the systems administrator's group.

Adding fileshare access for the sysadmins group expands their permissions rather than restricts them, which is the opposite of the stated objective.

DDeny access to all development user accounts

Denying all development user accounts would prevent developers from making any code changes, directly contradicting the requirement that developers be the only group allowed to modify files.

Concept tested: Filesystem access control and least privilege in IaaS

Source: https://learn.microsoft.com/en-us/azure/role-based-access-control/best-practices

Topics

#access control#file permissions#least privilege#IAM

Community Discussion

No community discussion yet for this question.

Full CV0-003 Practice