PROFESSIONAL-CLOUD-SECURITY-ENGINEER Question #49: Real Exam Question with Answer & Explanation

Submitted by fernanda_arg · Apr 18, 2026
Exam domain: Configuring access within a cloud solution environment

Question

A customer implements Cloud Identity-Aware Proxy for their ERP system hosted on Compute Engine. Their security team wants to add a security layer so that the ERP systems only accept traffic from Cloud Identity-Aware Proxy. What should the customer do to meet these requirements?

Options

  • A. Make sure that the ERP system can validate the JWT assertion in the HTTP requests.
  • B. Make sure that the ERP system can validate the identity headers in the HTTP requests.
  • C. Make sure that the ERP system can validate the x-forwarded-for headers in the HTTP requests.
  • D. Make sure that the ERP system can validate the user's unique identifier headers in the HTTP

Explanation

Why A is correct: Cloud IAP adds a signed JSON Web Token (JWT) to every proxied request in the X-Goog-IAP-JWT-Assertion HTTP header. If the ERP application cryptographically validates this JWT (signature, issuer, audience and expiry), it can reject any request that did not pass through IAP. This is the Google-recommended pattern for ensuring that backend services only accept IAP-authenticated traffic, and it matters because a misconfigured firewall or an internal caller could otherwise reach the backend directly.

Why the distractors are wrong:

  • B is vague and misleading: "identity headers" are not a defined IAP security mechanism. IAP does forward plain headers such as X-Goog-Authenticated-User-Email, but they carry no signature; the verifiable identity information is inside the JWT.
  • C is wrong because X-Forwarded-For only lists the IP addresses of intermediaries and can be set by any client; it provides no cryptographic proof that traffic came from IAP.
  • D is wrong for the same reason as B: a plain user identifier header carries no signature and can be forged by any client that bypasses IAP.

Memory tip: Think "JWT = cryptographic proof." Any plain header (identity, user ID, forwarded-for) can be faked by an attacker who bypasses the proxy. Only a signed JWT proves the request actually passed through Cloud IAP, because only Google holds the signing key.

Topics

#Cloud IAP · #JWT validation · #Application security · #Backend access control
