Comprehensive and Detailed Explanation From Exact Extract:
The greatest risk to regulatory compliance stems from violations of the Principle of Least Privilege and the lack of enforced configuration/hardening standards. Regulatory compliance typically mandates strict control over infrastructure and sensitive systems.
Option A (Greatest Risk): Broad IAM roles violate the principle of least privilege, which is a fundamental compliance requirement (e.g., ISO 27001, PCI DSS). Allowing users to create and manage critical resources (VMs) without a predefined hardening process means new resources can be deployed in a non-compliant, vulnerable state (e.g., unpatched, open ports, default configurations). This combination of excessive access and missing configuration control poses an immediate and high risk to the security posture and to compliance.
Option B (Risk Reduction): Uniform bucket-level access reduces risk by enforcing a single, consistent IAM policy for all objects in a bucket and disabling per-object ACLs, which are a common source of misconfiguration and unauthorized access.
Option C (Risk Reduction): Mandating customer-managed encryption keys (CMEK) is a security-enhancing control that reduces risk by giving the customer exclusive control over the encryption keys protecting sensitive data, which is a common requirement in regulated environments.
Option D (Necessary Control): Providing the audit team access to Cloud Audit Logs is a compliance requirement for monitoring, accountability, and forensic investigation, not a risk.
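As an added illustration (not part of the source explanation), the following Python audit flags the Option A condition (basic roles such as roles/editor, or public principals, in a project IAM policy) and the missing Option B and C controls on buckets. The IAM policy and bucket records are constructed samples shaped like the output of gcloud projects get-iam-policy and the Cloud Storage JSON API bucket resource; project, group and key names are placeholders.

```python
import json

# Constructed sample inputs (not real project data), shaped like a project IAM
# policy from `gcloud projects get-iam-policy --format=json` and two bucket
# resources from the Cloud Storage JSON API.
SAMPLE_POLICY = json.loads("""
{"bindings": [
  {"role": "roles/editor", "members": ["group:all-devs@example.com"]},
  {"role": "roles/compute.instanceAdmin.v1", "members": ["user:alice@example.com"]},
  {"role": "roles/logging.viewer", "members": ["group:auditors@example.com"]}
]}""")
SAMPLE_BUCKETS = [
    {"name": "pii-exports",
     "iamConfiguration": {"uniformBucketLevelAccess": {"enabled": False}}},
    {"name": "pii-archive",
     "iamConfiguration": {"uniformBucketLevelAccess": {"enabled": True}},
     "encryption": {"defaultKmsKeyName": "projects/p/locations/us/keyRings/kr/cryptoKeys/k"}},
]

# Basic roles grant broad, project-wide permissions: the Option A violation.
BROAD_ROLES = {"roles/owner", "roles/editor"}
PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}

def audit_iam_policy(policy):
    """Return (finding, role, member) tuples for least-privilege violations."""
    findings = []
    for binding in policy.get("bindings", []):
        role = binding["role"]
        for member in binding.get("members", []):
            if role in BROAD_ROLES:
                findings.append(("BROAD_ROLE", role, member))
            if member in PUBLIC_MEMBERS:
                findings.append(("PUBLIC_MEMBER", role, member))
    return findings

def audit_bucket(bucket):
    """Return the hardening controls (Options B and C) missing on a bucket."""
    missing = []
    ubla = bucket.get("iamConfiguration", {}).get("uniformBucketLevelAccess", {})
    if not ubla.get("enabled", False):
        missing.append("UNIFORM_BUCKET_LEVEL_ACCESS")
    if not bucket.get("encryption", {}).get("defaultKmsKeyName"):
        missing.append("CMEK_DEFAULT_KEY")
    return missing

if __name__ == "__main__":
    for finding in audit_iam_policy(SAMPLE_POLICY):
        print("IAM finding:", *finding)
    for bucket in SAMPLE_BUCKETS:
        print("bucket", bucket["name"], "missing:", audit_bucket(bucket) or "nothing")
```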
Extracts:
"The principle of least privilege states that a user should only be granted the minimum permissions necessary to perform their work. Overly permissive roles introduce a significant risk." (Source 5.1)
"Non-compliant configurations, such as unhardened virtual machines or resources with insufficient security controls, are a major source of security breaches and regulatory findings." (Source 5.2)