GCP Professional Cloud Architect Practice Question: Designing for security and compliance
Your security team mandates that BigQuery data in the analytics-prod project must only be queried from Google-managed laptops that comply with company endpoint policies. In addition, the data must never be copied to projects outside analytics-prod, even if an IAM administrator accidentally grants BigQuery roles to another project's service account. Which security control design best meets both requirements?
Create a VPC Service Controls perimeter around analytics-prod and add an Access Context Manager access level that allows requests only from corporate-managed devices, denying all other egress.
Configure an organization-level hierarchical firewall policy that blocks all egress except to the corporate VPN and turn on BigQuery Data Access audit logs in analytics-prod.
Enable Cloud Identity-Aware Proxy for BigQuery, create a context-aware access policy requiring compliant devices, and export BigQuery audit logs to Cloud Storage for additional monitoring.
Apply an organization policy that disables cross-project data export and enforces CMEK for BigQuery, while routing all traffic through Cloud NAT private IP ranges.
The first option is correct. A VPC Service Controls service perimeter around analytics-prod enforces access at the BigQuery API boundary, independently of IAM: an identity outside the perimeter that has been granted BigQuery roles still cannot read the protected data, and a query, table copy or extract that would write results into a project outside the perimeter is denied, because egress from a perimeter is blocked unless an egress rule explicitly allows it. Attaching an Access Context Manager access level whose device policy requires corporate-owned, compliant devices (the device attributes are reported by Endpoint Verification on the laptops) as the ingress condition means BigQuery requests succeed only from those laptops. The other options each miss at least one requirement. Identity-Aware Proxy fronts App Engine, Compute Engine, GKE and Cloud Run workloads behind an HTTPS load balancer (or TCP forwarding to VMs); it cannot be placed in front of a Google API such as BigQuery. No organization policy constraint disables cross-project BigQuery export, and CMEK and Cloud NAT say nothing about which identities or devices may read the data. Hierarchical firewall policies govern packets to and from VM network interfaces in a VPC, not authorization of API calls to bigquery.googleapis.com, and Data Access audit logs record reads after the fact rather than preventing them.
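As an added example that is not part of the original question or explanation, the following Terraform configuration expresses the chosen design in the Google provider's Access Context Manager resources. It assumes an existing organization-level access policy whose numeric ID is supplied as var.access_policy_id, that analytics-prod has the project number supplied as var.project_number, and that the laptops run Endpoint Verification so their device attributes are available; the resource names, titles and the set of permitted operating systems are illustrative choices.

```hcl
# Added example: Terraform for the VPC Service Controls design in the answer.
# Assumptions (not from the original page): an existing access policy and the
# project number of analytics-prod are supplied as variables.
variable "access_policy_id" {
  description = "Numeric ID of the org-level Access Context Manager policy (assumed to exist)"
  type        = string
}

variable "project_number" {
  description = "Project number of analytics-prod (assumed)"
  type        = string
}

locals {
  policy = "accessPolicies/${var.access_policy_id}"
}

# Access level: the request must originate from a corporate-owned, fully managed,
# encrypted device with a screen lock. Endpoint Verification on the laptop reports
# these attributes; a request from any other device fails the condition.
resource "google_access_context_manager_access_level" "managed_laptops" {
  parent = local.policy
  name   = "${local.policy}/accessLevels/managed_laptops"
  title  = "managed_laptops"

  basic {
    conditions {
      device_policy {
        require_corp_owned               = true
        require_screen_lock              = true
        allowed_encryption_statuses      = ["ENCRYPTED"]
        allowed_device_management_levels = ["COMPLETE"]
        os_constraints {
          os_type = "DESKTOP_MAC"
        }
        os_constraints {
          os_type = "DESKTOP_WINDOWS"
        }
      }
    }
  }
}

# Perimeter: BigQuery in analytics-prod is reachable only under the ingress rule
# below. There is deliberately no egress_policies block, so BigQuery data cannot
# flow to projects outside the perimeter even when IAM grants an outside service
# account BigQuery roles.
resource "google_access_context_manager_service_perimeter" "analytics_prod" {
  parent         = local.policy
  name           = "${local.policy}/servicePerimeters/analytics_prod"
  title          = "analytics_prod"
  perimeter_type = "PERIMETER_TYPE_REGULAR"

  status {
    resources           = ["projects/${var.project_number}"]
    restricted_services = ["bigquery.googleapis.com"]

    # Ingress: only user accounts (not service accounts) coming from a device that
    # satisfies the access level may call BigQuery methods on perimeter resources.
    ingress_policies {
      ingress_from {
        identity_type = "ANY_USER_ACCOUNT"
        sources {
          access_level = google_access_context_manager_access_level.managed_laptops.name
        }
      }
      ingress_to {
        resources = ["*"]
        operations {
          service_name = "bigquery.googleapis.com"
          method_selectors {
            method = "*"
          }
        }
      }
    }
  }
}
```

Before enforcing this, a practitioner would normally deploy the perimeter in dry-run mode (the resource's spec block with use_explicit_dry_run_spec set to true) and review the VPC Service Controls entries in the audit logs: the perimeter blocks every cross-project BigQuery flow that lacks an explicit egress rule, including legitimate ones such as scheduled loads from a shared data lake project, and those must be allowed deliberately rather than discovered as outages.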