GCP Professional Cloud Security Engineer Practice Question
A healthcare organization manages multiple projects that process protected health information (PHI). You must expand the existing VPC Service Controls service perimeter to include a new BigQuery project called bq-analytics. Leadership worries that an overly strict perimeter might disrupt on-premises integrations that still rely on public endpoints. You need to demonstrate which requests would be denied before the perimeter is enforced, yet avoid any impact on production traffic. Which approach meets these requirements with minimal operational risk?
Rely on BigQuery Cloud Audit Logs in the bq-analytics project to detect permission-denied errors after enforcing the perimeter.
Create a new enforced service perimeter that contains only the bq-analytics project and observe whether applications fail to connect.
First enable Private Google Access on all subnets, then move the bq-analytics project into an enforced perimeter; if issues occur, roll back the subnet setting.
Add the bq-analytics project to the existing service perimeter's dry-run configuration, enable Cloud Logging for VPC Service Controls, and monitor the cloudaudit.googleapis.com/policy logs for violations.
VPC Service Controls provides a dry-run (test) mode that evaluates proposed perimeter changes without enforcing them. By adding the bq-analytics project to the perimeter's dry-run configuration and enabling Cloud Logging, any access that would be blocked after enforcement is instead logged to Cloud Audit Logs under the log name "cloudaudit.googleapis.com/policy". This supplies evidence of potential disruptions while ensuring no production traffic is actually blocked. The other options, creating a separate enforced perimeter, depending solely on BigQuery Audit Logs, or relying on Private Google Access, either risk service interruption or fail to capture VPC Service Controls policy-violation information.
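An added example, not part of the original question page: Python that tallies would-be denials from exported `cloudaudit.googleapis.com/policy` entries by caller, so on-premises clients that still use public endpoints stand out before the perimeter is enforced. The JSON field names (`metadata.dryRun`, `metadata.violationReason`, `requestMetadata.callerIp`) are assumed to follow the Cloud Audit Logs layout, and the principals, IP addresses and entries are constructed.

```python
from collections import Counter

POLICY_LOG = "cloudaudit.googleapis.com%2Fpolicy"  # URL-encoded form used in logName

def _entry(log_id, dry_run, principal, ip, reason):
    """Build a constructed log entry in the assumed audit-log JSON layout."""
    return {
        "logName": f"projects/bq-analytics/logs/{log_id}",
        "protoPayload": {
            "serviceName": "bigquery.googleapis.com",
            "authenticationInfo": {"principalEmail": principal},
            "requestMetadata": {"callerIp": ip},
            "metadata": {"dryRun": dry_run, "violationReason": reason},
        },
    }

# Constructed sample data (documentation IP ranges, made-up principals).
SAMPLE_ENTRIES = [
    _entry(POLICY_LOG, True, "etl@onprem.example", "203.0.113.10", "NO_MATCHING_ACCESS_LEVEL"),
    _entry(POLICY_LOG, True, "etl@onprem.example", "203.0.113.10", "NO_MATCHING_ACCESS_LEVEL"),
    _entry(POLICY_LOG, "true", "analyst@onprem.example", "198.51.100.7", "NO_MATCHING_ACCESS_LEVEL"),
    # Enforced denial (not dry-run): out of scope for a pre-enforcement report.
    _entry(POLICY_LOG, False, "batch@onprem.example", "203.0.113.20", "NO_MATCHING_ACCESS_LEVEL"),
    # Data Access audit log: carries no perimeter evaluation, so it is ignored.
    _entry("cloudaudit.googleapis.com%2Fdata_access", True, "etl@onprem.example", "203.0.113.10", "n/a"),
]

def is_dry_run_violation(entry):
    """True only for policy-log entries flagged as dry-run (would-be denials)."""
    if not entry.get("logName", "").endswith("/logs/" + POLICY_LOG):
        return False
    meta = entry.get("protoPayload", {}).get("metadata", {})
    return meta.get("dryRun") in (True, "true")  # tolerate bool or string export

def summarize(entries):
    """Count would-be denials per (principal, caller IP, service, reason)."""
    counts = Counter()
    for e in filter(is_dry_run_violation, entries):
        p = e["protoPayload"]
        principal = p.get("authenticationInfo", {}).get("principalEmail", "unknown")
        caller_ip = p.get("requestMetadata", {}).get("callerIp", "unknown")
        reason = p["metadata"].get("violationReason", "unknown")
        counts[(principal, caller_ip, p.get("serviceName", "unknown"), reason)] += 1
    return counts

if __name__ == "__main__":
    for key, n in summarize(SAMPLE_ENTRIES).most_common():
        print(n, *key)
```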
GCP Professional Cloud Security Engineer
Securing communications and establishing boundary protection