GCP Professional Cloud Security Engineer Practice Question

An investment bank runs several Google Cloud projects that store European customer PII. Auditors require that any interactive access by Google personnel to these projects be blocked until the bank's security-operations (SecOps) group explicitly grants just-in-time approval, and that every such event be logged for later review. Routine automated service operations performed by Google must continue without interruption. Which solution best meets these requirements while minimizing operational overhead?

Disable all Google-managed service accounts with an organization policy and encrypt all data with customer-supplied encryption keys (CSEK) to prevent Google from accessing data without the bank's intervention.
Enable Access Approval at the organization level, assign the SecOps Google Group the Access Approval Approver IAM role, and rely on the built-in Access Transparency logs for auditability.
Create a VPC Service Controls perimeter around the projects and deploy a Cloud Function that automatically approves or rejects access requests based on tags supplied by Google support.
Enable only Access Transparency on each project so that any Google access is logged, and periodically review the logs for unauthorized activity.

Report Issue

Answer Description

Access Approval allows customers to place an approval gate in front of any manual (human) access that Google support or engineering staff might need, while not affecting Google's automated system maintenance. Enabling Access Approval at the organization level automatically covers every current and future project unless individually overridden, reducing administrative effort. Granting the SecOps Google Group the predefined IAM role roles/accessapproval.approver lets its members approve or dismiss requests. Access Transparency is activated with Access Approval, ensuring that every provider access attempt and its customer decision are written to audit logs for compliance verification.

The other options do not meet all requirements:

Enabling only Access Transparency creates audit logs but does not block access pending approval.
VPC Service Controls address data exfiltration risks, not provider access, and custom functions cannot intercept Google personnel access.
Disabling Google-managed service accounts or using customer-supplied encryption keys would hinder essential automated maintenance and still would not provide an approve/deny workflow or full audit trail.

Ask Bash

Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.