GCP Professional Cloud Security Engineer Practice Question
You are implementing a BeyondCorp security model for an internal HR self-service portal that will run on Cloud Run and be protected by Cloud IAP. Only employees using company-managed devices that satisfy minimum security posture (screen lock and encryption) and that originate from the corporate VPN's CIDR block should be able to reach the service. With minimal ongoing operational effort, which Access Context Manager configuration will best enforce these requirements?
Grant all employees a custom IAM role with an IAM condition limiting access to the VPN subnet and requiring secure devices.
Create a basic access level that includes the corporate VPN IPv4 subnet in ipSubnetworks and a device policy requiring verified, encrypted, company-managed devices, then associate this level with Cloud IAP for the HR service.
Apply an organization policy that blocks external IP access to the HR project and rely on Security Command Center to flag non-compliant devices.
Place the HR project in a VPC Service Controls perimeter and configure ingress and egress rules to allow traffic only from the VPN subnet and trusted devices.
Access Context Manager lets you define reusable access levels that capture contextual requirements, such as source IP ranges and verified device attributes, and bind those levels to Google Cloud services that support context-aware access, including Cloud IAP. A basic access level whose condition lists the corporate VPN subnet in the "ipSubnetworks" field and carries a device policy requiring corp-owned, encrypted, screen-locked devices covers both constraints in a single object; the device attributes are reported by Endpoint Verification running on the managed endpoints. Once the level is bound to the IAP-protected resource (an IAM binding on roles/iap.httpsResourceAccessor whose condition references the level through request.auth.access_levels), IAP denies every request that does not satisfy the level. Because the conditions live in the access level rather than in per-resource rules, a later change to the VPN range or the posture requirements is a single edit, which is what keeps ongoing operational effort low. The other options fail because:
Organization policy constraints act on resource configuration at deploy time, and Security Command Center reports findings after the fact; neither evaluates user or device context on each request.
VPC Service Controls restrict access to Google Cloud APIs and service data inside a perimeter to mitigate exfiltration; they do not govern end-user HTTP requests to a Cloud Run application, so they cannot gate the portal on device posture.
IAM conditions cannot directly evaluate source IP or device compliance attributes; both reach IAM only through request.auth.access_levels, which presupposes an access level, so a custom role with an IAM condition does not remove the need for Access Context Manager and, on its own, cannot express the device requirement.
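The following script is an added example, not part of the original page or of any Google sample; it builds the basic access level that the correct answer describes and binds it to the IAP-protected backend. The organization ID, VPN CIDR, access level name, backend service name and Google group are assumed placeholder values, and the script assumes the Cloud Run service sits behind an HTTPS load balancer backend service that IAP protects.

```bash
#!/usr/bin/env bash
# Added example (not from the original page): create an Access Context Manager
# basic access level requiring the VPN subnet AND a compliant managed device,
# then bind it to the IAP-protected backend via an IAM condition.
# Assumed, hypothetical values: org ID, VPN CIDR, level name, backend service,
# Google group. Replace them for a real project.
set -euo pipefail

ORG_ID="${ORG_ID:-123456789012}"                  # assumed organization ID
VPN_CIDR="${VPN_CIDR:-10.8.0.0/16}"               # assumed corporate VPN egress range
LEVEL_NAME="${LEVEL_NAME:-hr_vpn_managed_device}" # assumed access level name
BACKEND="${BACKEND:-hr-portal-backend}"           # assumed LB backend service fronting Cloud Run
GROUP="${GROUP:-hr-employees@example.com}"        # assumed Google group of employees

# Look up the organization's access policy number (there is one per organization).
policy_number() {
  gcloud access-context-manager policies list \
    --organization="$ORG_ID" --format='value(name.basename())'
}

# Write the basic level spec. A spec is a list of conditions; every field inside
# one condition must hold, so a single condition expresses "VPN AND compliant device".
write_level_spec() {
  local out="$1"
  cat >"$out" <<EOF
- ipSubnetworks:
  - ${VPN_CIDR}
  devicePolicy:
    requireScreenlock: true
    allowedEncryptionStatuses:
    - ENCRYPTED
    requireCorpOwned: true
EOF
  printf '%s\n' "$out"
}

# CEL expression IAP evaluates on every request: the caller must hold the access level.
iap_condition_expression() {
  local policy="$1"
  printf '"accessPolicies/%s/accessLevels/%s" in request.auth.access_levels' \
    "$policy" "$LEVEL_NAME"
}

create_level() {
  local policy="$1" spec="$2"
  gcloud access-context-manager levels create "$LEVEL_NAME" \
    --title="HR portal: VPN + managed device" \
    --basic-level-spec="$spec" \
    --policy="$policy"
}

# Grant the group the IAP accessor role only when the access level is satisfied.
bind_to_iap() {
  local policy="$1"
  gcloud iap web add-iam-policy-binding \
    --resource-type=backend-services \
    --service="$BACKEND" \
    --member="group:${GROUP}" \
    --role=roles/iap.httpsResourceAccessor \
    --condition="expression=$(iap_condition_expression "$policy"),title=hr_vpn_managed_device"
}

# Run the gcloud steps only when explicitly asked, so the file can be sourced safely.
if [ "${1:-}" = "apply" ]; then
  POLICY="$(policy_number)"
  SPEC="$(write_level_spec "$(mktemp)")"
  create_level "$POLICY" "$SPEC"
  bind_to_iap "$POLICY"
fi
```

Run it with `bash hr_iap_access_level.sh apply` from an account that can administer Access Context Manager and IAP. The device policy only evaluates to true for devices that report posture through Endpoint Verification, so an unmanaged device on the VPN is still denied, which is the BeyondCorp point of the question.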