GCP Professional Cloud Security Engineer Practice Question

Your organization exposes a machine-learning scoring service through Cloud Functions fronted by API Gateway. Partner companies call the endpoint with API keys that you create in the Google Cloud console. After one partner's key was leaked, the service was abused from hundreds of unknown IP addresses. Security leadership asks you to redesign the solution so that:

Each key can only be used from the partner's corporate network.
A stolen key must not grant access to other Google Cloud APIs.
The SOC must be alerted immediately if any request with an invalid source IP or an unauthorized API call is logged.

Which approach best satisfies these requirements while adding the least operational overhead?

Issue a dedicated API key for each partner, restrict the key to the API Gateway service and to the partner's public IP ranges, and create a log-based metric on Cloud Logging that triggers an alert when requests are rejected due to invalid source IP or unauthorized API usage.
Keep the existing key but place Cloud Armor in front of API Gateway, enable geo-blocking and adaptive rate limiting rules, and forward security findings to the SOC.
Enclose the project in a VPC Service Controls perimeter and add the partner projects as perimeter members; configure egress policies so only API Gateway can be reached from outside the perimeter.
Replace API keys with user-managed OAuth 2.0 tokens issued by Identity-Aware Proxy (IAP) and configure a Cloud Monitoring alert on failed iam.googleapis.com audit log entries.

Report Issue

Answer Description

Issuing a separate API key per partner and applying both types of built-in Google Cloud API key restrictions addresses the blast-radius and monitoring requirements. An IP address restriction ensures that calls accepted by API Gateway originate only from the partner's published egress CIDR ranges, while an API restriction confines the key's usability solely to the specific API Gateway service that fronts the Cloud Functions backend-preventing its use against any other Google Cloud API.

Cloud Logging automatically records every request handled by API Gateway, including those rejected because the source IP is outside the allowed list or because the key attempts to call a non-authorized API. Creating a log-based metric that filters for these failure reasons (for example, status:PERMISSION_DENIED AND (api_key_invalid OR api_key_unauthorized)) and attaching an alerting policy allows the SOC to receive near-real-time notifications of attempted misuse.

The other options fail to meet one or more requirements:

Re-architecting to OAuth tokens (option A) adds significant integration complexity for partners and still requires IP-based controls.
Relying only on Cloud Armor rate limiting and geo-blocking (option C) mitigates volumetric attacks but does not constrain key usage to a single API nor watch for key misuse events.
VPC Service Controls (option D) protect Google-managed data services such as Cloud Storage or BigQuery, not Cloud Functions behind API Gateway, so they cannot enforce the described API key restrictions.

Ask Bash

Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.