GCP Professional Cloud Security Engineer Practice Question

Your organization has two Google Cloud projects. Project "prod-data" hosts BigQuery datasets containing protected health information (PHI). Project "analytics-tools" runs scheduled Dataflow jobs that must query those datasets. Security has issued these directives:

Prevent any PHI from being copied from BigQuery to the public internet or to projects outside the security boundary, even if IAM is misconfigured or credentials are exposed.
Permit Dataflow jobs to read the datasets only when the job workers originate from the corporate HQ's on-premises CIDR 203.0.113.0/24, reached over Cloud Interconnect.
Continue to allow "prod-data" to write stackdriver logging and monitoring data to their corresponding Google Cloud services without restriction.

What is the most effective and operationally efficient design to meet these requirements?

Remove all external IP addresses from resources in prod-data, apply an egress-deny VPC firewall rule, and set up VPC Network Peering with analytics-tools to permit private BigQuery access.
Add an IAM Condition on the BigQuery Data Viewer role limiting access to requests from 203.0.113.0/24 and configure Cloud Armor to block outbound traffic from prod-data to the public internet.
Create a single VPC Service Controls service perimeter that includes both projects, add BigQuery to the protected services list, define an access level restricted to 203.0.113.0/24 and attach it to the perimeter, and leave Cloud Logging and Monitoring to use their default perimeter-bridged access.
Enable customer-managed encryption keys (CMEK) for all BigQuery datasets in prod-data and grant the analytics-tools service accounts IAM BigQuery Data Viewer roles; rely on CMEK to prevent data exfiltration.

Report Issue

Answer Description

VPC Service Controls create a service perimeter around Google-managed APIs, preventing data exfiltration to destinations outside the perimeter even when IAM is mis-configured or credentials are leaked. Placing both prod-data and analytics-tools inside the same perimeter keeps BigQuery calls between the projects internal to Google's network. Adding an access level that matches traffic sourced from the corporate on-premises CIDR to the perimeter's access policy ensures that only Dataflow workers reached through the Interconnect link can invoke BigQuery APIs. Cloud Logging and Cloud Monitoring are on the list of Google services that remain accessible by default from within a perimeter, so no additional configuration is needed. The other options either do not stop API-level exfiltration (CMEK, firewall only), misuse unrelated services (Cloud Armor), or add unnecessary operational complexity (multiple perimeters with ingress rules) without improving security.

Ask Bash

Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.