GCP Professional Cloud Security Engineer Practice Question
Your organization hosts all finance workloads inside a dedicated Google Cloud folder. Compliance now requires that any request to Cloud Storage APIs for projects in this folder be permitted only when the caller is either (a) coming from one of your on-premises NAT IP address ranges or (b) using a company-managed, encrypted device that meets Google endpoint-verification standards. You must enforce this control centrally without changing individual bucket IAM policies and ensure that any future projects created in the finance folder automatically inherit the restriction. What should you do?
Attach a Cloud Armor security policy to every finance bucket's JSON API endpoint, restricting traffic to the trusted IP ranges and permitting requests only from devices presenting valid endpoint-verification headers.
Create an organization-level Access Policy. Define a custom access level that allows either the trusted on-premises CIDR ranges or compliant, company-managed devices. Create a VPC Service Controls perimeter that includes the finance folder and add the access level to the perimeter's ingress rules.
Add an IAM conditional binding at the organization level that grants storage.objectViewer to all finance users only when request.ip and request.device attributes match the corporate policy.
Configure VPC firewall rules in each finance project that only allow egress from approved corporate IP ranges and require mutual TLS with client certificates from managed devices.
Create an organization-wide access policy in Access Context Manager and define a custom access level that allows requests originating either from the trusted on-premises CIDR ranges or from devices that satisfy the required endpoint-verification attributes. Then create a VPC Service Controls service perimeter that protects Cloud Storage, add the finance folder to the perimeter so all present and future projects are included, and attach the access level to the perimeter's ingress rules. Any request coming from outside the perimeter must now meet the specified network or device attributes before it is allowed.
VPC firewall rules apply to traffic to or from VM instances and cannot validate device posture or protect Google-managed service APIs. Cloud Armor secures HTTP(S) traffic through external load balancers and cannot filter direct Cloud Storage JSON or XML API calls, nor can it evaluate device compliance. IAM conditional bindings do inherit to child projects, but IAM Conditions cannot reference device compliance attributes and would require role-specific bindings that do not universally cover all Cloud Storage access paths, making them insufficient for this requirement.
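As an added example, not code from the page or from Google's tooling: a small local Python model of the access level the explanation describes, written in the shape of the Access Context Manager AccessLevel REST body (two basic conditions combined with OR). It evaluates constructed request attributes offline to show which requests the level admits and why combining the conditions with AND would not meet the requirement. The policy ID, CIDRs and the request-side device attribute names are assumptions; real evaluation happens in Access Context Manager, not in this code.

```python
import copy
import ipaddress

# Constructed sample access level in the AccessLevel REST body shape.
# POLICY_ID and the CIDRs are placeholders, not values from the page.
FINANCE_TRUSTED = {
    "name": "accessPolicies/POLICY_ID/accessLevels/finance_trusted",
    "title": "Finance: on-prem NAT ranges OR compliant managed device",
    "basic": {
        "combiningFunction": "OR",  # any single matching condition admits the request
        "conditions": [
            {"ipSubnetworks": ["203.0.113.0/24", "198.51.100.0/25"]},
            {"devicePolicy": {
                "requireCorpOwned": True,
                "allowedEncryptionStatuses": ["ENCRYPTED"],
                "allowedDeviceManagementLevels": ["COMPLETE"],
            }},
        ],
    },
}

# Constructed Endpoint Verification attributes for a compliant device
# (attribute names are this example's own, not the product's schema).
COMPLIANT_DEVICE = {"corp_owned": True, "encryption": "ENCRYPTED", "management": "COMPLETE"}

def _ip_matches(cidrs, ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(c) for c in cidrs)

def _device_matches(policy, device):
    # An unverified device is {} and therefore fails every required check.
    return all([
        not policy.get("requireCorpOwned") or device.get("corp_owned", False),
        device.get("encryption") in policy.get("allowedEncryptionStatuses", [device.get("encryption")]),
        device.get("management") in policy.get("allowedDeviceManagementLevels", [device.get("management")]),
    ])

def _condition_matches(cond, ip, device):
    # Within one condition every listed attribute must hold; `negate` inverts the result.
    checks = []
    if "ipSubnetworks" in cond:
        checks.append(_ip_matches(cond["ipSubnetworks"], ip))
    if "devicePolicy" in cond:
        checks.append(_device_matches(cond["devicePolicy"], device))
    return all(checks) != bool(cond.get("negate"))

def evaluate(level, ip, device):
    """Local model only: True if the request attributes satisfy the access level."""
    basic = level["basic"]
    hits = [_condition_matches(c, ip, device) for c in basic["conditions"]]
    return any(hits) if basic.get("combiningFunction", "AND") == "OR" else all(hits)

def as_and(level):
    """Same conditions combined with AND, to show why OR is the right combiner here."""
    clone = copy.deepcopy(level)
    clone["basic"]["combiningFunction"] = "AND"
    return clone
```

With OR, an on-premises request from an unverified device and an off-network request from a compliant device are both admitted; with AND, the on-premises request would be rejected unless the device is also compliant, which is not what the requirement asks for.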