GCP Professional Cloud Security Engineer Practice Question
Your organization must prevent PHI that resides in a production Cloud Storage bucket from being copied to any Google Cloud resource outside a tightly controlled analytics environment, even if a valid credential is leaked. The analytics workload runs in a separate project. External analysts employed by a partner need to load reference data into a BigQuery dataset in the analytics project from a known static public IPv4 /29 block. Which architecture change most effectively enforces these compliance requirements while allowing the partner upload path to continue working?
Enable Private Service Connect for BigQuery in both projects, disable Cloud NAT, and rely on VPC firewall rules to restrict internet egress.
Place both projects in a single VPC Service Controls perimeter; add an ingress policy that allows BigQuery requests only when they originate from the partner's static IP range, and leave the perimeter's egress policy at its default deny setting.
Harden IAM by removing the Storage Object Admin role from all users outside the analytics project and set the compute.vmExternalIpAccess organization policy constraint to deny.
Merge analytics and production workloads into a Shared VPC host project and apply hierarchical firewall egress rules that allow traffic only to BigQuery API endpoints.
A single VPC Service Controls service perimeter around the production and analytics projects blocks all BigQuery and Cloud Storage calls that attempt to reach projects or services outside the perimeter, mitigating data-exfiltration risk even if credentials are stolen. Because service perimeters deny egress by default, PHI cannot be exported. An ingress policy can be added that references an access level matching the partner's static IP range, permitting just-in-time BigQuery ingestion traffic from that network into the analytics project. Private Service Connect, firewall rules, and Shared VPC egress rules do not enforce data movement controls on Google-managed APIs; IAM and org policy hardening alone cannot stop programmatic exports once a principal has data-access permissions.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
What is VPC Service Controls in Google Cloud?
Open an interactive chat with Bash
How does an ingress policy work in VPC Service Controls?
Open an interactive chat with Bash
Why does Private Service Connect not enforce data movement controls effectively in this scenario?
Open an interactive chat with Bash
What are VPC Service Controls?
Open an interactive chat with Bash
How does an ingress policy work in VPC Service Controls?
Open an interactive chat with Bash
Why can't IAM or organization policy constraints alone enforce data exfiltration controls for PHI?
Open an interactive chat with Bash
GCP Professional Cloud Security Engineer
Supporting compliance requirements
Your Score:
Report Issue
Bash, the Crucial Exams Chat Bot
AI Bot
Loading...
Loading...
Loading...
Pass with Confidence.
IT & Cybersecurity Package
You have hit the limits of our free tier, become a Premium Member today for unlimited access.
Military, Healthcare worker, Gov. employee or Teacher? See if you qualify for a Community Discount.
Monthly
$19.99 $11.99
$11.99/mo
Billed monthly, Cancel any time.
$19.99 after promotion ends
3 Month Pass
$44.99 $26.99
$8.99/mo
One time purchase of $26.99, Does not auto-renew.
$44.99 after promotion ends
Save $18!
MOST POPULAR
Annual Pass
$119.99 $71.99
$5.99/mo
One time purchase of $71.99, Does not auto-renew.
$119.99 after promotion ends
Save $48!
BEST DEAL
Lifetime Pass
$189.99 $113.99
One time purchase, Good for life.
Save $76!
What You Get
All IT & Cybersecurity Package plans include the following perks and exams .