GCP Professional Cloud Security Engineer Practice Question
Your organization stores PII in BigQuery datasets in project "prod-data". Data analysts need to query these datasets from the BigQuery console only when they are on the corporate network 203.0.113.0/24. A Cloud Run service in a separate project "analytics" must read the datasets but must be blocked from writing the data to Cloud Storage or any other Google-managed service. With the smallest possible trust boundary, how should you configure VPC Service Controls to satisfy these requirements?
Enable Customer-Managed Encryption Keys (CMEK) on the BigQuery datasets and Cloud Run service, then rely on IAM permissions to restrict Cloud Storage writes from the service.
Place only "prod-data" in a service perimeter. Add an ingress rule that allows the Cloud Run service account from project "analytics" to call BigQuery, and leave egress rules open so the service can export results if needed.
Create a single service perimeter that includes both "prod-data" and "analytics". Within that perimeter add: (1) an egress rule that permits only the BigQuery API and denies all other Google APIs, and (2) an access level limited to the 203.0.113.0/24 corporate CIDR, then bind this access level to the perimeter.
Enable Private Google Access on the "prod-data" subnets and create VPC firewall rules that deny egress to the public IP ranges of Cloud Storage. Do not use VPC Service Controls to avoid added complexity.
Putting both projects in a single service perimeter prevents data exfiltration from the protected BigQuery service while still allowing the Cloud Run service to read the data, because calls that stay inside the perimeter are always permitted. An egress rule that limits access to only the BigQuery API ensures that services in the perimeter (including the Cloud Run service) cannot invoke Cloud Storage or any other Google-managed APIs. Creating an access level that lists the on-premises CIDR and attaching it to the perimeter lets analysts use the BigQuery UI only when they are on the corporate network. The other options fail to meet one or more requirements: keeping "analytics" outside the perimeter allows data to leave the boundary, merely enabling Private Google Access does not restrict Google API usage, and using CMEK does nothing to stop exfiltration.
Exam domain (GCP Professional Cloud Security Engineer): Securing communications and establishing boundary protection