GCP Professional Cloud Security Engineer Practice Question
Your security team has enclosed two sensitive finance projects in a VPC Service Controls perimeter called finance-perimeter. Internal staff already access them through an existing high-trust access level. You must now let external consultants, who authenticate as members of the group [email protected], deploy and manage Cloud Run in those projects only between 09:00 and 17:00 UTC. Consultants must remain blocked from BigQuery, Cloud Storage, and every other Google Cloud API inside the perimeter. What should you do?
Add the [email protected] group as members of finance-perimeter and create a bridge perimeter that links a new consultants project, relying on IAM roles to limit them to Cloud Run.
Define a custom access level that requires membership in [email protected] and a request.time between 09:00 and 17:00 UTC, then add an ingress rule to finance-perimeter that allows only run.googleapis.com when this access level is matched.
Reuse the existing high-trust access level and add an egress rule on finance-perimeter that permits run.googleapis.com; leave other services unmodified.
Grant the consultants group the Cloud Run Admin role on the finance projects without changing the service perimeter, because IAM permissions override VPC Service Controls.
Create a dedicated, least-privilege access path for the consultants. A custom Access Context Manager access level can restrict requests to principals in the [email protected] group and check request.time to enforce the 09:00-17:00 UTC window. Attaching that access level to an ingress policy on finance-perimeter that lists only run.googleapis.com means that matching requests from outside the perimeter are forwarded solely to the Cloud Run Admin API, while all other Google APIs (such as BigQuery and Cloud Storage) remain protected by the perimeter's default deny behavior. Adding the group as perimeter members, using a bridge perimeter, changing egress rules, or relying on IAM alone would either over-grant access or fail to bypass the perimeter.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
What is VPC Service Controls and how does it secure sensitive data?
Open an interactive chat with Bash
How does Access Context Manager work to create access levels?
Open an interactive chat with Bash
Why is an ingress rule necessary within a VPC Service Controls perimeter?
Open an interactive chat with Bash
What is VPC Service Controls in Google Cloud?
Open an interactive chat with Bash
How does Access Context Manager work to enforce security in Google Cloud?
Open an interactive chat with Bash
What is the difference between ingress rules and egress rules in VPC Service Controls?
Open an interactive chat with Bash
GCP Professional Cloud Security Engineer
Configuring Access
Your Score:
Report Issue
Bash, the Crucial Exams Chat Bot
AI Bot
Loading...
Loading...
Loading...
Pass with Confidence.
IT & Cybersecurity Package
You have hit the limits of our free tier, become a Premium Member today for unlimited access.
Military, Healthcare worker, Gov. employee or Teacher? See if you qualify for a Community Discount.
Monthly
$19.99 $11.99
$11.99/mo
Billed monthly, Cancel any time.
$19.99 after promotion ends
3 Month Pass
$44.99 $26.99
$8.99/mo
One time purchase of $26.99, Does not auto-renew.
$44.99 after promotion ends
Save $18!
MOST POPULAR
Annual Pass
$119.99 $71.99
$5.99/mo
One time purchase of $71.99, Does not auto-renew.
$119.99 after promotion ends
Save $48!
BEST DEAL
Lifetime Pass
$189.99 $113.99
One time purchase, Good for life.
Save $76!
What You Get
All IT & Cybersecurity Package plans include the following perks and exams .