GCP Professional Cloud Security Engineer Practice Question
Your security team is rolling out context-aware access for an internal dashboard that is protected by Identity-Aware Proxy (IAP). Access must be granted only when all of the following conditions are simultaneously true:
The request originates from the corporate IPv4/IPv6 ranges 203.0.113.0/24 and 2001:db8:cafe::/48.
The user is on a company-managed device that is encrypted, has a screen-lock, and is running an up-to-date operating system.
The request is sent Monday through Friday between 08:00 and 18:00 in the Europe/Paris time zone.
You want a solution that minimises future maintenance while keeping the configuration readable for auditors. How should you implement the access level that will be added to the IAP-secured resource policy?
Create a basic access level for the IP ranges and device policy, then configure an IAM-based conditional role binding on the IAP-secured backend to refuse access outside business hours.
Create two basic access levels, one specifying the corporate IP subnets and another specifying the device policy, and list them both in the resource's required access levels; ignore the time window because basic levels do not support it.
Create a basic access level for the IP ranges, a second basic access level for the device policy, and a third basic access level for the time window; then use required_access_levels in each level to chain all three together.
Create one custom (advanced) access level that uses a single Common Expression Language (CEL) Boolean expression to combine the IP subnet match, the required device.* attributes, and a time-of-day check.
The requirement can be met with a single custom (advanced) access level in Access Context Manager. A custom level lets you express all three access constraints in one CEL boolean expression:
Because the custom level is evaluated as a single object, there is no need to create or chain multiple basic levels. The other options either lose the time-of-day condition (basic levels cannot express it), separate the logic into multiple levels (harder to audit and maintain), or attempt to enforce device attributes in IAP rather than Access Context Manager, which is unsupported.
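The three conditions can be modelled locally to check boundary cases (the 18:00 cut-off, daylight-saving changes, IPv6 sources) before the policy is written. This is an added example, not the page's CEL expression and not Access Context Manager code; the Device flags and function names are hypothetical, and treating 18:00 as outside the window is an assumption.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from ipaddress import ip_address, ip_network

# Corporate ranges from the question.
CORP_NETS = [ip_network("203.0.113.0/24"), ip_network("2001:db8:cafe::/48")]


@dataclass(frozen=True)
class Device:
    # Hypothetical posture flags standing in for the device.* attributes.
    company_managed: bool
    encrypted: bool
    screen_lock: bool
    os_up_to_date: bool


def ip_ok(src: str) -> bool:
    addr = ip_address(src)
    return any(addr.version == n.version and addr in n for n in CORP_NETS)


def device_ok(d: Device) -> bool:
    return d.company_managed and d.encrypted and d.screen_lock and d.os_up_to_date


def paris_local(utc: datetime) -> datetime:
    # Europe/Paris follows the EU rule: UTC+2 from 01:00 UTC on the last Sunday
    # of March to 01:00 UTC on the last Sunday of October, otherwise UTC+1.
    # Inlined so the example needs no tz database; zoneinfo is the usual choice.
    def last_sunday(month: int) -> datetime:
        d = datetime(utc.year, month, 31, 1, tzinfo=timezone.utc)
        return d - timedelta(days=(d.weekday() + 1) % 7)
    summer = last_sunday(3) <= utc < last_sunday(10)
    return utc + timedelta(hours=2 if summer else 1)


def time_ok(utc: datetime) -> bool:
    if utc.tzinfo is None:
        raise ValueError("pass a timezone-aware UTC datetime")
    local = paris_local(utc.astimezone(timezone.utc))
    # Monday=0 .. Friday=4; 18:00 itself is treated as outside the window.
    return local.weekday() < 5 and 8 <= local.hour < 18


def access_granted(src: str, device: Device, utc: datetime) -> bool:
    # All three conditions must hold at once, as in the single expression.
    return ip_ok(src) and device_ok(device) and time_ok(utc)
```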
GCP Professional Cloud Security Engineer
Securing communications and establishing boundary protection