GCP Professional Cloud Security Engineer Practice Question

Your security team must allow the external vendor support group ([email protected] Google Group) to query a sensitive BigQuery dataset in the prod-analytics project, but only when requests come from the vendor's on-premises public CIDR range 203.0.113.0/24 and only on weekdays between 09:00 and 17:00 (America/New_York). The organization wants to avoid adding new proxy or networking components and must follow the principle of least privilege. Which approach best meets these requirements?

Create a VPC Service Controls perimeter around the prod-analytics project and allow ingress only from 203.0.113.0/24 during business hours.
Define a custom BigQuery Viewer role, assign it to the [email protected] group, and require users to access the dataset through Cloud Identity-Aware Proxy restricted to the vendor's IP range and schedule.
Configure an Access Context Manager service perimeter that specifies the vendor's IP range and business-hours access level, then grant the [email protected] group the BigQuery Data Viewer role at the project level without additional conditions.
Add an IAM policy binding on the dataset that grants the BigQuery Data Viewer role to the [email protected] group with a condition limiting access to requests from 203.0.113.0/24 and to times between 09:00 and 17:00 on weekdays.

Report Issue

Answer Description

Google Cloud IAM Conditions let you attach an attribute-based Boolean expression to an individual role binding. The condition language supports both request.ip and request.time attributes, so you can restrict the BigQuery Data Viewer role to apply only when the caller's source IP is within 203.0.113.0/24 and the access time falls between 09:00 and 17:00 on weekdays. This enforces the required constraints while granting the minimal BigQuery Data Viewer permissions to the vendor group and does not require any additional infrastructure.

VPC Service Controls service perimeters restrict data egress but cannot enforce time-of-day constraints. Identity-Aware Proxy governs web access to applications, not direct BigQuery API calls, and a custom role without conditions would lack the necessary contextual controls. Access Context Manager service perimeters also cannot grant BigQuery IAM roles; they only define network and device restrictions for requests that are already authorized by IAM, so they would still need an IAM binding with the proper condition. Therefore, an IAM conditional role binding is the correct and most straightforward solution.

Ask Bash

Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.