GCP Professional Cloud Security Engineer Practice Question
Your security team must prevent accidental or malicious data exfiltration during Vertex AI custom training jobs that read images from Cloud Storage and labels from a BigQuery dataset. CI/CD pipelines in another Google Cloud project within the same organization still need to trigger those training jobs programmatically. What should you implement to block any calls to Vertex AI, Cloud Storage, or BigQuery that come from outside approved projects while permitting the pipelines to continue working?
Enable Private Service Connect on the Vertex AI endpoint and block all other egress routes from the training VPC network.
Attach Cloud NAT to the training VMs and configure egress firewall rules that restrict traffic to Google API IP ranges only.
Encrypt the training data with customer-managed encryption keys (CMEK) and grant the Vertex AI runtime service account the Cloud KMS CryptoKey Decrypter role.
Create a VPC Service Controls service perimeter that covers the Vertex AI API, the Cloud Storage buckets, and the BigQuery dataset, and add the CI/CD pipeline's project to the same perimeter (or link it with a perimeter bridge and an ingress rule for the pipeline's service account).
Configure VPC Service Controls: create a service perimeter that contains the training project and lists the Vertex AI (aiplatform.googleapis.com), Cloud Storage, and BigQuery APIs as restricted services. A perimeter is defined at the project level, so the buckets and the BigQuery dataset are protected because the project that holds them is inside the perimeter; any call to a restricted service that originates outside the perimeter is rejected, regardless of the caller's IAM permissions. To keep the CI/CD pipelines working, either add the pipeline's project to the same perimeter, put it in its own perimeter and connect the two with a perimeter bridge, or leave it outside and define an ingress rule that allows the pipeline's service account, calling from that project, to invoke the Vertex AI API. This blocks requests originating from outside the trusted projects, mitigating data-exfiltration risk, while still letting the pipelines start training jobs. Private Service Connect, CMEK, and egress firewall rules strengthen security in other ways, but none of them stops data leaving through an authorized API call: a principal with read access to the bucket or dataset could still copy the data to a resource in a project it controls. Roll the perimeter out in dry-run mode first so the audit logs show what would have been blocked before enforcement is switched on.
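The configuration described above, written out in Terraform as an added example (this is not code from the practice question or from Google). It builds one regular perimeter around the training project, restricts the three APIs, and admits the pipeline's service account through an ingress rule instead of adding the CI/CD project to the perimeter. The organization ID, the two project numbers, and the service-account email are placeholders assumed for illustration.

```hcl
# Added example, not part of the original question. All IDs below are assumed placeholders.
locals {
  org_id           = "123456789012"          # assumed organization ID
  training_project = "projects/111111111111" # assumed training project NUMBER (not ID)
  cicd_project     = "projects/222222222222" # assumed CI/CD project NUMBER
  cicd_sa          = "serviceAccount:cicd-runner@cicd-project.iam.gserviceaccount.com" # assumed

  restricted = [
    "aiplatform.googleapis.com", # Vertex AI
    "storage.googleapis.com",    # Cloud Storage (training images)
    "bigquery.googleapis.com",   # BigQuery (labels)
  ]
}

# One access policy per organization; service perimeters are created under it.
resource "google_access_context_manager_access_policy" "policy" {
  parent = "organizations/${local.org_id}"
  title  = "ml-training-policy"
}

resource "google_access_context_manager_service_perimeter" "training" {
  parent         = "accessPolicies/${google_access_context_manager_access_policy.policy.name}"
  name           = "accessPolicies/${google_access_context_manager_access_policy.policy.name}/servicePerimeters/training_perimeter"
  title          = "training_perimeter"
  perimeter_type = "PERIMETER_TYPE_REGULAR"

  # "status" is the enforced configuration. To test first, move this block to
  # "spec" and set use_explicit_dry_run_spec = true; violations are then only logged.
  status {
    # Perimeters contain projects, not individual buckets or datasets: the
    # buckets and the BigQuery dataset are protected because their project is here.
    resources = [local.training_project]

    # These APIs accept calls only from inside the perimeter or via an ingress rule.
    restricted_services = local.restricted

    # Workloads on the training project's VPC may reach only the restricted
    # services, so data cannot be pushed out through some unrestricted API.
    vpc_accessible_services {
      enable_restriction = true
      allowed_services   = local.restricted
    }

    # Ingress rule: the pipeline's service account, calling from the CI/CD
    # project, may invoke Vertex AI to start training jobs. No other outside
    # caller is admitted, and with no egress rule the training job cannot write
    # to Cloud Storage or BigQuery resources that live outside the perimeter.
    ingress_policies {
      ingress_from {
        identities = [local.cicd_sa]
        sources {
          resource = local.cicd_project
        }
      }
      ingress_to {
        resources = [local.training_project]
        operations {
          service_name = "aiplatform.googleapis.com"
          method_selectors {
            method = "*"
          }
        }
      }
    }
  }
}
```

If the CI/CD project already sits in a perimeter of its own, the alternative the question mentions is a bridge: a second `google_access_context_manager_service_perimeter` with `perimeter_type = "PERIMETER_TYPE_BRIDGE"` whose `status.resources` lists both project numbers. A bridge lets every restricted service flow both ways between the two projects, so the ingress rule above is the tighter choice when the pipeline only needs to call Vertex AI. Use project numbers, not project IDs, in `resources`; VPC Service Controls rejects project IDs.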