How can you restrict access to a Cloud Storage bucket containing sensitive data in Google Cloud project XYZ, so that only instances within VPCs belonging to project XYZ can access the bucket's contents?
A. Configure Private Google Access to privately access the Cloud Storage service using private IP addresses.
B. Configure a VPC Service Controls perimeter around project XYZ, and include storage.googleapis.com as a restricted service in the service perimeter.
C. Configure Cloud Storage with a projectPrivate Access Control List (ACL) that gives permission to the project team based on their roles.
D. Configure Private Service Connect to privately access Cloud Storage from all VPCs under project XYZ.
Explanation:
The correct answer is B. A VPC Service Controls perimeter around project XYZ, with storage.googleapis.com listed as a restricted service, restricts access to the Cloud Storage bucket to resources inside the perimeter. Only instances in VPCs under project XYZ can therefore read the data, even when a caller outside the perimeter presents valid credentials.
VPC Service Controls (B) enforce this isolation at the network boundary rather than through IAM or ACLs alone, which is why it is the correct solution.