
Answer-first summary for fast verification
Answer: Use service perimeter and create an access level based on the authorized source IP address as the condition.
Option A is the optimal solution because it uses VPC Service Controls with a service perimeter and IP-based access levels to create a security boundary that prevents data exfiltration by restricting BigQuery access to authorized IP addresses only. This approach provides strong network-level isolation and prevents internet access to sensitive PII data. Option B (Google Cloud Armor) is designed for load balancer protection and doesn't directly secure BigQuery data access. Options C and D use organization policies with DLP, which focus on data classification and API restrictions but don't provide the same level of IP-based access control for preventing unauthorized internet access to BigQuery tables. The community discussion strongly favors option A with 100% consensus and multiple upvotes, highlighting its effectiveness in creating boundaries that control access to Google Cloud resources.
Author: LeetQuiz Editorial Team
You have a BigQuery workload containing sensitive personally identifiable information (PII) that must not be accessible from the internet. To prevent data exfiltration, you need to ensure only queries from authorized IP addresses can access your BigQuery tables.
What should you do?
A. Use service perimeter and create an access level based on the authorized source IP address as the condition.
B. Use Google Cloud Armor security policies defining an allowlist of authorized IP addresses at the global HTTPS load balancer.
C. Use the Restrict Resource Service Usage organization policy constraint along with Cloud Data Loss Prevention (DLP).
D. Use the Restrict allowed Google Cloud APIs and services organization policy constraint along with Cloud Data Loss Prevention (DLP).