
Answer-first summary for fast verification
Answer: Create a scoped policy on the folder with a service perimeter to restrict BigQuery access. Assign the data analytics team the Access Context Manager Editor role on the scoped policy to allow the team to configure the scoped policy.
Option B is the correct choice because it uses a scoped policy with a service perimeter, which allows applying VPC Service Controls specifically to the folder level as required. This approach restricts BigQuery access for the folder and its projects while enabling the data analytics team to manage these restrictions exclusively at the folder level through the Access Context Manager Editor role.
Option A is incorrect because organization-level access policies apply restrictions across the entire organization, not just the specific folder.
Option C is unsuitable as hierarchical firewall policies control network traffic, not service-level access like BigQuery.
Option D is incorrect because the Restrict Resource Service Usage organization policy constraint manages which services can be enabled, not access restrictions to already enabled services like BigQuery.
The community discussion strongly supports B with 100% consensus and detailed reasoning about scoped policies and service perimeters being the appropriate mechanism for folder-level service access control.
Author: LeetQuiz Editorial Team
You are implementing service communication restrictions in your Google Cloud organization. Your data analytics team operates within a dedicated folder. You need to ensure that access to BigQuery is restricted for that folder and its projects. The data analytics team must be able to manage these restrictions exclusively at the folder level. What should you do?
A. Create an organization-level access policy with a service perimeter to restrict BigQuery access. Assign the data analytics team the Access Context Manager Editor role on the access policy to allow the team to configure the access policy.
B. Create a scoped policy on the folder with a service perimeter to restrict BigQuery access. Assign the data analytics team the Access Context Manager Editor role on the scoped policy to allow the team to configure the scoped policy.
C. Define a hierarchical firewall policy on the folder to deny BigQuery access. Assign the data analytics team the Compute Organization Firewall Policy Admin role to allow the team to configure rules for the firewall policy.
D. Enforce the Restrict Resource Service Usage organization policy constraint on the folder to restrict BigQuery access. Assign the data analytics team the Organization Policy Administrator role to allow the team to manage exclusions within the folder.