Google Professional Cloud Security Engineer
Get started today
Ultimate access to all questions.
Comments
Loading comments...
Ultimate access to all questions.
You are managing a Google Cloud organization with a single Access Context Manager policy for multiple projects across different regions. A new folder will contain two projects handling protected health information (PHI) for US customers. These projects require separate management and stricter security controls. You need to configure VPC Service Controls for this new folder to enforce that only personnel located in the US can access the projects and that Google Cloud API access is restricted exclusively to BigQuery and Cloud Storage. What is the required configuration?
A
• Create a scoped access policy, add the new folder under “Select resources to include in the policy,” and assign an administrator under “Manage principals.” • For the service perimeter, specify the two new projects as “Resources to protect” in the service perimeter configuration. • Set “Restricted services” to “all services,” set “VPC accessible services” to “Selected services,” and specify only BigQuery and Cloud Storage under “Selected services.”
B
• Enable Identity Aware Proxy in the new projects. • Create an Access Context Manager access level with an “IP Subnetworks” attribute condition set to the US-based corporate IP range. • Enable the “Restrict Resource Service Usage” organization policy at the new folder level with an “Allow” policy type and set both “storage.googleapis.com” and “bigquery.googleapis.com” under “Custom values.”
C
• Edit the organization-level access policy and add the new folder under “Select resources to include in the policy.” • Specify the two new projects as “Resources to protect” in the service perimeter configuration. • Set “Restricted services” to “all services,” set “VPC accessible services” to “Selected services,” and specify only BigQuery and Cloud Storage. • Edit the existing access level to add a “Geographic locations” condition set to “US.”
D
• Configure a Cloud Interconnect connection or a Virtual Private Network (VPN) between the on-premises environment and the Google Cloud organization. • Configure the VPC firewall policies within the new projects to only allow connections from the on-premises IP address range. • Enable the Restrict Resource Service Usage organization policy on the new folder with an “Allow” policy type, and set both “storage.googleapis.com” and “bigquery.googleapis.com” under “Custom values.”