
Answer-first summary for fast verification
Answer: • Edit the organization-level access policy and add the new folder under “Select resources to include in the policy.” • Specify the two new projects as “Resources to protect” in the service perimeter configuration. • Set “Restricted services” to “all services,” set “VPC accessible services” to “Selected services,” and specify only BigQuery and Cloud Storage. • Edit the existing access level to add a “Geographic locations” condition set to “US.”
Option C is correct because it satisfies every requirement. (1) Editing the existing organization-level access policy and adding the new folder under “Select resources to include in the policy” keeps VPC Service Controls managed centrally in the single policy the organization already uses, while the perimeter below applies the stricter controls only to the PHI projects. (2) Specifying the two new projects as “Resources to protect” puts them, and only them, inside the service perimeter. (3) Setting “Restricted services” to “all services” places every supported Google Cloud API under the perimeter’s protection, and setting “VPC accessible services” to “Selected services” with only BigQuery and Cloud Storage limits the Google APIs reachable from networks inside the perimeter to those two. (4) Adding a “Geographic locations” condition set to “US” to the access level the perimeter uses means requests are admitted only when they originate from the US. Access Context Manager evaluates this attribute against the region of the request’s source IP address, so what is checked is the origin of the request, not the caller’s identity; “US-based personnel” in practice means “requests coming from the US”. Because an access level can be referenced by more than one perimeter, check which other perimeters already use the existing level before adding the condition: the US restriction applies to them as well. Option A is incorrect: a scoped access policy does give the folder delegated administration, but the configuration never adds a US geographic condition, so the location requirement is not met. Option B is incorrect: Identity-Aware Proxy protects applications, not Google Cloud API access; an “IP Subnetworks” condition ties access to a corporate IP range rather than to a geographic region; and the “Restrict Resource Service Usage” organization policy limits which services can be used in the folder’s resources but does not create a service perimeter around the projects’ data or enforce location. Option D is incorrect for similar reasons: Cloud Interconnect or a VPN plus VPC firewall rules control network paths into the projects’ VPC networks, but Google Cloud APIs remain reachable from outside those networks, so firewall rules neither restrict API access nor enforce a geographic boundary.
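The following is an added example for this page, not code from LeetQuiz or from Google. It audits a perimeter and its access level for the two requirements in the question (US-only access, and only BigQuery and Cloud Storage reachable as Google APIs from inside the perimeter), using constructed sample data shaped like the JSON that `gcloud access-context-manager perimeters describe --format=json` and `gcloud access-context-manager levels describe --format=json` return. The policy id, project numbers, and resource names (`corp_users`, `phi_perimeter`) are assumed. It contrasts option A (access level without a region condition) and an “All services” VPC accessible services setting with the option C configuration, and it also handles an edge case the page does not spell out: a basic access level whose conditions are combined with OR does not enforce the region unless every condition carries it.

```python
"""Audit a VPC Service Controls configuration against the two requirements
in the question: only US-originated requests are admitted, and only BigQuery
and Cloud Storage are reachable as Google APIs from inside the perimeter.

Added example for this page, not code from LeetQuiz or Google. The dicts are
constructed sample data shaped like the JSON returned by
`gcloud access-context-manager perimeters describe --format=json` and
`gcloud access-context-manager levels describe --format=json`; the policy id,
project numbers and resource names are made up.
"""
import copy
from typing import Dict, List

REQUIRED_REGION = "US"
ALLOWED_APIS = {"bigquery.googleapis.com", "storage.googleapis.com"}
PHI_PROJECTS = {"projects/111111111111", "projects/222222222222"}

POLICY = "accessPolicies/123456789"                 # assumed policy id
LEVEL_NAME = f"{POLICY}/accessLevels/corp_users"    # assumed level name

# The existing organization-level access level as option A would leave it.
LEVEL_BEFORE = {"name": LEVEL_NAME, "basic": {"conditions": [
    {"ipSubnetworks": ["203.0.113.0/24"]},
]}}
# The same level after option C adds "Geographic locations: US". Conditions
# in a basic level are combined with AND unless combiningFunction says OR.
LEVEL_AFTER = {"name": LEVEL_NAME, "basic": {"conditions": [
    {"ipSubnetworks": ["203.0.113.0/24"]},
    {"regions": ["US"]},
]}}

# Perimeter as configured in option C. The Console's "all services" expands
# to the full list of VPC SC-supported APIs; three are listed here to keep
# the constructed sample short.
PERIMETER = {
    "name": f"{POLICY}/servicePerimeters/phi_perimeter",
    "perimeterType": "PERIMETER_TYPE_REGULAR",
    "status": {
        "resources": sorted(PHI_PROJECTS),
        "restrictedServices": ["bigquery.googleapis.com",
                               "storage.googleapis.com",
                               "compute.googleapis.com"],
        "vpcAccessibleServices": {"enableRestriction": True,
                                  "allowedServices": sorted(ALLOWED_APIS)},
        "accessLevels": [LEVEL_NAME],
    },
}

# Same perimeter with VPC accessible services left at "All services".
WEAK_PERIMETER = copy.deepcopy(PERIMETER)
WEAK_PERIMETER["status"]["vpcAccessibleServices"] = {"enableRestriction": False}


def level_requires_region(level: dict, region: str) -> bool:
    """True if every request admitted by this basic access level must come
    from `region`. With AND (the default) one region condition is enough;
    with OR every condition must carry it, or another branch admits a
    request from elsewhere."""
    basic = level.get("basic", {})
    conds = basic.get("conditions", [])
    if not conds:
        return False
    hits = [region in c.get("regions", []) and not c.get("negate", False)
            for c in conds]
    if basic.get("combiningFunction", "AND") == "AND":
        return any(hits)
    return all(hits)


def audit(perimeter: dict, levels: Dict[str, dict]) -> List[str]:
    """Return findings; an empty list means both requirements are met."""
    findings: List[str] = []
    status = perimeter.get("status", {})

    missing = PHI_PROJECTS - set(status.get("resources", []))
    if missing:
        findings.append(f"PHI projects not protected: {sorted(missing)}")

    if not ALLOWED_APIS <= set(status.get("restrictedServices", [])):
        findings.append("BigQuery/Storage are not restricted services")

    vas = status.get("vpcAccessibleServices", {})
    if not vas.get("enableRestriction", False):
        findings.append("VPC accessible services is not restricted")
    else:
        extra = set(vas.get("allowedServices", [])) - ALLOWED_APIS
        if extra:
            findings.append(f"extra VPC accessible services: {sorted(extra)}")

    attached = status.get("accessLevels", [])
    if not attached:
        findings.append("no access level attached; external access is blocked")
    for name in attached:
        lvl = levels.get(name)
        if lvl is None or not level_requires_region(lvl, REQUIRED_REGION):
            findings.append(f"{name} does not require region {REQUIRED_REGION}")
    return findings


if __name__ == "__main__":
    for label, p, l in [("option C", PERIMETER, LEVEL_AFTER),
                        ("option A", PERIMETER, LEVEL_BEFORE),
                        ("open VPC services", WEAK_PERIMETER, LEVEL_AFTER)]:
        print(label, audit(p, {LEVEL_NAME: l}) or "OK")
```

To produce the option C configuration from the CLI instead of the Console, the corresponding commands (with the assumed names from the block; confirm the flags against `gcloud access-context-manager --help` for your SDK version) are `gcloud access-context-manager levels update corp_users --policy=123456789 --basic-level-spec=spec.yaml`, where `spec.yaml` lists the level’s existing conditions plus a `- regions: [US]` entry because the spec file replaces the whole condition list, and `gcloud access-context-manager perimeters update phi_perimeter --policy=123456789 --add-resources=projects/111111111111,projects/222222222222 --enable-vpc-accessible-services --add-vpc-allowed-services=bigquery.googleapis.com,storage.googleapis.com --add-access-levels=corp_users`. Run the audit over the real `describe` output afterwards rather than trusting the Console summary.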
Author: LeetQuiz Editorial Team
You are managing a Google Cloud organization with a single Access Context Manager policy for multiple projects across different regions. A new folder will contain two projects handling protected health information (PHI) for US customers. These projects require separate management and stricter security controls. You need to configure VPC Service Controls for this new folder to enforce that only personnel located in the US can access the projects and that Google Cloud API access is restricted exclusively to BigQuery and Cloud Storage. What is the required configuration?
A
• Create a scoped access policy, add the new folder under “Select resources to include in the policy,” and assign an administrator under “Manage principals.” • For the service perimeter, specify the two new projects as “Resources to protect” in the service perimeter configuration. • Set “Restricted services” to “all services,” set “VPC accessible services” to “Selected services,” and specify only BigQuery and Cloud Storage under “Selected services.”
B
• Enable Identity Aware Proxy in the new projects. • Create an Access Context Manager access level with an “IP Subnetworks” attribute condition set to the US-based corporate IP range. • Enable the “Restrict Resource Service Usage” organization policy at the new folder level with an “Allow” policy type and set both “storage.googleapis.com” and “bigquery.googleapis.com” under “Custom values.”
C
• Edit the organization-level access policy and add the new folder under “Select resources to include in the policy.” • Specify the two new projects as “Resources to protect” in the service perimeter configuration. • Set “Restricted services” to “all services,” set “VPC accessible services” to “Selected services,” and specify only BigQuery and Cloud Storage. • Edit the existing access level to add a “Geographic locations” condition set to “US.”
D
• Configure a Cloud Interconnect connection or a Virtual Private Network (VPN) between the on-premises environment and the Google Cloud organization. • Configure the VPC firewall policies within the new projects to only allow connections from the on-premises IP address range. • Enable the Restrict Resource Service Usage organization policy on the new folder with an “Allow” policy type, and set both “storage.googleapis.com” and “bigquery.googleapis.com” under “Custom values.”