
Answer-first summary for fast verification
Answer: Use an infrastructure-as-code software tool to set up a single service perimeter and to deploy a Cloud Function that monitors the "implementation" folder via Stackdriver and Cloud Pub/Sub. When the function notices that a new project is added to the folder, it executes Terraform to add the new project to the associated perimeter.
The correct answer is C because it uses VPC Service Controls (VPC-SC) to place every project under the folder inside a single service perimeter. A perimeter blocks requests to the protected Google APIs (Cloud Storage, BigQuery and any other service listed as restricted) that cross the perimeter boundary, so a malicious insider or compromised code inside a project cannot copy data to a bucket or dataset in an outside project even with valid IAM credentials, while projects inside the same perimeter keep talking to each other without extra configuration. Option A relies on firewall rules, which govern VPC network traffic between VMs but do nothing about calls to Google APIs, which is where this kind of exfiltration happens. Option B uses access levels from Access Context Manager; access levels are an ingredient of VPC-SC (they describe which callers, IPs or devices may enter a perimeter) but on their own create no perimeter and therefore block no egress. Option D creates three perimeters (dev, staging, prod), which would block cross-environment service access unless perimeter bridges are configured, adding complexity the requirement does not call for. The automation in C keeps the perimeter current: a log sink routes the Cloud Audit Log entry for each project creation under the folder (Stackdriver Logging is now Cloud Logging) to a Pub/Sub topic, and the Cloud Function runs Terraform to add the new project to the perimeter. Two practical caveats: Pub/Sub delivers at least once, so the function must be idempotent, and its service account should hold only the Access Context Manager permissions needed to edit the perimeter, since anything that can publish to the topic can otherwise influence what gets added.
Author: LeetQuiz Editorial Team
As a security administrator, you need to prevent data exfiltration from multiple GCP projects under an "implementation" folder (used for dev, staging, and production workloads) without restricting communication between these projects. What is the recommended approach?
A
Use a Shared VPC to enable communication between all projects, and use firewall rules to prevent data exfiltration.
B
Create access levels in Access Context Manager to prevent data exfiltration, and use a shared VPC for communication between projects.
C
Use an infrastructure-as-code software tool to set up a single service perimeter and to deploy a Cloud Function that monitors the "implementation" folder via Stackdriver and Cloud Pub/Sub. When the function notices that a new project is added to the folder, it executes Terraform to add the new project to the associated perimeter.
D
Use an infrastructure-as-code software tool to set up three different service perimeters for dev, staging, and prod and to deploy a Cloud Function that monitors the "implementation" folder via Stackdriver and Cloud Pub/Sub. When the function notices that a new project is added to the folder, it executes Terraform to add the new project to the respective perimeter.
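The glue that option C describes, written as an added example (not code from the original page or from any Google sample): a Cloud Function handler that decodes the Pub/Sub message carrying a CreateProject audit-log entry, checks that the project really sits under the "implementation" folder, merges its project number into the perimeter's resource list idempotently, and renders the variables a Terraform service-perimeter resource would consume. The folder number, access policy name, restricted-services list and the audit-log field paths are assumptions; confirm the field paths against a real entry in Logs Explorer before deploying, and note that the `terraform apply` side effect is left out so the logic runs offline.

```python
# Added example, not from the original page. Folder id, access policy,
# restricted services and audit-log field paths are assumptions.
import base64
import json
from typing import Dict, List, Optional

IMPLEMENTATION_FOLDER_ID = "111111111111"      # assumed folder number
ACCESS_POLICY = "accessPolicies/222222222222"  # assumed org access policy
PERIMETER_TITLE = "implementation"

# Cloud Logging sink filter that routes project creations under the folder
# to the Pub/Sub topic the function subscribes to (field paths assumed).
LOG_SINK_FILTER = (
    'protoPayload.methodName="CreateProject" AND '
    'protoPayload.request.project.parent.type="folder" AND '
    f'protoPayload.request.project.parent.id="{IMPLEMENTATION_FOLDER_ID}"'
)

# APIs the perimeter protects: data held in these services cannot be read
# from outside the perimeter even by a principal with IAM access.
RESTRICTED_SERVICES = ["storage.googleapis.com", "bigquery.googleapis.com"]


def decode_pubsub_message(event: Dict) -> Dict:
    """A background Cloud Function gets the Pub/Sub body base64-encoded in event['data']."""
    return json.loads(base64.b64decode(event["data"]).decode("utf-8"))


def project_from_log_entry(entry: Dict) -> Optional[str]:
    """Return 'projects/<number>' for a successful CreateProject under the
    implementation folder, else None. The sink filter already narrows the
    stream, but the checks are repeated here because anyone able to publish
    to the topic could otherwise push an arbitrary project into the perimeter."""
    payload = entry.get("protoPayload", {})
    if payload.get("methodName") != "CreateProject":
        return None
    # Audit entries for failed calls carry a non-zero status.code.
    if payload.get("status", {}).get("code", 0) != 0:
        return None
    parent = payload.get("request", {}).get("project", {}).get("parent", {})
    if parent.get("type") != "folder" or parent.get("id") != IMPLEMENTATION_FOLDER_ID:
        return None
    # Perimeters list projects by number, not by id (response field assumed).
    number = payload.get("response", {}).get("projectNumber")
    return f"projects/{number}" if number else None


def merge_perimeter_resources(current: List[str], new: str) -> List[str]:
    """Set union: Pub/Sub delivers at least once, so a redelivered message
    must never produce a duplicate entry in the perimeter."""
    return sorted(set(current) | {new})


def render_tfvars(resources: List[str]) -> str:
    """Variables for a google_access_context_manager_service_perimeter resource."""
    return json.dumps(
        {
            "access_policy": ACCESS_POLICY,
            "perimeter_title": PERIMETER_TITLE,
            "resources": resources,
            "restricted_services": RESTRICTED_SERVICES,
        },
        indent=2,
    )


def handle(event: Dict, current_resources: List[str]) -> Optional[List[str]]:
    """Entry point. Returns the new resource list when the perimeter should
    change, or None when the message should be acked and ignored. A deployed
    function would write render_tfvars(...) next to the Terraform config and
    run `terraform apply`; that side effect is omitted here."""
    resource = project_from_log_entry(decode_pubsub_message(event))
    if resource is None or resource in current_resources:
        return None
    return merge_perimeter_resources(current_resources, resource)


# Constructed sample audit-log entry, shaped after a CreateProject record.
SAMPLE_ENTRY = {
    "protoPayload": {
        "methodName": "CreateProject",
        "request": {"project": {"projectId": "impl-dev-42",
                                "parent": {"type": "folder",
                                           "id": IMPLEMENTATION_FOLDER_ID}}},
        "response": {"projectNumber": "333333333333"},
    },
    "resource": {"type": "project", "labels": {"project_id": "impl-dev-42"}},
}


def sample_event(entry: Dict = SAMPLE_ENTRY) -> Dict:
    """Wrap a log entry the way the Pub/Sub trigger delivers it."""
    return {"data": base64.b64encode(json.dumps(entry).encode("utf-8")).decode("ascii")}


if __name__ == "__main__":
    existing = ["projects/100000000001", "projects/100000000002"]
    print(render_tfvars(handle(sample_event(), existing)))
```

The handler returns None rather than raising for messages it rejects, so Pub/Sub acks them instead of redelivering a poisoned message forever; only a genuine Terraform failure should be allowed to raise and trigger a retry.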