Google Professional Data Engineer
NO.1 The Development and External teams nave the project viewer Identity and Access Management (IAM) role m a folder named Visualization. You want the Development Team to be able to read data from both Cloud Storage and BigQuery, but the External Team should only be able to read data from BigQuery. What should you do?
[Image blocked: Diagram showing on-premises Development Team and External Team connecting to Google Cloud Platform projects with Cloud Storage and BigQuery resources]
Real Exam
Community
LLeetQuiz
Explanation:
Explanation
VPC Service Controls provides an additional layer of security beyond IAM by creating security perimeters around Google Cloud resources. Here's why option C is correct:
- VPC Service Controls perimeter: Creates a security boundary around both projects
- BigQuery as restricted API: Allows access to BigQuery services within the perimeter
- External Team users added to perimeter's Access Level: This ensures the External Team can only access services within the perimeter (BigQuery) and not Cloud Storage
This solution achieves the requirement:
- Development Team: Can access both Cloud Storage and BigQuery (they have project viewer role and are not restricted by the perimeter)
- External Team: Can only access BigQuery (restricted by the VPC Service Controls perimeter from accessing Cloud Storage)
Other options are incorrect:
- Option A: Just removing IAM permissions doesn't provide the same level of security boundary
- Option B: VPC firewall rules control network traffic, not API-level access to specific services
- Option D: This would restrict Development Team from accessing Cloud Storage, which contradicts the requirement