
Answer-first summary for fast verification
Answer: Create a VPC Service Controls perimeter containing both projects and BigQuery as a restricted API. Add the External Team users to the perimeter's Access Level
## Explanation

VPC Service Controls provides an additional layer of security beyond IAM by creating security perimeters around Google Cloud resources. Here's why option C is correct:

- **VPC Service Controls perimeter**: creates a security boundary around both projects
- **BigQuery as restricted API**: allows access to BigQuery services within the perimeter
- **External Team users added to the perimeter's Access Level**: ensures the External Team can only access services within the perimeter (BigQuery) and not Cloud Storage

This solution achieves the requirement:

- **Development Team**: can access both Cloud Storage and BigQuery (they have the project viewer role and are not restricted by the perimeter)
- **External Team**: can only access BigQuery (the VPC Service Controls perimeter restricts them from accessing Cloud Storage)

Other options are incorrect:

- **Option A**: just removing IAM permissions doesn't provide the same level of security boundary
- **Option B**: VPC firewall rules control network traffic, not API-level access to specific services
- **Option D**: this would restrict the Development Team from accessing Cloud Storage, which contradicts the requirement
Author: LeetQuiz
NO.1 The Development and External teams have the project viewer Identity and Access Management (IAM) role in a folder named Visualization. You want the Development Team to be able to read data from both Cloud Storage and BigQuery, but the External Team should only be able to read data from BigQuery. What should you do?
[Image blocked: Diagram showing on-premises Development Team and External Team connecting to Google Cloud Platform projects with Cloud Storage and BigQuery resources]
A. Remove Cloud Storage IAM permissions for the External Team on the acme-raw-data project
B. Create Virtual Private Cloud (VPC) firewall rules on the acme-raw-data project that deny all ingress traffic from the External Team CIDR range
C. Create a VPC Service Controls perimeter containing both projects and BigQuery as a restricted API. Add the External Team users to the perimeter's Access Level
D. Create a VPC Service Controls perimeter containing both projects and Cloud Storage as a restricted API. Add the Development Team users to the perimeter's Access Level