Google Professional Data Engineer
Get started today
Ultimate access to all questions.
Deep dive into the quiz with AI chat providers.
We prepare a focused prompt with your quiz and certificate details so each AI can offer a more tailored, in-depth explanation.
NO.25 Your organization has two Google Cloud projects, project A and project B. In project A, you have a Pub/Sub topic that receives data from confidential sources. Only the resources in project A should be able to access the data in that topic. You want to ensure that project B and any future project cannot access data in the project A topic. What should you do?
Real Exam
Community
LLeetQuiz
A
Configure VPC Service Controls in the organization with a perimeter around the VPC of project A.
B
Add firewall rules in project A so only traffic from the VPC in project A is permitted.
C
Configure VPC Service Controls in the organization with a perimeter around project A.
D
Use Identity and Access Management conditions to ensure that only users and service accounts in project A can access resources in project.
Explanation:
Explanation:
Option D is the correct solution using IAM conditions:
Why IAM Conditions are the right approach:
- Resource-level access control - IAM directly controls access to Pub/Sub topics
- Project-based restrictions - Can specify that only resources from project A can access
- Future-proof - Automatically prevents any new projects from accessing
- Fine-grained control - Can set conditions based on project, service account, or other attributes
Why other options don't work:
- Option A & C: VPC Service Controls don't apply to Pub/Sub as it's not VPC-bound
- Option B: Firewall rules control network traffic, not Pub/Sub topic access
IAM Implementation:
- Use IAM conditions with
resourcemanager.projects.idattribute - Restrict access to only service accounts/users from project A
- This provides the most direct and effective access control for Pub/Sub resources
Comments
Loading comments...