Google Cloud Professional Cloud Architect — Question 117
Your company has sensitive data in Cloud Storage buckets. Data analysts have Identity Access Management (IAM) permissions to read the buckets. You want to prevent data analysts from retrieving the data in the buckets from outside the office network. What should you do?
Answer options
- A. 1. Create a VPC Service Controls perimeter that includes the projects with the buckets. 2. Create an access level with the CIDR of the office network.
- B. 1. Create a firewall rule for all instances in the Virtual Private Cloud (VPC) network for source range. 2. Use the Classless Inter-domain Routing (CIDR) of the office network.
- C. 1. Create a Cloud Function to remove IAM permissions from the buckets, and another Cloud Function to add IAM permissions to the buckets. 2. Schedule the Cloud Functions with Cloud Scheduler to add permissions at the start of business and remove permissions at the end of business.
- D. 1. Create a Cloud VPN to the office network. 2. Configure Private Google Access for on-premises hosts.
Correct answer: A
Explanation
The correct answer is A. A VPC Service Controls perimeter around the projects that hold the buckets blocks calls to the Cloud Storage API from outside the perimeter, even from principals that already hold IAM read permissions; attaching an access level whose condition is the office network's CIDR then admits only requests that originate from that range. Option B is wrong because VPC firewall rules govern traffic to and from VM instances, not access to the Cloud Storage API. Option C introduces unnecessary complexity with scheduled permission changes and ties access to time of day rather than network location. Option D provides private connectivity from the office but does nothing to stop the analysts from reading the buckets from elsewhere.
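The configuration behind option A, written out as an added Terraform example (not part of the original question or Google's material); the organization id, project number and the 203.0.113.0/24 office range are placeholders you would replace with your own values.

```hcl
# Added example: a VPC Service Controls perimeter that fences the Cloud Storage
# API and admits outside callers only from the office network's public CIDR.
# Organization id, project number and the CIDR below are placeholders.

resource "google_access_context_manager_access_policy" "org_policy" {
  parent = "organizations/123456789012" # placeholder organization id
  title  = "org-access-policy"
}

resource "google_access_context_manager_access_level" "office_network" {
  parent = "accessPolicies/${google_access_context_manager_access_policy.org_policy.name}"
  name   = "accessPolicies/${google_access_context_manager_access_policy.org_policy.name}/accessLevels/office_network"
  title  = "office_network"
  basic {
    conditions {
      # Public egress range of the office (placeholder, TEST-NET-3 documentation range).
      ip_subnetworks = ["203.0.113.0/24"]
    }
  }
}

resource "google_access_context_manager_service_perimeter" "sensitive_buckets" {
  parent = "accessPolicies/${google_access_context_manager_access_policy.org_policy.name}"
  name   = "accessPolicies/${google_access_context_manager_access_policy.org_policy.name}/servicePerimeters/sensitive_buckets"
  title  = "sensitive_buckets"
  status {
    # Project(s) that hold the sensitive buckets (placeholder project number).
    resources = ["projects/987654321098"]
    # Only the Cloud Storage API is restricted by this perimeter.
    restricted_services = ["storage.googleapis.com"]
    # Requests from outside the perimeter succeed only if they satisfy this level;
    # IAM permissions are still evaluated on top of the perimeter check.
    access_levels = [google_access_context_manager_access_level.office_network.name]
  }
}
```

The CIDR must be the office's public egress range as seen by Google's API front end, not an internal RFC 1918 range. Because the perimeter also blocks callers from Google Cloud projects that are not inside it, roll it out in dry-run mode first and review the denied requests in the audit logs before enforcing.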