Google Cloud Professional Cloud Architect — Question 150
Your company has a Google Cloud project that uses BigQuery for data warehousing. They have a VPN tunnel between the on-premises environment and Google Cloud that is configured with Cloud VPN. The security team wants to avoid data exfiltration by malicious insiders, compromised code, and accidental oversharing.
What should they do?
Answer options
- A. Configure Private Google Access for on-premises only.
- B. Perform the following tasks: 1. Create a service account. 2. Give the BigQuery JobUser role and Storage Reader role to the service account. 3. Remove all other IAM access from the project.
- C. Configure VPC Service Controls and configure Private Google Access.
- D. Configure Private Google Access.
Correct answer: C
Explanation
The correct answer is C because VPC Service Controls adds a layer of defense that IAM alone cannot: a service perimeter around the project's Google Cloud resources, including BigQuery, so that data can only be accessed and moved from within the perimeter (here, through Private Google Access over the Cloud VPN tunnel). This directly addresses exfiltration by malicious insiders, compromised code, and accidental oversharing, because even a principal with valid credentials cannot copy data out to a location outside the perimeter. Options A and D are inadequate on their own: Private Google Access only gives private routing to Google APIs and does not restrict where data may flow. Option B is a reasonable IAM hygiene practice, but narrowing roles to a single service account does not prevent that account, or code running as it, from reading BigQuery data and exporting it elsewhere, so it does not meet the stated security requirement.