Google Cloud Professional Cloud Architect — Question 181
Your company has a Google Cloud project that uses BigQuery for data warehousing. The VPN tunnel between the on-premises environment and Google Cloud is configured with Cloud VPN. Your security team wants to avoid data exfiltration by malicious insiders, compromised code, and accidental oversharing. What should you do?
Answer options
- A. Configure Private Service Connect.
- B. Configure VPC Service Controls and configure Private Google Access for on-premises hosts.
- C. Create a service account, grant the BigQuery JobUser role and Storage Object Viewer role to the service account, and remove all other Identity and Access Management (IAM) access from the project.
- D. Configure Private Google Access.
Correct answer: B
Explanation
The correct answer is B: configuring VPC Service Controls helps establish a security perimeter around your Google Cloud resources, reducing the risk of data exfiltration. Option A does not provide the same level of security for data access, option C limits access too much and may hinder necessary operations, and option D does not offer the robust protection against data leaks that VPC Service Controls does.