Google Cloud Professional Cloud Security Engineer — Question 106
You have a highly sensitive BigQuery workload that contains personally identifiable information (PII) that you want to ensure is not accessible from the internet. To prevent data exfiltration, only requests from authorized IP addresses are allowed to query your BigQuery tables.
What should you do?
Answer options
- A. Use a service perimeter and create an access level based on the authorized source IP address as the condition.
- B. Use Google Cloud Armor security policies defining an allowlist of authorized IP addresses at the global HTTPS load balancer.
- C. Use the Restrict Resource Service Usage organization policy constraint along with Cloud Data Loss Prevention (DLP).
- D. Use the Restrict allowed Google Cloud APIs and services organization policy constraint along with Cloud Data Loss Prevention (DLP).
Correct answer: A
Explanation
The correct answer is A. A service perimeter defines a boundary around your sensitive workloads, and an access level attached to it controls access based on source IP address, which effectively prevents unauthorized access. Option B does not directly protect BigQuery: it applies to HTTP traffic at the load balancer. Options C and D are general governance policies that do not specifically address IP-based access restrictions.