Google Cloud Professional Cloud Security Engineer — Question 143
You manage one of your organization's Google Cloud projects (Project A). A VPC Service Control (SC) perimeter is blocking API access requests to this project, including Pub/Sub. A resource running under a service account in another project (Project B) needs to collect messages from a Pub/Sub topic in your project. Project B is not included in a VPC SC perimeter. You need to provide access from Project B to the Pub/Sub topic in Project A using the principle of least privilege.
What should you do?
Answer options
- A. Configure an ingress policy for the perimeter in Project A, and allow access for the service account in Project B to collect messages.
- B. Create an access level that allows a developer in Project B to subscribe to the Pub/Sub topic that is located in Project A.
- C. Create a perimeter bridge between Project A and Project B to allow the required communication between both projects.
- D. Remove the Pub/Sub API from the list of restricted services in the perimeter configuration for Project A.
Correct answer: A
Explanation
The correct answer is A because an ingress policy lets you admit one specific caller (the service account from Project B, for the Pub/Sub operations it needs) while every other restriction of the VPC SC perimeter stays in force. Option B is incorrect because an access level on its own does not open the perimeter; it only describes conditions on a caller and still has to be referenced by an ingress rule, and granting a developer subscribe access is broader than the service account needs. Option C is not valid because a perimeter bridge joins projects that are each already inside a perimeter, and Project B is not in one. Option D would weaken security by lifting the restriction on the Pub/Sub API for every caller, which is not in line with the principle of least privilege.
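As an added illustration of option A (this is an example written for this explanation, not configuration from the question itself), the following ingress rule for the perimeter around Project A admits only the Project B service account, only from Project B, and only for Pub/Sub subscriber-side methods. The project numbers, the perimeter and policy names, and the service-account address are placeholders.

```yaml
# Added example (not part of the original question): ingress rule for the
# VPC Service Controls perimeter around Project A. All project numbers and
# the service-account address below are placeholders.
- ingressFrom:
    identities:
    # Only this one service account from Project B is admitted (placeholder address).
    - serviceAccount:collector@project-b-id.iam.gserviceaccount.com
    sources:
    # Requests must originate from Project B, which sits outside any perimeter (placeholder number).
    - resource: projects/PROJECT_B_NUMBER
  ingressTo:
    operations:
    # Restrict the allowed API to Pub/Sub, and within it to the subscriber methods
    # needed to collect messages; publishing and topic administration stay blocked.
    - serviceName: pubsub.googleapis.com
      methodSelectors:
      - method: google.pubsub.v1.Subscriber.Pull
      - method: google.pubsub.v1.Subscriber.StreamingPull
      - method: google.pubsub.v1.Subscriber.Acknowledge
      - method: google.pubsub.v1.Subscriber.ModifyAckDeadline
    resources:
    # The rule applies only to Project A inside the perimeter (placeholder number).
    - projects/PROJECT_A_NUMBER
```

The rule is applied to the perimeter with `gcloud access-context-manager perimeters update PERIMETER_NAME --policy=POLICY_ID --set-ingress-policies=ingress.yaml`, where PERIMETER_NAME and POLICY_ID are placeholders for your own perimeter and access policy. Two caveats a practitioner should keep in mind: the ingress rule only lets the request cross the perimeter, so the service account still needs an IAM role such as roles/pubsub.subscriber on the subscription in Project A; and the perimeter's dry-run mode can be used first to confirm in the audit logs that only the intended calls would be admitted before the rule is enforced.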