Google Cloud Professional Cloud Security Engineer — Question 168

You manage a Google Cloud organization with many projects located in various regions around the world. The projects are protected by the same Access Context Manager access policy. You created a new folder that will host two projects that process protected health information (PHI) for US-based customers. The two projects will be separately managed and require stricter protections. You are setting up the VPC Service Controls configuration for the new folder. You must ensure that only US-based personnel can access these projects and restrict Google Cloud API access to only BigQuery and Cloud Storage within these projects. What should you do?

Answer options

• A. • Create a scoped access policy, add the new folder under “Select resources to include in the policy,” and assign an administrator under “Manage principals.” • For the service perimeter, specify the two new projects as “Resources to protect” in the service perimeter configuration. • Set “Restricted services” to “all services,” set “VPC accessible services” to “Selected services,” and specify only BigQuery and Cloud Storage under “Selected services.”
• B. • Enable Identity Aware Proxy in the new projects. • Create an Access Context Manager access level with an “IP Subnetworks” attribute condition set to the US-based corporate IP range. • Enable the “Restrict Resource Service Usage” organization policy at the new folder level with an “Allow” policy type and set both “storage.googleapis.com” and “bigquery.googleapis.com” under “Custom values.”
• C. • Edit the organization-level access policy and add the new folder under “Select resources to include in the policy.” • Specify the two new projects as “Resources to protect” in the service perimeter configuration. • Set “Restricted services” to “all services,” set “VPC accessible services” to “Selected services,” and specify only BigQuery and Cloud Storage. • Edit the existing access level to add a “Geographic locations” condition set to “US.”
• D. • Configure a Cloud Interconnect connection or a Virtual Private Network (VPN) between the on-premises environment and the Google Cloud organization. • Configure the VPC firewall policies within the new projects to only allow connections from the on-premises IP address range. • Enable the Restrict Resource Service Usage organization policy on the new folder with an “Allow” policy type, and set both “storage.googleapis.com” and “bigquery.googleapis.com” under “Custom values.”

Correct answer: C

Explanation

The correct answer is C because it effectively configures the service perimeter to protect the projects while ensuring that only US personnel can access them, through the addition of a geographic location condition. Options A and D fail to implement the necessary access restrictions based on geographic locations, while B does not properly configure the service perimeter settings needed for the specific project requirements.