Google Cloud Professional Cloud Security Engineer — Question 210
Your organization is implementing a Zero Trust security model and using Chrome Enterprise Premium. The company is interested in governing access to sensitive data stored in Cloud Storage. You need to configure access controls that ensure only authorized users on managed devices can access this data, regardless of their network location. Access should be restricted based on the device's security posture. This requires up-to-date operating system patches and antivirus software. What should you do?
Answer options
- A. Grant access to specific users to the VPC Service Controls to create a perimeter to access the Cloud Storage buckets. Configure Identity-Aware Proxy (IAP) to authenticate users before they can access the data.
- B. Configure IAM conditions based on IP address ranges. Require users to connect through a VPN. Implement endpoint verification software on user devices to check for basic compliance.
- C. Create an access level in Access Context Manager that requires a device policy. Create a Context-Aware Access policy using this access level. Apply the policy to the VPC Service Controls perimeter that includes the Cloud Storage buckets.
- D. Use Cloud Firewall rules to restrict access to the Cloud Storage buckets based on the source IP addresses. Require users to authenticate with a multi-factor authentication method.
Correct answer: C
Explanation
The correct answer is C because it uses Access Context Manager to define an access level with a device policy, so that only compliant, managed devices can reach the sensitive data in Cloud Storage, regardless of the user's network location. Option A focuses on user authentication without enforcing device compliance. Option B relies on IP ranges and a VPN, which ties access to network location rather than to the device's security posture. Option D limits access by source IP address and multi-factor authentication but does not verify that the device meets the security requirements.
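As an added illustration (constructed for this page, not part of the question or of Google's documentation), this is what the access level from option C looks like as a basic level spec for gcloud access-context-manager, with the commands that create it and attach it to the perimeter; the policy ID, level name, perimeter name and version numbers are placeholders. Antivirus status is not a field of the basic device policy spec: checking it needs the extra device signals that Chrome Enterprise Premium supplies through a custom access level, which this example leaves out.

```yaml
# Constructed example: basic access level spec consumed by
#   gcloud access-context-manager levels create ... --basic-level-spec=FILE
# The level is granted only when every field of the device policy holds.
- devicePolicy:
    # Device must be fully managed (Endpoint Verification / Chrome
    # Enterprise Premium) and company-owned; unmanaged devices are denied.
    allowedDeviceManagementLevels:
      - COMPLETE
    requireCorpOwned: true
    # Baseline posture: disk encryption and a screen lock.
    allowedEncryptionStatuses:
      - ENCRYPTED
    requireScreenlock: true
    # "Up-to-date operating system patches": a minimum OS version per
    # platform. Devices below the version are denied. The version numbers
    # are illustrative placeholders, not recommendations.
    osConstraints:
      - osType: DESKTOP_WINDOWS
        minimumVersion: 10.0.19045
      - osType: DESKTOP_MAC
        minimumVersion: 14.0.0
      - osType: DESKTOP_CHROME_OS
        minimumVersion: 120.0.0
        requireVerifiedChromeOs: true

# Create the level and attach it to the perimeter that contains the
# Cloud Storage buckets (POLICY_ID and STORAGE_PERIMETER are placeholders):
#   gcloud access-context-manager levels create managed_device \
#     --policy=POLICY_ID --title="Managed, patched device" \
#     --basic-level-spec=managed_device.yaml
#   gcloud access-context-manager perimeters update STORAGE_PERIMETER \
#     --policy=POLICY_ID --add-access-levels=managed_device
```

Because the check is on device attributes rather than on source IP, a request from a compliant device is allowed from any network, and a request from a non-compliant device is denied even from the corporate network, which is the behaviour the question asks for.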