Google Cloud Professional Cloud Security Engineer — Question 215
Your company’s storage team manages all product images within a specific Google Cloud project. To maintain control, you must isolate access to Cloud Storage for this project, allowing the storage team to manage restrictions at the project level. They must be restricted to using corporate computers. What should you do?
Answer options
- A. Use Identity and Access Management (IAM) roles at the project level within the storage team’s project. Grant the storage team granular permissions on the project’s Cloud Storage resources.
- B. Employ organization-level firewall rules to block all traffic to Cloud Storage. Create exceptions for specific service accounts used by the storage team within their project.
- C. Use Context-Aware Access. Create an access level that defines the required context. Apply it as an organization policy specifically at the project level, restricting access to Cloud Storage based on that context.
- D. Implement VPC Service Controls by establishing an organization-wide service perimeter with all projects. Configure ingress and egress rules to restrict access to Cloud Storage based on IP address ranges.
Correct answer: C
Explanation
The correct answer is C: Context-Aware Access lets you enforce access based on specific conditions of the request, such as requiring that it come from a corporate device, and the resulting access level can be applied to the storage team's project alone. Option A grants project-level IAM permissions but does not enforce any device restriction. Option B relies on firewall rules, which are a poor fit for granular, identity- and device-based access control. Option D creates an organization-wide service perimeter keyed on IP ranges, which is broader than the project-level, device-based control the requirement asks for.
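One way to realise option C in practice, as an added example that is not part of the question set: an Access Context Manager access level that requires a corporate-owned device, bound to the storage team's project through an IAM condition. Assumed: Terraform with the google provider, an existing access policy ID, and placeholder project, group and level names.

```hcl
# Added example (not from the question page). Names, IDs and the group
# address are placeholders; the device attributes used here require
# Endpoint Verification to be deployed on the corporate machines.

variable "access_policy_id" { type = string } # existing Access Context Manager policy number
variable "project_id"       { type = string } # the storage team's project

# Access level: satisfied only when the request comes from a corporate-owned,
# screen-locked device. Both conditions must hold (combining_function = AND).
resource "google_access_context_manager_access_level" "corp_device" {
  parent = "accessPolicies/${var.access_policy_id}"
  name   = "accessPolicies/${var.access_policy_id}/accessLevels/corp_device"
  title  = "corp_device"

  basic {
    combining_function = "AND"
    conditions {
      device_policy {
        require_corp_owned  = true
        require_screen_lock = true
      }
    }
  }
}

# Project-level binding for the storage team: the Cloud Storage role is granted
# only on this project, and only when the request satisfies the access level.
resource "google_project_iam_member" "storage_team" {
  project = var.project_id
  role    = "roles/storage.admin"
  member  = "group:storage-team@example.com" # placeholder group

  condition {
    title       = "corp-device-only"
    description = "Require a corporate-owned, screen-locked device"
    # CEL: the access level name must appear in the caller's satisfied levels.
    expression  = "\"${google_access_context_manager_access_level.corp_device.name}\" in request.auth.access_levels"
  }
}
```

A request from a non-corporate device fails the condition and is denied even though the group holds the role, which is the project-scoped, device-based restriction the question asks for.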