Google Cloud Professional Cloud Security Engineer — Question 273
Your security team wants to implement a defense-in-depth approach to protect sensitive data stored in a Cloud Storage bucket. Your team has the following requirements:
✑ The Cloud Storage bucket in Project A can only be readable from Project B.
✑ The Cloud Storage bucket in Project A cannot be accessed from outside the network.
✑ Data in the Cloud Storage bucket cannot be copied to an external Cloud Storage bucket.
What should the security team do?
Answer options
- A. Enable domain restricted sharing in an organization policy, and enable uniform bucket-level access on the Cloud Storage bucket.
- B. Enable VPC Service Controls, create a perimeter around Projects A and B, and include the Cloud Storage API in the Service Perimeter configuration.
- C. Enable Private Access in both Project A and B's networks with strict firewall rules that allow communication between the networks.
- D. Enable VPC Peering between Project A and B's networks with strict firewall rules that allow communication between the networks.
Correct answer: B
Explanation
The correct answer is B. A VPC Service Controls perimeter that contains Projects A and B and lists the Cloud Storage API (storage.googleapis.com) as a restricted service makes the bucket reachable only from resources inside the perimeter: Project B can read it (subject to its IAM grants), while requests from any project or network outside the perimeter are rejected even when the caller presents valid credentials. The restriction applies in both directions, so a client inside the perimeter also cannot write to, or copy objects into, a bucket that belongs to a project outside the perimeter, which covers the exfiltration requirement. Note that the perimeter only restricts reachability; it grants nothing, so principals in Project B still need an IAM role such as roles/storage.objectViewer on the bucket. Option A (domain restricted sharing plus uniform bucket-level access) only limits which identities can be granted IAM roles on the bucket; an authorized identity could still reach the bucket from anywhere and copy its data to an external bucket. Options C and D only shape the network path between VMs and Google APIs; Cloud Storage remains a globally reachable API, so neither Private Google Access nor VPC Peering stops access from outside the network or prevents data from being copied to another bucket.
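The following Terraform configuration is added here as an illustration of what option B looks like when deployed; it is not part of the original question or of any Google reference material. The organization ID, project numbers, bucket name and service account are assumed placeholders.

```hcl
# Added example: a VPC Service Controls perimeter around Projects A and B that
# restricts the Cloud Storage API. All identifiers below are placeholders
# (assumed organization ID, project numbers, bucket and service account names).

resource "google_access_context_manager_access_policy" "org_policy" {
  parent = "organizations/123456789012" # assumed organization ID
  title  = "org-access-policy"
}

resource "google_access_context_manager_service_perimeter" "sensitive_storage" {
  parent = "accessPolicies/${google_access_context_manager_access_policy.org_policy.name}"
  name   = "accessPolicies/${google_access_context_manager_access_policy.org_policy.name}/servicePerimeters/sensitive_storage"
  title  = "sensitive_storage"

  # Enforced configuration. To observe would-be violations in the audit logs
  # before enforcing, put this content in a `spec {}` block instead and set
  # use_explicit_dry_run_spec = true.
  status {
    # Projects must be referenced by project number, not project ID
    # (assumed values).
    resources = [
      "projects/111111111111", # Project A: holds the bucket
      "projects/222222222222", # Project B: the only project allowed to read it
    ]

    # Calls to storage.googleapis.com succeed only when both the caller and
    # the target bucket's project are inside the perimeter. This rejects reads
    # from outside the perimeter and rejects copies from the bucket to any
    # bucket in a project outside the perimeter.
    restricted_services = ["storage.googleapis.com"]

    # Workloads on the perimeter's VPC networks may reach only the listed
    # Google APIs via Private Google Access.
    vpc_accessible_services {
      enable_restriction = true
      allowed_services   = ["storage.googleapis.com"]
    }
  }
}

# The perimeter restricts reachability but grants nothing. Project B still
# needs an IAM binding on the bucket (assumed bucket and service account).
resource "google_storage_bucket_iam_member" "project_b_reader" {
  bucket = "sensitive-data-project-a"
  role   = "roles/storage.objectViewer"
  member = "serviceAccount:reader@project-b.iam.gserviceaccount.com"
}
```

Roll the perimeter out in dry-run mode first and review the VPC Service Controls audit log entries, because an enforced perimeter immediately breaks any existing out-of-perimeter caller, including CI pipelines and operators' workstations. Then verify each requirement explicitly: an object read from a VM in Project B succeeds, the same read with the same credentials from a laptop fails with a VPC Service Controls violation, and a copy from the bucket to a bucket in a project outside the perimeter fails. Copies to buckets in projects inside the perimeter remain allowed, so "external" in the question means outside the perimeter, and any project added to the perimeter later widens the trust boundary.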