Google Cloud Professional Cloud Security Engineer — Question 302
You need to enforce a security policy in your Google Cloud organization that prevents users from exposing objects in their buckets externally. There are currently no buckets in your organization. Which solution should you implement proactively to achieve this goal with the least operational overhead?
Answer options
- A. Create an hourly cron job to run a Cloud Function that finds public buckets and makes them private.
- B. Enable the constraints/storage.publicAccessPrevention constraint at the organization level.
- C. Enable the constraints/storage.uniformBucketLevelAccess constraint at the organization level.
- D. Create a VPC Service Controls perimeter that protects the storage.googleapis.com service in your projects that contain buckets. Add any new project that contains a bucket to the perimeter.
Correct answer: B
Explanation
The correct answer is B: enabling the constraints/storage.publicAccessPrevention constraint at the organization level prevents any future bucket from being made publicly accessible, with no ongoing maintenance. Option A relies on a cron job that must run continually and only remediates a bucket after it has already been exposed, which increases operational overhead. Options C and D address other aspects of access management but do not specifically prevent public access the way option B does.