Google Cloud Professional Cloud Security Engineer — Question 313
Your organization has two VPC Service Controls service perimeters, Perimeter-A and Perimeter-B, in Google Cloud. You want to allow data to be copied from a Cloud Storage bucket in Perimeter-A to another Cloud Storage bucket in Perimeter-B. You must minimize exfiltration risk, only allow required connections, and follow the principle of least privilege. What should you do?
Answer options
- A. Configure a perimeter bridge between Perimeter-A and Perimeter-B, and specify the Cloud Storage buckets as the resources involved.
- B. Configure a perimeter bridge between the projects hosting the Cloud Storage buckets in Perimeter-A and Perimeter-B.
- C. Configure an egress rule for the Cloud Storage bucket in Perimeter-A and a corresponding ingress rule in Perimeter-B.
- D. Configure a bidirectional egress/ingress rule for the Cloud Storage buckets in Perimeter-A and Perimeter-B.
Correct answer: C
Explanation
Option C is correct because an egress rule in Perimeter-A paired with a corresponding ingress rule in Perimeter-B permits only the required one-way data transfer while minimizing exfiltration risk. Options A and B create perimeter bridges, which open broader access between the perimeters than this transfer needs and so do not follow the principle of least privilege. Option D's bidirectional rule likewise allows more access than the one-way copy requires, increasing risk compared to the specific egress and ingress rules of Option C.