Google Cloud Professional Cloud Security Engineer — Question 347
You are implementing communications restrictions for specific services in your Google Cloud organization. Your data analytics team works in a dedicated folder. You need to ensure that access to BigQuery is controlled for that folder and its projects. The data analytics team must be able to control the restrictions only at the folder level. What should you do?
Answer options
- A. Create an organization-level access policy with a service perimeter to restrict BigQuery access. Assign the data analytics team the Access Context Manager Editor role on the access policy to allow the team to configure the access policy.
- B. Create a scoped policy on the folder with a service perimeter to restrict BigQuery access. Assign the data analytics team the Access Context Manager Editor role on the scoped policy to allow the team to configure the scoped policy.
- C. Define a hierarchical firewall policy on the folder to deny BigQuery access. Assign the data analytics team the Compute Organization Firewall Policy Admin role to allow the team to configure rules for the firewall policy.
- D. Enforce the Restrict Resource Service Usage organization policy constraint on the folder to restrict BigQuery access. Assign the data analytics team the Organization Policy Administrator role to allow the team to manage exclusions within the folder.
Correct answer: B
Explanation
The correct answer is B because a scoped access policy created on the folder lets the data analytics team manage the VPC Service Controls perimeter that restricts BigQuery only for that folder and its projects, which is exactly the requirement; granting the Access Context Manager Editor role on the scoped policy confines their permissions to that policy rather than to the organization-level policy. Option A is incorrect because an organization-level access policy operates across the whole organization, so the team could not be limited to folder-level control. Option C is wrong because hierarchical firewall policies govern VPC network traffic and do not control access to the BigQuery API. Option D is incorrect because it relies on organization-wide policy constraints and the Organization Policy Administrator role rather than folder-specific control of a service perimeter.