Google Cloud Professional Cloud Security Engineer — Question 45

You are part of a security team that wants to ensure that a Cloud Storage bucket in Project A can only be readable from Project B. You also want to ensure that data in the Cloud Storage bucket cannot be accessed from or copied to Cloud Storage buckets outside the network, even if the user has the correct credentials.
What should you do?

Answer options

• A. Enable VPC Service Controls, create a perimeter with Project A and B, and include Cloud Storage service.
• B. Enable Domain Restricted Sharing Organization Policy and Bucket Policy Only on the Cloud Storage bucket.
• C. Enable Private Access in Project A and B networks with strict firewall rules to allow communication between the networks.
• D. Enable VPC Peering between Project A and B networks with strict firewall rules to allow communication between the networks.

Correct answer: A

Explanation

The correct answer is A because enabling VPC Service Controls and creating a perimeter ensures that access to the Cloud Storage bucket is limited to the specified projects and prevents data from being accessed or copied externally. Option B does not provide the necessary network restrictions, while options C and D focus on network communication without addressing the specific security requirements for the Cloud Storage bucket.