Exam Professional Cloud Security Engineer topic 1 question 220 discussion

The answer is Answer A. Why? Because Project B does not belong in a service perimeter itself. You cannot create a perimeter bridge without being part of a service perimeter. Answer is A. https://cloud.google.com/vpc-service-controls/docs/share-across-perimeters

I spent some time going back and forth on this question. I believe the Answer is A. C can't be right because project B isn't part of another perimeter.

Principle of Least Privilege: By configuring an ingress policy, you can precisely define which specific service account from Project B is allowed to access the Pub/Sub topic in Project A. This approach ensures that only the necessary access is granted, aligning with the principle of least privilege.

Should be (A) according https://cloud.google.com/vpc-service-controls/docs/share-across-perimeters .A perimeter bridge works between projects in different service perimeters. So Project B is not in a perimeter, so bridge wil not work here.

https://cloud.google.com/vpc-service-controls/docs/use-access-levels#create_an_access_level

The correct answer is C. You should create a perimeter bridge between Project A and Project B to allow the required communication between both projects. VPC Service Controls (SC) help to mitigate data exfiltration risks. They provide a security perimeter around Google Cloud resources to constrain data within a VPC and help protect it from being leaked. In this case, a resource in Project B needs to access a Pub/Sub topic in Project A, but Project A is within a VPC SC perimeter that’s blocking API access. A perimeter bridge can be created to allow communication between the two projects. This solution adheres to the principle of least privilege because it only allows the specific communication required, rather than changing the perimeter settings or access levels which could potentially allow more access than necessary. the principle of least privilege is about giving a user or service account only those privileges which are essential to perform its intended function. Options A and B could potentially grant more access than necessary, which is why they are not the best solutions. Option C, creating a perimeter bridge, allows just the specific communication required, adhering to the principle of least privilege.

Answer B: https://cloud.google.com/vpc-service-controls/docs/use-access-levels#create_an_access_level To grant controlled access to protected Google Cloud resources in service perimeters from outside a perimeter, use access levels. The following examples explain how to create an access level using different conditions: IP address User and service accounts (principals) Device policy

By creating an access level, you can specify precisely who in Project B should have access to subscribe to the Pub/Sub topic in Project A, ensuring that access is granted to only the necessary individuals or service accounts. This approach aligns more closely with the principle of least privilege.

A. Can be correct but if we configure ingress policy all projects can access or ping this project so too much risk. C. perimeter can be created between two perimeters, but bridge can only be created between two perimeters they haven't mentioned that project b is in perimeter. we have to assume it.

Ingress: Refers to any access by an API client from outside the service perimeter to resources within a service perimeter. Example: A Cloud Storage client outside a service perimeter calling Cloud Storage read, write, or copy operations on a Cloud Storage resource within the perimeter.

Answer is C. https://cloud.google.com/vpc-service-controls/docs/share-across-perimeters

A - is correct Cant be C, bridge is between pramiter, but project B it is not in any pramiter