Exam Professional Data Engineer topic 1 question 226 discussion

And I would agree with GPT. The question is about that who can do what within GCP environment. It's all about permissions and access management, not about networking.

The best solution to prevent project B and any future projects from accessing data in project A's Pub/Sub topic is B. Configure VPC Service Controls in the organization with a perimeter around project A.

B is correct Raaad is always right

Setting up a perimeter around project A is future proof, the question asks to "ensure that project B and any future project cannot access data in the project A topic", IAM is not future proof. Reference: https://cloud.google.com/vpc-service-controls/docs/overview#isolate p.s: VPC Service Controls is not the same thing as VPC, instead its a security layer on top of a VPC and it should be used together with IAM, not one or the other (https://cloud.google.com/vpc-service-controls/docs/overview#how-vpc-service-controls-works)

C. Use Identity and Access Management conditions to ensure that only users and service accounts in project A. can access resources in project A. [SIMPLE!!!]

I'll go with "B. Configure VPC Service Controls in the organization with a perimeter around project A."

GPT: C. Use Identity and Access Management conditions to ensure that only users and service accounts in project A can access resources in project A. Analysis: This is the most appropriate option. IAM allows you to define who (which users or service accounts) has what access to your GCP resources. By setting IAM policies with conditions specific to Project A, you can ensure that only designated entities within Project A have access to its resources, including the Pub/Sub topic. D. Configure VPC Service Controls in the organization with a perimeter around the VPC of project A.

Option B: -It allows us to create a secure boundary around all resources in Project A, including the Pub/Sub topic. - It prevents data exfiltration to other projects and ensures that only resources within the perimeter (Project A) can access the sensitive data. - VPC Service Controls are specifically designed for scenarios where you need to secure sensitive data within a specific context or boundary in Google Cloud.

VPC Service Controls enforce a security perimeter around entire projects, ensuring that resources within project A (including the Pub/Sub topic) are inaccessible from any other project, including project B and future projects. This aligns with the requirement to prevent cross-project access.