Exam Professional Cloud Security Engineer All Questions


Exam Professional Cloud Security Engineer topic 1 question 302 discussion

Actual exam question from Google's Professional Cloud Security Engineer
Question #: 302
Topic #: 1

You manage a Google Cloud organization with many projects located in various regions around the world. The projects are protected by the same Access Context Manager access policy. You created a new folder that will host two projects that process protected health information (PHI) for US-based customers. The two projects will be separately managed and require stricter protections. You are setting up the VPC Service Controls configuration for the new folder. You must ensure that only US-based personnel can access these projects and restrict Google Cloud API access to only BigQuery and Cloud Storage within these projects. What should you do?

A.
  • Create a scoped access policy, add the new folder under "Select resources to include in the policy," and assign an administrator under "Manage principals."
  • For the service perimeter, specify the two new projects as "Resources to protect" in the service perimeter configuration.
  • Set "Restricted services" to "all services," set "VPC accessible services" to "Selected services," and specify only BigQuery and Cloud Storage under "Selected services."

B.
  • Enable Identity-Aware Proxy in the new projects.
  • Create an Access Context Manager access level with an "IP Subnetworks" attribute condition set to the US-based corporate IP range.
  • Enable the "Restrict Resource Service Usage" organization policy at the new folder level with an "Allow" policy type and set both "storage.googleapis.com" and "bigquery.googleapis.com" under "Custom values."

C.
  • Edit the organization-level access policy and add the new folder under "Select resources to include in the policy."
  • Specify the two new projects as "Resources to protect" in the service perimeter configuration.
  • Set "Restricted services" to "all services," set "VPC accessible services" to "Selected services," and specify only BigQuery and Cloud Storage.
  • Edit the existing access level to add a "Geographic locations" condition set to "US."

D.
  • Configure a Cloud Interconnect connection or a Virtual Private Network (VPN) between the on-premises environment and the Google Cloud organization.
  • Configure the VPC firewall policies within the new projects to only allow connections from the on-premises IP address range.
  • Enable the "Restrict Resource Service Usage" organization policy on the new folder with an "Allow" policy type, and set both "storage.googleapis.com" and "bigquery.googleapis.com" under "Custom values."
Suggested Answer: A

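The options above describe the configuration only in console terms. The following is an added example, not part of the original question or of Google's documentation: the three steps of option A (scoped access policy delegated to a folder administrator, perimeter around the two projects, VPC accessible services limited to BigQuery and Cloud Storage) expressed as gcloud commands, with the US-only access level from option C attached as the perimeter's access level, since option A by itself contains no geographic condition. Every identifier (organization ID, folder ID, project numbers, policy ID, administrator principal, level and perimeter names) is a placeholder. One caveat the console hides: the "all services" choice for "Restricted services" has no CLI keyword, so the list has to be spelled out; here it is trimmed to the two in-scope services and should be widened to the full VPC Service Controls supported-services list for production. DRY_RUN=1 (the default) prints the commands instead of running them.

```shell
#!/bin/sh
# Added example (not from the original page). Implements the VPC Service
# Controls configuration discussed in the question as gcloud commands.
# All IDs below are placeholders; override them via the environment.
set -eu

ORG_ID="${ORG_ID:-123456789012}"                 # placeholder organization ID
FOLDER_ID="${FOLDER_ID:-345678901234}"           # placeholder folder hosting the PHI projects
PHI_PROJECT_NUMBERS="${PHI_PROJECT_NUMBERS:-111111111111,222222222222}"  # placeholders (project numbers, not IDs)
POLICY_ADMIN="${POLICY_ADMIN:-user:phi-admin@example.com}"               # placeholder principal
POLICY_ID="${POLICY_ID:-ACCESS_POLICY_ID}"       # numeric ID returned by 'policies create'; placeholder
DRY_RUN="${DRY_RUN:-1}"

# Only BigQuery and Cloud Storage may be reached from inside the perimeter.
ALLOWED_SERVICES="bigquery.googleapis.com,storage.googleapis.com"
# The console's "all services" option has no CLI equivalent; the restricted
# list must be explicit. Trimmed here to the two in-scope services.
RESTRICTED_SERVICES="${RESTRICTED_SERVICES:-$ALLOWED_SERVICES}"

# Print the command in dry-run mode, otherwise execute it.
run() {
  if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Step 1: a scoped access policy covering only the new folder, with its own
# administrator, so the PHI projects are managed separately from the
# organization-wide policy.
create_scoped_policy() {
  run gcloud access-context-manager policies create \
    --organization="$ORG_ID" --scopes="folders/$FOLDER_ID" \
    --title="phi-us-folder-policy"
  run gcloud access-context-manager policies add-iam-policy-binding "$POLICY_ID" \
    --member="$POLICY_ADMIN" --role=roles/accesscontextmanager.policyEditor
}

# Step 2: an access level that admits only requests originating in the US
# (ISO 3166-1 alpha-2 region code), written as a basic-level spec file.
create_us_access_level() {
  spec="${TMPDIR:-/tmp}/us-only-level.yaml"
  printf -- '- regions:\n  - US\n' > "$spec"
  run gcloud access-context-manager levels create us_only \
    --title="US only" --basic-level-spec="$spec" --policy="$POLICY_ID"
}

# Step 3: a regular perimeter around the two PHI projects. Restricted
# services are protected, VPC-accessible services are limited to BigQuery
# and Cloud Storage, and the US-only level gates API access from outside.
create_phi_perimeter() {
  resources=$(printf '%s' "$PHI_PROJECT_NUMBERS" | sed 's/\([0-9][0-9]*\)/projects\/\1/g')
  run gcloud access-context-manager perimeters create phi_us \
    --title="PHI US perimeter" --perimeter-type=regular \
    --resources="$resources" \
    --restricted-services="$RESTRICTED_SERVICES" \
    --enable-vpc-accessible-services \
    --vpc-allowed-services="$ALLOWED_SERVICES" \
    --access-levels=us_only \
    --policy="$POLICY_ID"
}

# Run the three steps in order; the policy must exist before levels and
# perimeters can reference it.
apply_all() {
  create_scoped_policy
  create_us_access_level
  create_phi_perimeter
}

apply_all
```

Run with DRY_RUN=1 first and review the printed commands; the policy ID only exists after the first command succeeds, so in a real run set POLICY_ID from its output before the level and perimeter steps. Use project numbers, not project IDs, in the perimeter resources.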
Comments

siheom
1 month, 2 weeks ago
Selected Answer: C
The best solution to meet the requirements of restricting access to US-based personnel and limiting Google Cloud API access to only BigQuery and Cloud Storage for the two new projects processing PHI is C.
upvoted 3 times
abdelrahman89
1 month, 3 weeks ago
C
Centralized Access Control: Editing the organization-level access policy ensures consistency and reduces the management overhead compared to creating a separate scoped policy.
VPC Service Controls for Isolation: Defining the new projects as "Resources to protect" isolates them within the service perimeter. Restricting services to "all services" and then allowing only BigQuery and Cloud Storage provides granular control over API access.
Geographic Location Restriction: Adding a "Geographic locations" condition set to "US" in the existing access level ensures that only users accessing from US locations can utilize the access policy and access these resources.
upvoted 1 times
Community vote distribution
A (35%)
C (25%)
B (20%)
Other