Your company has sensitive data in Cloud Storage buckets. Data analysts have Identity Access Management (IAM) permissions to read the buckets. You want to prevent data analysts from retrieving the data in the buckets from outside the office network. What should you do?
Choose an answer
Tap an option to check your answer.
Correct answer: Create a VPC Service Controls perimeter that includes the projects with the buckets. 2. Create an access level with the CIDR of the office network..
Why this is the answer
VPC Service Controls creates a security perimeter around your sensitive data, preventing unauthorized access from outside the perimeter. By including the projects with the Cloud Storage buckets in a service perimeter and defining an access level based on the office network's CIDR, you ensure that only requests originating from within that specific network range can access the protected resources. Creating a firewall rule for VPC instances is ineffective because Cloud Storage is a global service, not accessed directly through VPC instances. Using Cloud Functions to modify IAM permissions daily is overly complex, prone to errors, and doesn't prevent access during business hours from outside the office network. Cloud VPN and Private Google Access are for connecting on-premises networks to Google Cloud securely, but they don't restrict access to Cloud Storage based on the source IP address in the way VPC Service Controls does.
Pass your exam — without the endless answer hunt
Get every verified question and explanation for this exam in one place, and save hours of prep. 1,000+ certifications · 20+ languages · free to start.
Pass your exam faster → No card needed