Professional Cloud Security Engineer Exam Questions

Professional Cloud Security Engineer Exam - Question 220


You manage one of your organization's Google Cloud projects (Project A). A VPC Service Controls (VPC SC) perimeter is blocking API access requests to this project, including Pub/Sub. A resource running under a service account in another project (Project B) needs to collect messages from a Pub/Sub topic in your project. Project B is not included in any VPC SC perimeter. You need to provide access from Project B to the Pub/Sub topic in Project A following the principle of least privilege.

What should you do?

Correct Answer: A

Configure an ingress rule on the perimeter in Project A that allows the service account in Project B to collect messages. This is the best approach because an ingress rule can be scoped to exactly the calling identity (the Project B service account), the source (Project B) and the service (Pub/Sub) that are needed, so nothing broader than the required access is granted. A perimeter bridge does not apply here: bridges join projects that are in different perimeters, and Project B is not in any perimeter. Note that the ingress rule only lets the request cross the perimeter boundary; the service account still needs the matching IAM role (for example roles/pubsub.subscriber on the subscription in Project A), so the rule and the IAM binding together define the least-privilege path.
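An ingress rule of the kind described above, written as the YAML file that `gcloud access-context-manager perimeters update --set-ingress-policies` consumes. This is an added example, not code from the exam page or from Google's documentation; the perimeter name `project-a-perimeter`, the project numbers `111111111111` (Project A) and `222222222222` (Project B) and the service account `collector@project-b.iam.gserviceaccount.com` are placeholders chosen for illustration.

```yaml
# Added example: ingress rule for the perimeter protecting Project A.
# Every name and number below is a placeholder (assumption), not from the page.
# Apply with (policy number and perimeter name are assumed):
#   gcloud access-context-manager perimeters update project-a-perimeter \
#     --policy=POLICY_NUMBER --set-ingress-policies=ingress.yaml
- ingressFrom:
    # Admit only this caller. Do not use identityType: ANY_IDENTITY here,
    # which would let any principal outside the perimeter in.
    identities:
    - serviceAccount:collector@project-b.iam.gserviceaccount.com
    # Admit requests only when they originate from Project B
    # (referenced by project number, which is how VPC SC identifies projects).
    sources:
    - resource: projects/222222222222
  ingressTo:
    # Expose only the Pub/Sub API. "*" allows every Pub/Sub method; replace it
    # with the specific subscriber methods the collector uses if you want to
    # narrow further.
    operations:
    - serviceName: pubsub.googleapis.com
      methodSelectors:
      - method: "*"
    # Limit the rule to Project A rather than "*" (every project in the perimeter).
    resources:
    - projects/111111111111
```

The rule only opens the perimeter; the collector still needs an IAM grant in Project A, for example `gcloud pubsub subscriptions add-iam-policy-binding SUBSCRIPTION --project=project-a --member=serviceAccount:collector@project-b.iam.gserviceaccount.com --role=roles/pubsub.subscriber` (subscription and project names assumed). After applying, confirm with `gcloud access-context-manager perimeters describe project-a-perimeter --policy=POLICY_NUMBER` that the ingress policy lists exactly the one identity, one source and one service you intended.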

Discussion

10 comments
gcp4test (Option: A)
Aug 4, 2023

A is correct. Can't be C: a bridge is between perimeters, but Project B is not in any perimeter.

mjcts
Feb 8, 2024

This is the correct reason why the answer is A

Mithung30 (Option: C)
Aug 4, 2023

Answer is C. https://cloud.google.com/vpc-service-controls/docs/share-across-perimeters

anshad666 (Option: A)
Aug 23, 2023

Ingress: Refers to any access by an API client from outside the service perimeter to resources within a service perimeter. Example: A Cloud Storage client outside a service perimeter calling Cloud Storage read, write, or copy operations on a Cloud Storage resource within the perimeter.

cyberpunk21 (Option: C)
Aug 23, 2023

A can be correct, but if we configure an ingress policy all projects can access or ping this project, so too much risk. C: a perimeter can be created between two perimeters, but a bridge can only be created between two perimeters; they haven't mentioned that Project B is in a perimeter. We have to assume it.

cyberpunk21
Aug 23, 2023

My bad, I chose option A: https://cloud.google.com/vpc-service-controls/docs/ingress-egress-rules#definition-ingress-egress

Andrei_Z (Option: B)
Sep 5, 2023

By creating an access level, you can specify precisely who in Project B should have access to subscribe to the Pub/Sub topic in Project A, ensuring that access is granted to only the necessary individuals or service accounts. This approach aligns more closely with the principle of least privilege.

desertlotus1211 (Option: B)
Sep 10, 2023

Answer B: https://cloud.google.com/vpc-service-controls/docs/use-access-levels#create_an_access_level To grant controlled access to protected Google Cloud resources in service perimeters from outside a perimeter, use access levels. The following examples explain how to create an access level using different conditions:
- IP address
- User and service accounts (principals)
- Device policy

MisterHairy (Option: C)
Nov 23, 2023

The correct answer is C. You should create a perimeter bridge between Project A and Project B to allow the required communication between both projects. VPC Service Controls (SC) help to mitigate data exfiltration risks. They provide a security perimeter around Google Cloud resources to constrain data within a VPC and help protect it from being leaked. In this case, a resource in Project B needs to access a Pub/Sub topic in Project A, but Project A is within a VPC SC perimeter that's blocking API access. A perimeter bridge can be created to allow communication between the two projects. This solution adheres to the principle of least privilege because it only allows the specific communication required, rather than changing the perimeter settings or access levels, which could potentially allow more access than necessary. The principle of least privilege is about giving a user or service account only those privileges which are essential to perform its intended function. Options A and B could potentially grant more access than necessary, which is why they are not the best solutions. Option C, creating a perimeter bridge, allows just the specific communication required, adhering to the principle of least privilege.

shmoeee
Mar 24, 2024

The question does not say that Project B is in a perimeter. Answer B can't be correct unless you're assuming.

b6f53d8 (Option: B)
Feb 4, 2024

https://cloud.google.com/vpc-service-controls/docs/use-access-levels#create_an_access_level

Nachtwaker
Mar 8, 2024

Can't be B: You can only use public IP address ranges in the access levels for IP-based allowlists. You cannot include an internal IP address in these allowlists. Internal IP addresses are associated with a VPC network, and VPC networks must be referenced by their containing project using an ingress or egress rule, or a service perimeter. https://cloud.google.com/vpc-service-controls/docs/use-access-levels#create_an_access_level:~:text=You%20can%20only,service%20perimeter.

shanwford (Option: A)
Apr 25, 2024

Should be (A) according to https://cloud.google.com/vpc-service-controls/docs/share-across-perimeters. A perimeter bridge works between projects in different service perimeters. Project B is not in a perimeter, so a bridge will not work here.

jujanoso (Option: A)
Jul 10, 2024

Principle of Least Privilege: By configuring an ingress policy, you can precisely define which specific service account from Project B is allowed to access the Pub/Sub topic in Project A. This approach ensures that only the necessary access is granted, aligning with the principle of least privilege.