Topic 1 Question 302
You manage a Google Cloud organization with many projects located in various regions around the world. The projects are protected by the same Access Context Manager access policy. You created a new folder that will host two projects that process protected health information (PHI) for US-based customers. The two projects will be separately managed and require stricter protections. You are setting up the VPC Service Controls configuration for the new folder. You must ensure that only US-based personnel can access these projects and restrict Google Cloud API access to only BigQuery and Cloud Storage within these projects. What should you do?
• Create a scoped access policy, add the new folder under “Select resources to include in the policy,” and assign an administrator under “Manage principals.” • For the service perimeter, specify the two new projects as “Resources to protect” in the service perimeter configuration. • Set “Restricted services” to “all services,” set “VPC accessible services” to “Selected services,” and specify only BigQuery and Cloud Storage under “Selected services.”
• Enable Identity Aware Proxy in the new projects. • Create an Access Context Manager access level with an “IP Subnetworks” attribute condition set to the US-based corporate IP range. • Enable the “Restrict Resource Service Usage” organization policy at the new folder level with an “Allow” policy type and set both “storage.googleapis.com” and “bigquery.googleapis.com” under “Custom values.”
• Edit the organization-level access policy and add the new folder under “Select resources to include in the policy.” • Specify the two new projects as “Resources to protect” in the service perimeter configuration. • Set “Restricted services” to “all services,” set “VPC accessible services” to “Selected services,” and specify only BigQuery and Cloud Storage. • Edit the existing access level to add a “Geographic locations” condition set to “US.”
• Configure a Cloud Interconnect connection or a Virtual Private Network (VPN) between the on-premises environment and the Google Cloud organization. • Configure the VPC firewall policies within the new projects to only allow connections from the on-premises IP address range. • Enable the Restrict Resource Service Usage organization policy on the new folder with an “Allow” policy type, and set both “storage.googleapis.com” and “bigquery.googleapis.com” under “Custom values.”
ユーザの投票
コメント(7)
- 正解だと思う選択肢: C
The best solution to meet the requirements of restricting access to US-based personnel and limiting Google Cloud API access to only BigQuery and Cloud Storage for the two new projects processing PHI is C.
👍 3siheom2024/10/10 i don't C is the right answer "Edit the existing access level to add a “Geographic locations” condition set to “US.”"
editing the exciting access policy will impact the exciting projects using it
👍 2kalbd22122024/11/24C - Centralized Access Control: Editing the organization-level access policy ensures consistency and reduces the management overhead compared to creating a separate scoped policy. VPC Service Controls for Isolation: Defining the new projects as "Resources to protect" isolates them within the service perimeter. Restricting services to "all services" and then allowing only BigQuery and Cloud Storage provides granular control over API access. Geographic Location Restriction: Adding a "Geographic locations" condition set to "US" in the existing access level ensures that only users accessing from US locations can utilize the access policy and access these resources.
👍 1abdelrahman892024/10/04
シャッフルモード