Topic 1 Question 90
You are the security admin of your company. Your development team creates multiple GCP projects under the "implementation" folder for several dev, staging, and production workloads. You want to prevent data exfiltration by malicious insiders or compromised code by setting up a security perimeter. However, you do not want to restrict communication between the projects. What should you do?
Use a Shared VPC to enable communication between all projects, and use firewall rules to prevent data exfiltration.
Create access levels in Access Context Manager to prevent data exfiltration, and use a shared VPC for communication between projects.
Use an infrastructure-as-code software tool to set up a single service perimeter and to deploy a Cloud Function that monitors the "implementation" folder via Stackdriver and Cloud Pub/Sub. When the function notices that a new project is added to the folder, it executes Terraform to add the new project to the associated perimeter.
Use an infrastructure-as-code software tool to set up three different service perimeters for dev, staging, and prod and to deploy a Cloud Function that monitors the "implementation" folder via Stackdriver and Cloud Pub/Sub. When the function notices that a new project is added to the folder, it executes Terraform to add the new project to the respective perimeter.
ユーザの投票
コメント(17)
I'd also go with option B and here's why: https://cloud.google.com/access-context-manager/docs/overview
Option A was a consideration until I came across this: https://cloud.google.com/security/data-loss-prevention/preventing-data-exfiltration
👍 15jonclem2020/11/16I think this is C. Communication between the project is necessary tied to VPC, but you need to include all projects under implementation folder in a single VPCSC
👍 9dzhu2021/08/19B is correct answer. Firewall can never stop data exfilteration.
👍 4saurabh18052020/10/31
シャッフルモード