
Practice Test 1 | Google Cloud Certified Professional Cloud Architect | Dumps | Mock Test


A large data analysis company uses BigQuery, Bigtable, Dataproc, and Cloud Storage. They run a hybrid architecture involving on-premises infrastructure and Google Cloud, with Cloud VPN used to connect to the Google Cloud Platform. One of the organization's main challenges is mitigating data exfiltration risks stemming from stolen identities, IAM policy misconfigurations, malicious insiders, and compromised virtual machines. Which Google Cloud service can they use to address this challenge?

A. Shared VPC
B. Cloud Armor
C. VPC Service Controls
D. Resource Manager

Answer: C

  • Option C is CORRECT because VPC Service Controls create a security perimeter around data stored in API-based GCP services such as Cloud Storage, BigQuery, and Bigtable. This helps mitigate data exfiltration risks stemming from stolen identities, IAM policy misconfigurations, malicious insiders, and compromised virtual machines.
  • Option A is INCORRECT because Shared VPC allows an organization to connect resources from multiple projects to a common VPC network so that they can communicate with each other securely and efficiently using internal IPs from that network. When you use Shared VPC, you designate a project as a host project and attach one or more other service projects to it. The VPC networks in the host project are called Shared VPC networks, and eligible resources from service projects can use subnets in the Shared VPC network. The challenge here is mitigating data exfiltration, for which VPC Service Controls are the right choice.
  • Option B is INCORRECT because Cloud Armor delivers defense at scale against infrastructure and application Distributed Denial of Service (DDoS) attacks using Google's global infrastructure and security systems.
  • Option D is INCORRECT because Resource Manager lets you programmatically manage resource containers. Google Cloud Platform provides resource containers such as Organizations, Folders, and Projects that allow you to hierarchically organize other Cloud Platform resources. This hierarchy lets you manage common aspects of your resources, such as access control and configuration settings, in one place.

VPC Service Controls also prevent reading data from, or copying data to, a resource outside the perimeter using service operations, such as copying to a public Cloud Storage bucket with the gsutil cp command or to a permanent external BigQuery table with the bq mk command.

The restricted VIP feature can be used to prevent access from a trusted network to storage services that are not integrated with VPC Service Controls.

  1. Public exposure of private data caused by misconfigured Cloud IAM policies: VPC Service Controls provide an additional layer of security by denying access from unauthorized networks, even if the data is exposed by a misconfigured Cloud IAM policy.

By assigning the Access Context Manager Policy Admin role in Cloud IAM, VPC Service Controls can be configured by a user who is not the Cloud IAM policy administrator.

Read more about VPC Service Controls here:

A service perimeter creates a security boundary around GCP resources. You can configure a service perimeter to control communication from virtual machines (VMs) to a GCP service (API), and between GCP services. A service perimeter allows free communication within the perimeter but, by default, blocks all communication across the perimeter.

For example:

A VM within a Virtual Private Cloud (VPC) network that is part of a service perimeter can read from or write to a Cloud Storage bucket in the same perimeter. However, any attempt to access the bucket from VPC networks that are not inside the perimeter is denied.

A copy operation between two Cloud Storage buckets will succeed if both buckets are in the same service perimeter, but will fail if one of the buckets is outside the perimeter.

A VM within a VPC network that is part of a service perimeter can privately access any Cloud Storage buckets in the same perimeter. However, the VM will be denied access to Cloud Storage buckets that are outside the perimeter.
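The following Terraform configuration is an added example, not part of the original explanation, showing how a service perimeter of the kind described above would be declared for the scenario in the question: the analytics project's Cloud Storage, BigQuery, Bigtable, and Dataproc APIs are placed inside one perimeter so that calls between resources in the project succeed while calls that cross the perimeter boundary are denied. The organization ID, project number, policy title, and perimeter name are placeholder values, not taken from the page.

```hcl
# Added example (not from the original page). Placeholder identifiers:
# organization 000000000000 and project number 111111111111 are constructed.

# Access Context Manager policy for the organization; perimeters live under it.
resource "google_access_context_manager_access_policy" "org_policy" {
  parent = "organizations/000000000000"   # placeholder organization ID
  title  = "analytics-org-policy"
}

# The perimeter: every project listed in `resources` is inside the boundary,
# and every API listed in `restricted_services` is protected by it.
resource "google_access_context_manager_service_perimeter" "analytics" {
  parent = "accessPolicies/${google_access_context_manager_access_policy.org_policy.name}"
  name   = "accessPolicies/${google_access_context_manager_access_policy.org_policy.name}/servicePerimeters/analytics"
  title  = "analytics"

  status {
    # Placeholder project number of the data analysis project.
    resources = ["projects/111111111111"]

    # APIs whose data must not leave the perimeter. A gsutil cp to a bucket in a
    # project outside this list, or a bq mk of an external table backed by data
    # outside it, is denied even if the caller's IAM permissions would allow it.
    restricted_services = [
      "storage.googleapis.com",
      "bigquery.googleapis.com",
      "bigtable.googleapis.com",
      "dataproc.googleapis.com",
    ]
  }
}
```

Reading the two behaviours from the page against this configuration: a VM in a VPC network of project 111111111111 reading a bucket owned by the same project stays within the perimeter and succeeds, while a copy to a bucket owned by a project that is not in `resources` crosses the boundary and is denied. On-premises clients reaching the APIs over Cloud VPN still need an explicit allow (an access level or ingress rule attached to the perimeter) before their requests are treated as inside the boundary; that part is deliberately left out of the example because the page does not specify the organization's trusted network.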
