Learn the steps to configure VPC Service Controls for Google Cloud projects handling Protected Health Information (PHI). Restrict access to US-based personnel and limit API access to BigQuery and Cloud Storage.
Question
You manage a Google Cloud organization with many projects located in various regions around the world. The projects are protected by the same Access Context Manager access policy. You created a new folder that will host two projects that process protected health information (PHI) for US-based customers. The two projects will be separately managed and require stricter protections. You are setting up the VPC Service Controls configuration for the new folder. You must ensure that only US-based personnel can access these projects and restrict Google Cloud API access to only BigQuery and Cloud Storage within these projects. What should you do?
A. Create a scoped access policy, add the new folder under “Select resources to include in the policy,” and assign an administrator under “Manage principals.”
For the service perimeter, specify the two new projects as “Resources to protect” in the service perimeter configuration.
Set “Restricted services” to “all services,” set “VPC accessible services” to “Selected services,” and specify only BigQuery and Cloud Storage under “Selected services.”
B. Enable Identity Aware Proxy in the new projects.
Create an Access Context Manager access level with an “IP Subnetworks” attribute condition set to the US-based corporate IP range.
Enable the “Restrict Resource Service Usage” organization policy at the new folder level with an “Allow” policy type and set both “storage.googleapis.com” and “bigquery.googleapis.com” under “Custom values.”
C. Edit the organization-level access policy and add the new folder under “Select resources to include in the policy.”
Specify the two new projects as “Resources to protect” in the service perimeter configuration.
Set “Restricted services” to “all services,” set “VPC accessible services” to “Selected services,” and specify only BigQuery and Cloud Storage.
Edit the existing access level to add a “Geographic locations” condition set to “US.”
D. Configure a Cloud Interconnect connection or a Virtual Private Network (VPN) between the on-premises environment and the Google Cloud organization.
Configure the VPC firewall policies within the new projects to only allow connections from the on-premises IP address range.
Enable the Restrict Resource Service Usage organization policy on the new folder with an “Allow” policy type, and set both “storage.googleapis.com” and “bigquery.googleapis.com” under “Custom values.”
Answer
A. Create a scoped access policy, add the new folder under “Select resources to include in the policy,” and assign an administrator under “Manage principals.”
For the service perimeter, specify the two new projects as “Resources to protect” in the service perimeter configuration.
Set “Restricted services” to “all services,” set “VPC accessible services” to “Selected services,” and specify only BigQuery and Cloud Storage under “Selected services.”
Explanation
To set up VPC Service Controls for the new folder hosting two projects that process PHI for US-based customers:
- Create a new, scoped access policy specifically for the PHI projects.
- Add the new folder under “Select resources to include in the policy.” This ensures the policy applies to the PHI projects within the folder.
- Assign an administrator under “Manage principals.” This grants administrative control over the scoped access policy.
- Configure the service perimeter for the PHI projects:
  - Specify the two new projects as “Resources to protect” in the service perimeter configuration. This defines the projects to which the service perimeter applies.
  - Set “Restricted services” to “all services.” This blocks access to all Google Cloud APIs by default.
  - Set “VPC accessible services” to “Selected services,” and specify only BigQuery and Cloud Storage under “Selected services.” This allows access to only these two APIs within the service perimeter.
By creating a separate, scoped access policy and service perimeter for the PHI projects, you can apply stricter protections and access controls without affecting the rest of the organization. The service perimeter configuration restricts access to only US-based personnel (managed through the access policy) and limits API access to BigQuery and Cloud Storage, ensuring compliance with PHI regulations.
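The same configuration expressed as gcloud commands, added here as an example and not part of the original question or of Google's documentation. Every organization, folder, policy and project value is a placeholder, and the perimeter's `--resources` flag needs project numbers rather than project ids. Two points go slightly beyond the answer text: the US-only restriction is made explicit as a basic access level with a `regions` condition (an assumption; the answer only says US-based access is "managed through the access policy"), and because gcloud's `--restricted-services` takes an explicit list rather than an "all services" switch, the script restricts the two services the scenario needs and leaves the list for you to extend to the full set of VPC Service Controls supported services. With `DRY_RUN=1` (the default) it only prints the commands, so you can review them before running anything.

```shell
#!/bin/sh
# Added example, not from the original page: the answer-A VPC Service
# Controls configuration built with gcloud. Every id below is a placeholder.
set -eu

ORG_ID="${ORG_ID:-123456789012}"                # placeholder organization id
FOLDER_ID="${FOLDER_ID:-987654321098}"          # placeholder: the new PHI folder
POLICY_ID="${POLICY_ID:-111111111111}"          # placeholder: id returned by step 1
POLICY_ADMIN="${POLICY_ADMIN:-user:vpcsc-admin@example.com}"  # placeholder principal
# Perimeter resources are project *numbers*, not project ids (placeholders).
PHI_PROJECTS="${PHI_PROJECTS:-projects/222222222222,projects/333333333333}"
# The console's "all services" choice is the full list of VPC Service Controls
# supported services; these two are the minimum for this scenario.
RESTRICTED_SERVICES="${RESTRICTED_SERVICES:-bigquery.googleapis.com,storage.googleapis.com}"
VPC_ALLOWED_SERVICES="bigquery.googleapis.com,storage.googleapis.com"
DRY_RUN="${DRY_RUN:-1}"   # 1 = print each gcloud command instead of running it

# Runs the given command, or prints it verbatim when DRY_RUN=1.
run() {
  if [ "$DRY_RUN" = "1" ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# Step 1: a scoped access policy whose scope is only the new folder, so the
# organization-wide policy and its administrators are left untouched.
create_scoped_policy() {
  run gcloud access-context-manager policies create \
    --organization="$ORG_ID" \
    --scopes="folders/$FOLDER_ID" \
    --title="phi-scoped-policy"
}

# Step 2 ("Manage principals"): delegate administration of the scoped policy.
grant_policy_admin() {
  run gcloud access-context-manager policies add-iam-policy-binding "$POLICY_ID" \
    --member="$POLICY_ADMIN" \
    --role="roles/accesscontextmanager.policyAdmin"
}

# Step 3 (assumption beyond the answer text): a basic access level that admits
# requests originating in the US only, written as a basic-level spec file.
create_us_access_level() {
  spec="${TMPDIR:-/tmp}/us-only-spec.yaml"
  printf '%s\n' '- regions:' '  - US' > "$spec"
  run gcloud access-context-manager levels create us-only \
    --title="US-only" \
    --basic-level-spec="$spec" \
    --policy="$POLICY_ID"
}

# Step 4: the perimeter around the two PHI projects. Restricted services are
# blocked at the perimeter boundary; VPC accessible services limit which APIs
# workloads inside the perimeter may call at all.
create_perimeter() {
  run gcloud access-context-manager perimeters create phi-perimeter \
    --title="PHI perimeter" \
    --resources="$PHI_PROJECTS" \
    --restricted-services="$RESTRICTED_SERVICES" \
    --access-levels="us-only" \
    --enable-vpc-accessible-services \
    --vpc-allowed-services="$VPC_ALLOWED_SERVICES" \
    --policy="$POLICY_ID"
}

create_scoped_policy
grant_policy_admin
create_us_access_level
create_perimeter
```

After step 1 has actually run, copy the policy id it returns into `POLICY_ID` before running the remaining steps with `DRY_RUN=0`; the dry run exists precisely so that the folder scope, the two project numbers and the two allowed services can be checked by eye before anything is created.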