Google Cloud Security: Restricting Access to Cloud Storage Buckets

Restricting Access to Cloud Storage Buckets

Question

You are part of a security team that wants to ensure that a Cloud Storage bucket in Project A can only be readable from Project B.

You also want to ensure that data in the Cloud Storage bucket cannot be accessed from or copied to Cloud Storage buckets outside the network, even if the user has the correct credentials.

What should you do?

Answers

B.

Explanations

https://cloud.google.com/resource-manager/docs/organization-policy/restricting-domains

To ensure that a Cloud Storage bucket in Project A is readable only from Project B, and that data in the bucket cannot be accessed from, or copied to, Cloud Storage buckets outside the network even when the user holds valid credentials, you need to weigh several security controls against each other.

Option A: Enable VPC Service Controls, create a perimeter with Project A and B, and include Cloud Storage service.

VPC Service Controls provide a security perimeter around the resources within a VPC network. Enabling VPC Service Controls lets you create a perimeter that contains Project A and Project B and includes the Cloud Storage service. Once the perimeter is in place, any attempt to reach the Cloud Storage bucket from outside it is blocked, even if the caller presents valid credentials, so data can neither be read from nor copied to buckets outside the perimeter. This option therefore prevents unauthorized access to the bucket from external sources.

Option B: Enable Domain Restricted Sharing Organization Policy and Bucket Policy Only on the Cloud Storage bucket.

Domain Restricted Sharing lets you specify the domains whose identities may be granted access to resources. Enabling this policy and turning on Bucket Policy Only (uniform bucket-level access) on the Cloud Storage bucket restricts access to principals from the allowed domains. However, this option provides no protection against unauthorized access attempts from within the network or from identities outside the allowed domains that have otherwise obtained credentials.

Option C: Enable Private Access in Project A and B networks with strict firewall rules to allow communication between the networks.

Enabling Private Access in the Project A and Project B networks creates an internal network path between them, allowing the networks to communicate. You can also add strict firewall rules so that only traffic between the two networks is allowed and all other external access is blocked. While this option protects against external access attempts, it does not prevent unauthorized access from within the network.

Option D: Enable VPC Peering between Project A and B networks with strict firewall rules to allow communication between the networks.

VPC Peering creates a direct network connection between two VPC networks, allowing them to communicate. With strict firewall rules you can allow traffic only between the peered VPC networks and block all other external access attempts. This option provides protection against external access attempts and unauthorized access within the network.

In summary, the most suitable option for ensuring that a Cloud Storage bucket in Project A is readable only from Project B, and that data in the bucket cannot be accessed from or copied to Cloud Storage buckets outside the network even when the user holds valid credentials, is to enable VPC Service Controls and create a perimeter containing Project A and Project B that includes the Cloud Storage service (Option A).
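The following Terraform configuration is an added example, not part of the original question or of Google's own documentation, showing how the recommended control is typically expressed in code: a VPC Service Controls perimeter that contains both projects and restricts `storage.googleapis.com`, a bucket in Project A with uniform bucket-level access, and a bucket-level IAM binding that grants read access to a single service account from Project B. The variable names (`org_id`, `project_a_number`, `project_b_number`, `project_a_id`, `bucket_name`, `project_b_reader_sa`) and the perimeter title are assumptions chosen for the example; the resource types and arguments are those of the Google Terraform provider.

```hcl
# Added example (not from the original page). Assumed inputs are declared as variables.
variable "org_id"              { type = string } # e.g. "123456789012" (placeholder)
variable "project_a_number"    { type = string } # project NUMBER of Project A (perimeters use numbers)
variable "project_b_number"    { type = string } # project NUMBER of Project B
variable "project_a_id"        { type = string } # project ID of Project A
variable "bucket_name"         { type = string } # globally unique bucket name (placeholder)
variable "project_b_reader_sa" { type = string } # e.g. "reader@project-b.iam.gserviceaccount.com" (placeholder)

# Access policy is the organization-level container for service perimeters.
resource "google_access_context_manager_access_policy" "policy" {
  parent = "organizations/${var.org_id}"
  title  = "org-access-policy"
}

# Perimeter containing Project A and Project B with Cloud Storage restricted.
# Calls to storage.googleapis.com that originate outside the perimeter are
# denied even when the caller holds valid credentials, which also blocks
# copying objects to buckets in projects outside the perimeter.
resource "google_access_context_manager_service_perimeter" "project_a_b_storage" {
  parent         = "accessPolicies/${google_access_context_manager_access_policy.policy.name}"
  name           = "accessPolicies/${google_access_context_manager_access_policy.policy.name}/servicePerimeters/project_a_b_storage"
  title          = "project_a_b_storage"
  perimeter_type = "PERIMETER_TYPE_REGULAR"

  status {
    resources = [
      "projects/${var.project_a_number}",
      "projects/${var.project_b_number}",
    ]
    restricted_services = ["storage.googleapis.com"]
  }
}

# The bucket in Project A. Uniform bucket-level access disables legacy object
# ACLs so that IAM policy on the bucket is the single source of truth.
resource "google_storage_bucket" "sensitive" {
  project                     = var.project_a_id
  name                        = var.bucket_name
  location                    = "US"
  uniform_bucket_level_access = true
}

# Least-privilege read grant: only one Project B service account may read
# objects. The perimeter above is what stops that same identity from being
# used from outside the perimeter.
resource "google_storage_bucket_iam_member" "project_b_reader" {
  bucket = google_storage_bucket.sensitive.name
  role   = "roles/storage.objectViewer"
  member = "serviceAccount:${var.project_b_reader_sa}"
}
```

Two practical checks are worth doing after `terraform apply`: confirm that a `gsutil cp` from a VM in a third project fails with a VPC Service Controls error rather than an IAM error (which proves the perimeter, not just IAM, is doing the work), and review the Cloud Audit Logs for `storage.googleapis.com` denials, since VPC Service Controls violations are logged there and make a useful detection signal for credential misuse from outside the perimeter.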