Preventing Data Analysts from Retrieving Sensitive Data in Cloud Storage Buckets

Restricting Access to Cloud Storage Data from Outside the Office Network

Question

Your company has sensitive data in Cloud Storage buckets.

Data analysts have Identity Access Management (IAM) permissions to read the buckets.

You want to prevent data analysts from retrieving the data in the buckets from outside the office network.

What should you do?

Answers

Explanations


The correct answer to this question is A: Create a VPC Service Controls perimeter that includes the projects with the buckets. Create an access level with the CIDR of the office network.

Explanation:

Cloud Storage is a fully managed, scalable, and durable object storage service provided by Google Cloud Platform. IAM is used to manage access to resources within Google Cloud, and IAM policies grant users permissions on Cloud Storage buckets. An IAM grant by itself applies wherever the request comes from, so the question is really asking how to add a network condition: the analysts keep their read permissions, but those permissions must only work from the office network.

Option A suggests creating a VPC Service Controls perimeter that includes the projects with the buckets. VPC Service Controls provide additional security by letting organizations configure a security perimeter around Google Cloud services, such as Cloud Storage, for a set of projects. Requests to a restricted service from outside the perimeter are denied, regardless of the caller's IAM permissions, unless an access level explicitly admits them. By creating a VPC Service Controls perimeter that includes the projects with the buckets, we can restrict access to these resources to only authorized networks.

The second part of option A suggests creating an access level with the CIDR of the office network. An access level (defined in Access Context Manager) is a named set of conditions, such as source IP ranges, that determines which requests are allowed to reach the resources inside the perimeter. By creating an access level with the CIDR of the office network and attaching it to the perimeter, we ensure that only requests originating from within the office network are authorized to access the resources. The CIDR must be the public address range the office egresses from as seen by Google (for example the NAT address of the office firewall), not the office's internal RFC 1918 range.
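The following Terraform configuration is an added example of option A, not part of the original question or its explanation. It assumes an organization ID, the project number of the project holding the buckets, and a placeholder office range of `203.0.113.0/24`; the access level only admits requests from that range, and the perimeter restricts the Cloud Storage API for the listed project so that every other request is denied even when IAM would allow it.

```hcl
# Assumed inputs: replace with your own values.
variable "org_id"                { default = "000000000000" }      # placeholder organization ID
variable "bucket_project_number" { default = "111111111111" }      # placeholder project number
variable "office_cidr"           { default = "203.0.113.0/24" }    # placeholder office egress range

# Organization-level access policy that owns access levels and perimeters.
resource "google_access_context_manager_access_policy" "policy" {
  parent = "organizations/${var.org_id}"
  title  = "office-only-policy"
}

# Access level: a request matches only if its source IP is inside the office CIDR.
resource "google_access_context_manager_access_level" "office" {
  parent = "accessPolicies/${google_access_context_manager_access_policy.policy.name}"
  name   = "accessPolicies/${google_access_context_manager_access_policy.policy.name}/accessLevels/office_network"
  title  = "office_network"

  basic {
    conditions {
      ip_subnetworks = [var.office_cidr]
    }
  }
}

# Perimeter around the project that holds the sensitive buckets.
# Cloud Storage is the restricted service, so calls to storage.googleapis.com
# for resources in this project are rejected unless the caller matches an
# attached access level, independent of the caller's IAM role.
resource "google_access_context_manager_service_perimeter" "sensitive_buckets" {
  parent = "accessPolicies/${google_access_context_manager_access_policy.policy.name}"
  name   = "accessPolicies/${google_access_context_manager_access_policy.policy.name}/servicePerimeters/sensitive_buckets"
  title  = "sensitive_buckets"

  status {
    resources           = ["projects/${var.bucket_project_number}"]
    restricted_services = ["storage.googleapis.com"]
    access_levels       = [google_access_context_manager_access_level.office.name]
  }
}
```

Before enforcing, it is worth putting the same perimeter in dry-run mode and checking the VPC Service Controls audit logs for unexpected denials, since the perimeter also blocks service accounts and other projects that reach these buckets from outside the office range.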

Option B suggests creating a firewall rule for all instances in the Virtual Private Cloud (VPC) network with the office network as the source range. The Classless Inter-Domain Routing (CIDR) notation of the office network specifies the range of IP addresses from which traffic is allowed. However, VPC firewall rules only govern traffic to and from VM instances inside the VPC; Cloud Storage is reached through its public API endpoint, which these rules do not sit in front of. This option may protect the instances themselves, but it is not as effective as using VPC Service Controls for restricting access to the buckets.

Option C suggests creating Cloud Functions to remove and add IAM permissions on the buckets and scheduling these functions with Cloud Scheduler. This option may be useful in some situations, such as limiting access to working hours, but it is a time-based control: whenever the permissions are present, analysts can still read the data from any network. It therefore does not address the problem of preventing access from outside the office network.

Option D suggests creating a Cloud VPN to the office network and configuring Private Google Access for on-premises hosts. This option provides a private path from on-premises hosts to Google APIs, including Cloud Storage, which is useful for secure connectivity. However, it only adds a way in; it does not block requests that arrive over the public internet from outside the office network, so it does not address the problem posed in the question.

In summary, Option A is the best answer as it provides the most secure way to restrict access to resources in the Google Cloud Platform to only authorized networks.