Google Cloud Professional Cloud Security Engineer Practice Exam





What is the best approach to protect sensitive data in a Cloud Storage bucket that can only be read from another project?

  1. Enable bucket versioning in Cloud Storage

  2. Create a public link for data sharing

  3. Enable VPC Service Controls and create a service perimeter

  4. Use standard IAM roles for access control

The correct answer is: Enable VPC Service Controls and create a service perimeter

Enabling VPC Service Controls and creating a service perimeter is highly effective for protecting sensitive data in a Cloud Storage bucket that is to be accessed from another project. VPC Service Controls let you configure security perimeters around your Google Cloud resources, including Cloud Storage. These controls create a boundary that helps mitigate data exfiltration risks and unauthorized access by enforcing strict access policies. A service perimeter restricts access to the sensitive data within the specified projects and resources, ensuring that only authorized entities can reach the data, even when it is accessed from other projects. This is particularly important for sensitive information, as it provides an additional layer of security beyond standard access controls.

In contrast, enabling bucket versioning does not inherently protect the data; it helps in recovering previous versions in case of accidental deletion or changes. Creating a public link for data sharing poses significant risks because it exposes sensitive data to anyone with the link, which is not suitable for protecting confidentiality. Using standard IAM roles provides a basic level of access control but may not be sufficient to enforce the stricter security requirements needed for sensitive data, especially in cross-project scenarios. Thus, VPC Service Controls represent a more comprehensive and secure solution for the described situation.