Google Cloud Professional Cloud Security Engineer Practice Exam

What is the best approach to give Project B access to a Pub/Sub topic in Project A while adhering to least privilege?

• A. Provide full access to Project B
• B. Configure an ingress policy for Project A's perimeter
• C. Enable public access for the Pub/Sub topic
• D. Use Google Cloud IAM to assign custom roles

The correct answer is: Configure an ingress policy for Project A's perimeter

The best approach to give Project B access to a Pub/Sub topic in Project A while adhering to the principle of least privilege is to configure an ingress policy for Project A's perimeter. This method allows you to control which external projects can access resources within your project while enforcing fine-grained access controls. Ingress policies are part of Google's BeyondCorp Enterprise security model, focusing on authenticated access based on user identity rather than relying solely on network security measures. By configuring an ingress policy, you can specify which projects or identities are allowed to access the resources in Project A, such as the Pub/Sub topic, without granting unnecessary permissions that may lead to potential security risks. This approach aligns well with the least privilege principle because instead of providing full access or enabling public access, which could lead to excessive permissions, it allows for a targeted and controlled granting of access specifically tailored to the needs of Project B. It ensures that only the necessary permissions are granted for the required operations, thus minimizing security exposure. Using Google Cloud IAM to assign custom roles could be a valid approach as well, but configuring the ingress policy directly relates to controlling access at the project perimeter, making it the most straightforward and secure method in this scenario.