PROFESSIONAL-CLOUD-SECURITY-ENGINEER Question #278: Real Exam Question with Answer & Explanation
The correct answer is C: Create an access level titled "Corporate Access." Add a condition with the IP Subnetworks.
Question
Your organization is adopting Google Cloud and wants to ensure sensitive resources are only accessible from devices within the internal on-premises corporate network. You must configure Access Context Manager to enforce this requirement. These considerations apply:
- The internal network uses IP ranges 10.100.0.0/16 and 192.168.0.0/16.
- Some employees work remotely but connect securely through a company-managed virtual private network (VPN). The VPN dynamically allocates IP addresses from the pool 172.16.0.0/20.
- Access should be restricted to a specific Google Cloud project that is contained within an existing service perimeter.

What should you do?
Options
- A. Create an access level named "Authorized Devices." Utilize the Device Policy attribute to require
- B. Create an access level titled "Internal Network Only." Add a condition with these attributes:
- C. Create an access level titled "Corporate Access." Add a condition with the IP Subnetworks
- D. Create a new IAM role called "InternalAccess." Add the IP ranges 10.100.0.0/16, 192.16.0.0/16,
Explanation
Access Context Manager uses access levels with conditions to enforce network-based restrictions. The IP Subnetworks attribute in an access level condition lets you specify trusted CIDR ranges. Option C correctly creates a 'Corporate Access' access level that includes all three IP ranges (the two on-premises ranges 10.100.0.0/16 and 192.168.0.0/16, and the VPN pool 172.16.0.0/20) and applies it to the existing service perimeter. Option A uses Device Policy, which enforces device posture (OS version, screen lock, and similar attributes), not network location. Option B omits the VPN IP range, so remote employees connecting through the VPN would be denied. Option D incorrectly attempts to use an IAM role for IP-based access control; IAM roles grant permissions but cannot enforce network location restrictions the way Access Context Manager does.
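As an added example (not part of the exam page and not Google's own tooling), the following Python builds the Option C access level in the shape the Access Context Manager API uses for a basic level with an `ipSubnetworks` condition, then evaluates sample client addresses locally against it and against Option B's narrower set. `POLICY_ID` and the level ids are placeholders, and `ip_matches_level` is a local approximation of the evaluation, not Google's evaluator.

```python
"""Added example: model the Option C access level and compare it with
Option B on sample client addresses (constructed values)."""
import ipaddress
import json

# CIDR ranges quoted in the question.
ON_PREM = ["10.100.0.0/16", "192.168.0.0/16"]
VPN_POOL = ["172.16.0.0/20"]   # covers 172.16.0.0 - 172.16.15.255


def build_access_level(policy_id: str, level_id: str, title: str, cidrs: list[str]) -> dict:
    """Return an accessLevels resource body with one basic ipSubnetworks condition.
    policy_id / level_id are placeholders; the resource name format is the API's."""
    for cidr in cidrs:
        ipaddress.ip_network(cidr, strict=True)  # reject malformed or non-canonical CIDRs
    return {
        "name": f"accessPolicies/{policy_id}/accessLevels/{level_id}",
        "title": title,
        "basic": {
            "combiningFunction": "AND",
            "conditions": [{"ipSubnetworks": cidrs}],
        },
    }


def ip_matches_level(client_ip: str, level: dict) -> bool:
    """Local approximation: with combiningFunction AND, every condition must
    pass; an ipSubnetworks condition passes if the address is in any subnet."""
    addr = ipaddress.ip_address(client_ip)
    for cond in level["basic"]["conditions"]:
        nets = [ipaddress.ip_network(c) for c in cond.get("ipSubnetworks", [])]
        if not any(addr in net for net in nets):
            return False
    return True


# Option C: on-prem ranges plus the VPN pool.  Option B: on-prem ranges only.
CORPORATE_ACCESS = build_access_level("POLICY_ID", "corporate_access",
                                      "Corporate Access", ON_PREM + VPN_POOL)
INTERNAL_ONLY = build_access_level("POLICY_ID", "internal_network_only",
                                   "Internal Network Only", ON_PREM)

if __name__ == "__main__":
    print(json.dumps(CORPORATE_ACCESS, indent=2))
    # Constructed sample clients: office LAN, VPN user, just outside the /20, Internet.
    for ip in ("10.100.4.9", "172.16.7.20", "172.16.16.1", "203.0.113.5"):
        print(ip, ip_matches_level(ip, CORPORATE_ACCESS), ip_matches_level(ip, INTERNAL_ONLY))
```

The 172.16.16.1 case shows why the VPN pool must be entered as 172.16.0.0/20 exactly: an address one past the /20 boundary is denied by both levels.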