GCP · PCA

Security And Governance Boundary — GCP Professional Cloud Architect (PCA)

12% of exam questions (24 of 200)

Four Tools, Four Distinct Threat Surfaces

IAM controls who can call an API. VPC Service Controls controls which network context that call can come from. Org Policy restricts what can be configured at all. Cloud KMS controls which keys encrypt which data and who can revoke them. A persistent exam mistake is treating these as overlapping alternatives — adding a KMS key where an org policy would prevent the misconfiguration entirely, or applying IAM where VPC Service Controls is the required boundary. Each tool addresses a different attack surface; read the scenario to identify which surface is exposed.

What This Pattern Tests

The exam describes a security requirement and tests which control layer applies. Identity controls manage who can act. Resource controls manage what configurations are allowed. Network controls manage traffic flow. Organization controls set account-wide guardrails. Applying the wrong layer is as incorrect as applying no control at all.

Decision Axis

Control scope (principal vs. resource vs. network vs. organization) determines the mechanism.

Decision Rules

When the security requirement is preventing authenticated data exfiltration across project boundaries rather than controlling who can access a resource, VPC Service Controls — not Cloud IAM — is the correct enforcement mechanism because it creates a context-based API perimeter that blocks calls regardless of the caller's IAM identity.

VPC Service Controls · Cloud IAM · Organization Policy Service

Whether Google-managed default encryption combined with Admin Activity audit logging satisfies HIPAA key-revocation and tamper-evident retention requirements, or whether CMEK via Cloud KMS plus Data Access audit logs exported to a locked Cloud Storage bucket is the required combination.

Cloud KMS · Cloud Audit Logs · Cloud Storage (retention policies)

Whether Cloud IAM bindings in the source project or VPC Service Controls perimeter enforcement is the correct mechanism to prevent authenticated principals from exfiltrating data to Cloud Storage buckets in external projects via Google API calls.

VPC Service Controls · Cloud IAM · Organization Policy Service

Whether Google-managed default encryption plus enabling Cloud Audit Logs satisfies HIPAA ePHI data-control and audit-retention obligations, or whether CMEK via Cloud KMS (for customer-controlled key revocation) combined with VPC Service Controls (for perimeter-based exfiltration prevention) and Cloud Audit Logs exported to a locked Cloud Storage bucket (for WORM-compliant retention) is the required combination.

Cloud KMS · VPC Service Controls · Cloud Audit Logs

Whether to enforce the data-boundary requirement with VPC Service Controls (API-level perimeter blocking cross-project API traffic even from authenticated principals) or with Cloud IAM policies and conditions (identity-based access control that governs call authorization but cannot constrain where an authorized principal directs API output).

VPC Service Controls · Cloud IAM · Organization Policy Service
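The three VPC Service Controls rules above all turn on the same distinction: an IAM binding decides whether a principal may call an API, while a service perimeter decides whether that call may carry data across a project boundary at all. The Terraform below is an added example written for this page, not configuration taken from it or from any Google documentation; it assumes placeholder values for the organization ID, project number, bucket name and corporate IP range, and it places an Organization Policy constraint next to the perimeter to show how the two layers differ (the perimeter stops cross-boundary API traffic, the org policy stops a configuration from being created in the first place).

```hcl
# Added example for the "VPC Service Controls vs. Cloud IAM" decision rule.
# All IDs below are placeholders (assumed), not values from the page.

terraform {
  required_providers {
    google = { source = "hashicorp/google" }
  }
}

variable "org_id"         { default = "000000000000" }          # placeholder org ID
variable "project_id"     { default = "phi-analytics-example" } # placeholder project ID
variable "project_number" { default = "111111111111" }          # placeholder project number

# 1. Access policy: the org-level container that perimeters and access levels live in.
resource "google_access_context_manager_access_policy" "policy" {
  parent = "organizations/${var.org_id}"
  title  = "data-boundary-policy"
}

# 2. Access level: the only network context allowed to reach restricted APIs
#    from outside the perimeter. The CIDR is a constructed example range.
resource "google_access_context_manager_access_level" "corp" {
  parent = "accessPolicies/${google_access_context_manager_access_policy.policy.name}"
  name   = "accessPolicies/${google_access_context_manager_access_policy.policy.name}/accessLevels/corp_network"
  title  = "corp_network"
  basic {
    conditions {
      ip_subnetworks = ["203.0.113.0/24"]
    }
  }
}

# 3. The perimeter itself. Storage and BigQuery calls that would move data to a
#    resource outside "resources" are denied by the API front end, regardless of
#    whether the caller holds roles/storage.admin in both projects. This is the
#    control an IAM binding cannot provide: IAM authorizes the call, it does not
#    constrain where an authorized caller directs the output.
resource "google_access_context_manager_service_perimeter" "boundary" {
  parent = "accessPolicies/${google_access_context_manager_access_policy.policy.name}"
  name   = "accessPolicies/${google_access_context_manager_access_policy.policy.name}/servicePerimeters/analytics_boundary"
  title  = "analytics_boundary"
  status {
    resources           = ["projects/${var.project_number}"]
    restricted_services = ["storage.googleapis.com", "bigquery.googleapis.com"]
    access_levels       = [google_access_context_manager_access_level.corp.name]

    # Workloads inside the perimeter's VPCs may only reach the restricted services
    # through the restricted VIP, so a VM cannot bypass the boundary either.
    vpc_accessible_services {
      enable_restriction = true
      allowed_services   = ["RESTRICTED-SERVICES"]
    }
  }
}

# 4. Contrast: an Organization Policy constraint. This does not inspect API
#    traffic; it refuses the configuration (a public bucket) outright, which is
#    the right layer when the requirement is "this must never be configurable".
resource "google_project_organization_policy" "no_public_buckets" {
  project    = var.project_id
  constraint = "storage.publicAccessPrevention"
  boolean_policy {
    enforced = true
  }
}
```

When reading a scenario, the check is the phrase "authenticated principal" or "authorized user": if the data leaves the boundary through an API call the caller is allowed to make, only the perimeter applies, and tightening IAM in the source project changes nothing.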

Whether CMEK-encrypted BigQuery tables backed by a customer-managed Cloud KMS key ring plus Data Access audit log export to a WORM-locked Cloud Storage bucket in a separate project constitutes the compliant posture — versus relying on Google-managed encryption at rest and in-project Cloud IAM activity logs alone.

Cloud KMS · Cloud Audit Logs · Cloud Storage (retention policies)
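The three Cloud KMS rules above share one compliant posture: a customer-managed key the customer can revoke, Data Access audit logs (which, unlike Admin Activity logs, are off by default) and an export of those logs to a bucket whose retention policy is locked. The Terraform below is an added example written for this page, not configuration from the page or from Google; project IDs, the bucket name and the six-year retention period are assumed placeholders, and the BigQuery dataset and KMS key ring are placed in the same region because a CMEK key must be in the dataset's location.

```hcl
# Added example for the "CMEK + Data Access audit logs + locked bucket" rules.
# Project IDs, bucket name and retention period are placeholders (assumed).

terraform {
  required_providers {
    google = { source = "hashicorp/google" }
  }
}

variable "project_id"     { default = "phi-analytics-example" } # placeholder
variable "log_project_id" { default = "audit-archive-example" } # placeholder, separate project
variable "region"         { default = "us-central1" }

# 1. Customer-managed key. Google-managed encryption gives the customer no key to
#    disable or destroy; a CMEK key can be revoked, which cuts off all reads of the
#    data encrypted under it.
resource "google_kms_key_ring" "phi" {
  project  = var.project_id
  name     = "phi-keyring"
  location = var.region # must match the dataset location below
}

resource "google_kms_crypto_key" "bq" {
  name            = "bq-phi-key"
  key_ring        = google_kms_key_ring.phi.id
  rotation_period = "7776000s" # 90 days
  lifecycle {
    prevent_destroy = true # accidental destroy would make the tables unreadable
  }
}

# BigQuery encrypts with its own service account, which needs use of the key.
data "google_bigquery_default_service_account" "bq" {
  project = var.project_id
}

resource "google_kms_crypto_key_iam_member" "bq_use" {
  crypto_key_id = google_kms_crypto_key.bq.id
  role          = "roles/cloudkms.cryptoKeyEncrypterDecrypter"
  member        = "serviceAccount:${data.google_bigquery_default_service_account.bq.email}"
}

resource "google_bigquery_dataset" "phi" {
  project    = var.project_id
  dataset_id = "phi"
  location   = var.region
  default_encryption_configuration {
    kms_key_name = google_kms_crypto_key.bq.id
  }
  depends_on = [google_kms_crypto_key_iam_member.bq_use]
}

# 2. Data Access audit logs. Admin Activity logs record configuration changes only;
#    who read or wrote ePHI is recorded solely by DATA_READ / DATA_WRITE entries.
resource "google_project_iam_audit_config" "data_access" {
  project = var.project_id
  service = "allServices"
  audit_log_config { log_type = "ADMIN_READ" }
  audit_log_config { log_type = "DATA_READ" }
  audit_log_config { log_type = "DATA_WRITE" }
}

# 3. WORM archive in a separate project. Once is_locked is true the policy cannot be
#    removed or shortened, and objects cannot be deleted before the period elapses,
#    even by a project owner of the source project.
resource "google_storage_bucket" "audit_archive" {
  project                     = var.log_project_id
  name                        = "audit-archive-example-bucket" # placeholder, must be globally unique
  location                    = "US"
  uniform_bucket_level_access = true
  retention_policy {
    retention_period = 6 * 365 * 24 * 60 * 60 # assumed six-year period, in seconds
    is_locked        = true                   # irreversible
  }
}

# 4. Export only audit log entries from the source project into the locked bucket.
resource "google_logging_project_sink" "audit_to_archive" {
  project                = var.project_id
  name                   = "audit-logs-to-archive"
  destination            = "storage.googleapis.com/${google_storage_bucket.audit_archive.name}"
  filter                 = "logName:\"cloudaudit.googleapis.com\""
  unique_writer_identity = true
}

# The sink writes with its own service account, which needs objectCreator on the
# bucket (and nothing more, so it cannot delete or overwrite what it wrote).
resource "google_storage_bucket_iam_member" "sink_writer" {
  bucket = google_storage_bucket.audit_archive.name
  role   = "roles/storage.objectCreator"
  member = google_logging_project_sink.audit_to_archive.writer_identity
}
```

The two things the exam expects you to notice are in steps 1 and 2: default encryption cannot satisfy a revocation requirement because there is no key for the customer to revoke, and Admin Activity logging alone cannot satisfy an access-audit requirement because it never records data reads.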

Domain Coverage

Designing for Security and Compliance

Difficulty Breakdown

Medium: 8 · Hard: 12 · Expert: 4