Security
VPC Service Controls
Security perimeter around GCP APIs — prevent data exfiltration
AWS equivalent
⚠️ No direct equivalent
AWS → GCP: Key Differences
- No real AWS equivalent. AWS SCPs restrict which APIs can be called but do not create a data perimeter.
- VPC Service Controls creates a boundary: even if credentials are stolen, data cannot leave the perimeter.
Key Concepts to Know
1. Access policies define perimeters that wrap GCP services (BigQuery, GCS) in specified projects.
2. Inside the perimeter: API calls to protected services are allowed.
3. Outside the perimeter: API calls are blocked — even with valid credentials.
4. Access levels: define the conditions under which access from outside the perimeter is permitted.
5. Use for: regulated data, preventing insider threats, compliance requirements.
DCE Interview Tips
- Best answer to: 'How do you prevent data exfiltration from GCP?'
- 'Even if an attacker steals a service account key, VPC Service Controls means they cannot exfiltrate data from BigQuery or GCS outside our defined perimeter.'
Common Gotchas
- VPC Service Controls can break services if misconfigured — a perimeter that is too strict will deny legitimate API calls.
- Dry-run mode: test a perimeter in audit mode, where violations are logged but not blocked, before enforcing it.
- Requires an organization-level resource hierarchy.