A healthcare organization stores Protected Health Information (PHI) in Cloud SQL. They have implemented encryption at rest using CMEK and enforce TLS for all connections. To meet HIPAA compliance, they need to ensure that PHI cannot be exfiltrated from the Cloud SQL instance even if an application is compromised. The Cloud SQL instance is accessed by Compute Engine instances in the same VPC using private IPs. The security team wants to add an additional layer of defense against data exfiltration. What should they do?
VPC Service Controls (VPC SC) restricts data access to authorized networks and prevents exfiltration via the internet.
Why this answer
Option A is correct because using VPC Service Controls with Private Service Connect for Cloud SQL creates a service perimeter that prevents data from being exfiltrated beyond the allowed network. Option B is wrong because the Cloud SQL Auth proxy provides authentication but does not prevent exfiltration. Option C is wrong because CMEK protects data at rest and does not prevent exfiltration of data in transit. Option D is wrong because Cloud Armor protects HTTP(S) load balancers, not Cloud SQL connections.