sa...@google.com <sa...@google.com>
sa...@google.com <sa...@google.com> #2
Hello,
Thank you for reaching out to us with your request.
We have duly noted your feedback and will thoroughly validate it. While we cannot provide an estimated time of implementation or guarantee the fulfillment of the issue, please be assured that your input is highly valued. Your feedback enables us to enhance our products and services.
We appreciate your continued trust and support in improving our Google Cloud Platform products. In case you want to report a new issue, please do not hesitate to create a new issue on the
Once again, we sincerely appreciate your valuable feedback. Thank you for your understanding and collaboration.
Description
The Storage Transfer Service (STS) and the BigQuery Data Transfer Service were tested with VPC-SC service perimeters, and the data transfer was expected to be blocked when pulling data from an AWS S3 bucket outside the perimeter. There are no egress rules to allow the connectivity, yet the connectivity worked without any egress or ingress rules. The VPC-SC perimeter has no Access Contact Lists (e.g. no AWS IPs) and no ingress/egress rules at all. The user was still able to pull the data from the S3 bucket without any issue, and the expectation is that the data transfer is blocked when the VPC-SC perimeter is enforced. This is now the default behavior: a recent VPC-SC update allows this operation without additional rules, from an ease-of-use perspective.
What you would like to accomplish: This is a huge data infiltration/exfiltration risk, so we request an option to control this at the project level or organization level based on the user's interest rather than keeping it allowed by default.
How this might work: If possible, this could be done through an Org policy.
If applicable, reasons why alternative solutions are not sufficient: There is no currently known alternative solution.
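Since the perimeter itself does not block these transfers, a defender's fallback is to detect them from Cloud Audit Logs. The script below is an added example, not code from the issue or from Google; it scans constructed audit log entries for Storage Transfer Service and BigQuery Data Transfer Service job creations whose source is Amazon S3, and flags those created in projects the caller lists as perimeter-protected. The exact `methodName` strings and request field names (`transferJob.transferSpec.awsS3DataSource`, `transferConfig.dataSourceId == "amazon_s3"`) are assumptions modelled on the public APIs and should be confirmed against real log entries before use.

```python
"""Flag S3-sourced transfer job creations inside VPC-SC protected projects.

Added example (not from the issue tracker page). The audit log shape,
method names and request field names below are assumptions based on the
public Storage Transfer Service and BigQuery Data Transfer Service APIs.
"""
import json

# Method names assumed for job/config creation audit entries.
WATCHED_METHODS = {
    "google.storagetransfer.v1.StorageTransferService.CreateTransferJob": "sts",
    "google.cloud.bigquery.datatransfer.v1.DataTransferService.CreateTransferConfig": "bqdts",
}


def external_source(entry):
    """Return 'aws_s3:<location>' if the entry creates an S3-sourced transfer, else None."""
    proto = entry.get("protoPayload", {})
    kind = WATCHED_METHODS.get(proto.get("methodName"))
    if kind is None:
        return None
    req = proto.get("request", {})
    if kind == "sts":
        # Assumed STS request layout: transferJob.transferSpec.awsS3DataSource
        spec = req.get("transferJob", {}).get("transferSpec", {})
        s3 = spec.get("awsS3DataSource")
        if s3:
            return "aws_s3:" + s3.get("bucketName", "?")
    elif kind == "bqdts":
        # Assumed BigQuery DTS layout: transferConfig.dataSourceId == "amazon_s3"
        cfg = req.get("transferConfig", {})
        if cfg.get("dataSourceId") == "amazon_s3":
            return "aws_s3:" + cfg.get("params", {}).get("data_path", "?")
    return None


def flag_entries(log_lines, perimeter_projects):
    """Parse JSON audit log lines; return findings for S3 pulls into protected projects.

    perimeter_projects: set of project IDs that sit inside a VPC-SC perimeter.
    Projects outside the perimeter are ignored since the transfer is not a
    perimeter bypass there.
    """
    findings = []
    for line in log_lines:
        entry = json.loads(line)
        project = entry.get("resource", {}).get("labels", {}).get("project_id")
        if project not in perimeter_projects:
            continue
        source = external_source(entry)
        if source is None:
            continue
        proto = entry["protoPayload"]
        findings.append({
            "project": project,
            "principal": proto.get("authenticationInfo", {}).get("principalEmail"),
            "method": proto["methodName"],
            "source": source,
        })
    return findings


# Constructed sample entries (not real logs): one STS job and one BQ DTS
# config pulling from S3 into a protected project, one STS job in an
# unprotected project, and one GCS-to-GCS job that should not be flagged.
SAMPLE_LOG_LINES = [
    json.dumps({
        "resource": {"labels": {"project_id": "prot-project"}},
        "protoPayload": {
            "methodName": "google.storagetransfer.v1.StorageTransferService.CreateTransferJob",
            "authenticationInfo": {"principalEmail": "alice@example.com"},
            "request": {"transferJob": {"transferSpec": {
                "awsS3DataSource": {"bucketName": "external-bucket"},
                "gcsDataSink": {"bucketName": "internal-bucket"}}}},
        },
    }),
    json.dumps({
        "resource": {"labels": {"project_id": "prot-project"}},
        "protoPayload": {
            "methodName": "google.cloud.bigquery.datatransfer.v1.DataTransferService.CreateTransferConfig",
            "authenticationInfo": {"principalEmail": "bob@example.com"},
            "request": {"transferConfig": {"dataSourceId": "amazon_s3",
                                           "params": {"data_path": "s3://external-bucket/data/*"}}},
        },
    }),
    json.dumps({
        "resource": {"labels": {"project_id": "open-project"}},
        "protoPayload": {
            "methodName": "google.storagetransfer.v1.StorageTransferService.CreateTransferJob",
            "authenticationInfo": {"principalEmail": "carol@example.com"},
            "request": {"transferJob": {"transferSpec": {
                "awsS3DataSource": {"bucketName": "other-bucket"}}}},
        },
    }),
    json.dumps({
        "resource": {"labels": {"project_id": "prot-project"}},
        "protoPayload": {
            "methodName": "google.storagetransfer.v1.StorageTransferService.CreateTransferJob",
            "authenticationInfo": {"principalEmail": "dave@example.com"},
            "request": {"transferJob": {"transferSpec": {
                "gcsDataSource": {"bucketName": "src"}, "gcsDataSink": {"bucketName": "dst"}}}},
        },
    }),
]

PERIMETER_PROJECTS = {"prot-project"}

if __name__ == "__main__":
    for finding in flag_entries(SAMPLE_LOG_LINES, PERIMETER_PROJECTS):
        print(finding)
```

In practice the log lines would come from a Cloud Logging sink filtered on the two service names; the perimeter project set can be taken from the perimeter's resource list. Because the reported behaviour means neither ingress nor egress rules record a denial, this creation-time signal is the earliest point at which an S3 pull into the perimeter becomes visible.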