VPC Service Controls
VPC Service Controls improves your ability to mitigate the risk of unauthorized copying or transfer of data from your Google-managed services and resources.
With VPC Service Controls, you can configure security perimeters and control the movement of data across the perimeter boundary.
Binary Authorization stores data, including the policy, attestors, and attestations. By adding Binary Authorization to the security perimeter, VPC Service Controls can protect these resources and services.
Additionally, Binary Authorization supports separation of duties by using separate Google Cloud projects for deployments, attestors and attestations. If you use Binary Authorization in this way, include each of these projects in your VPC Service Controls perimeter. See Multi-project setup for an end-to-end tutorial that describes how to use multiple projects to establish separation of duties.
With Binary Authorization, you may use Container Analysis to store attestors and attestations as notes and occurrences, respectively. In this case, you must also include Container Analysis in the VPC Service Controls perimeter. See VPC Service Controls guidance for Container Analysis for additional details.
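The following added example (not part of the original documentation) audits a perimeter definition against the requirements above: both services restricted and every Binary Authorization project inside the perimeter. It assumes the perimeter was exported as JSON in the ServicePerimeter shape (for example with `gcloud access-context-manager perimeters describe --format=json`); the function name, project numbers and sample perimeter are constructed for illustration.

```python
import json

# Service names for the two APIs this page says belong inside the perimeter.
BINAUTHZ = "binaryauthorization.googleapis.com"
CONTAINER_ANALYSIS = "containeranalysis.googleapis.com"


def audit_perimeter(perimeter, projects, uses_container_analysis=True):
    """Return a list of findings; an empty list means the perimeter covers
    Binary Authorization as described above (hypothetical helper).

    perimeter: dict parsed from ServicePerimeter JSON (enforced "status" config).
    projects:  {role: "projects/<number>"} for each project in the setup.
    """
    status = perimeter.get("status", {})
    restricted = set(status.get("restrictedServices", []))
    resources = set(status.get("resources", []))
    findings = []

    required = [BINAUTHZ]
    if uses_container_analysis:  # attestors/attestations stored as notes/occurrences
        required.append(CONTAINER_ANALYSIS)
    for service in required:
        if service not in restricted:
            findings.append(f"service not restricted: {service}")

    for role, project in sorted(projects.items()):
        if project not in resources:
            findings.append(f"{role} project outside perimeter: {project}")
    return findings


# Constructed sample: Container Analysis and the attestation project are missing.
SAMPLE_PERIMETER = json.loads("""
{
  "name": "accessPolicies/000000000000/servicePerimeters/example_perimeter",
  "status": {
    "resources": ["projects/111111111111", "projects/222222222222"],
    "restrictedServices": ["binaryauthorization.googleapis.com"]
  }
}
""")
SAMPLE_PROJECTS = {
    "deployer": "projects/111111111111",
    "attestor": "projects/222222222222",
    "attestation": "projects/333333333333",
}

if __name__ == "__main__":
    for finding in audit_perimeter(SAMPLE_PERIMETER, SAMPLE_PROJECTS):
        print(finding)
```

Perimeter resources are listed by project number, not project ID, so map each project to its number before running the check.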
To learn more about VPC Service Controls, see the VPC Service Controls overview.
To learn about the limitations in using Binary Authorization with VPC Service Controls, see Supported products and limitations.