GCP Professional Cloud Security Engineer Practice Question
Your company manages more than 60 projects inside a single Google Cloud organization. A new security mandate states that any egress packet destined for an IP address that appears in Google Cloud Threat Intelligence feeds must be blocked across every VPC network. Project administrators must not be able to alter or remove this control, but the central security team needs a simple way to grant one-off exceptions for individual projects that legitimately require access to a specific blocked IP address. Using Cloud Next Generation Firewall, what is the most scalable way to meet these requirements?
Deploy Secure Web Proxy in each VPC, block outbound access to the malicious IP list, and allow project owners to disable the proxy on subnets that require exceptions.
Configure identical egress deny rules that reference Threat Intelligence lists in every project's VPC firewall and ask project owners to request changes when they need exceptions.
Create a hierarchical firewall policy at the organization level managed by the security team. Add a deny-egress rule that uses Threat Intelligence IP lists at a lower priority (a higher priority number), and insert higher-priority (numerically lower) allow rules scoped to specific project service accounts whenever an exception is approved.
Attach a Cloud Armor security policy with Threat Intelligence rules to each project's external HTTP(S) load balancer and let teams override the policy locally when necessary.
Cloud NGFW supports organization-wide hierarchical firewall policies that are evaluated before any project-level VPC firewall rules. By attaching a hierarchical firewall policy at the organization node, the security team can enforce a default egress deny rule that references the built-in Threat Intelligence lists; project owners cannot modify or remove this policy because only principals with the Firewall Policy Admin role at the organization level can change it. When an approved business case requires access to a specific IP that appears on the list, the security team can add a higher-priority (numerically lower) allow rule to the same policy and scope it to the service accounts or network tags used by that project, creating an exception without changing project-level rules. Solutions that rely on per-project VPC firewall rules, Cloud Armor, or Secure Web Proxy either allow project owners to bypass the control or do not cover all outbound traffic, so they do not satisfy both the enforcement and scalability requirements.
Exam domain: Securing communications and establishing boundary protection