GCP Professional Cloud Security Engineer Practice Question
Your financial-services firm has 100+ Google Cloud projects under a single organization. To meet new PCI DSS rules, security requires that: 1) any new Compute Engine VM must launch without an external (public) IP, and 2) no new service-account keys may be created. Enforcement must be automatic for all current and future projects, yet the central security team must be able to grant a short exception to a specific project when necessary. As the security engineer, which approach best meets these goals while minimizing effort?
Move every project into a Shared VPC where internet egress is disabled and strip the serviceAccount.keys.create permission from all IAM roles at the organization level; re-grant the permission in projects that need an exception.
Define organization policies at the organization root that enforce the constraints "compute.vmExternalIpAccess" (deny all) and "iam.disableServiceAccountKeyCreation". Use policy inheritance so the security team can override either constraint at a specific project or folder when an approved exception is needed.
Deploy a centralized Cloud Function triggered by Cloud Audit Logs that deletes any VM with an external IP or any newly created service account key; modify the function's allowlist in Firestore whenever an exception is required.
Create a VPC Service Controls perimeter that blocks egress to 0.0.0.0/0 for every project and add a custom constraint that prevents assigning the iam.serviceAccountKeyAdmin role; temporarily remove the project from the perimeter and role restriction to grant an exception.
Organization Policy constraints are preventive controls that apply automatically to every project created under the part of the resource hierarchy where they are set. By setting the constraint "compute.vmExternalIpAccess" to deny all external IP creation and enabling the boolean constraint "iam.disableServiceAccountKeyCreation" at the organization root, the company prevents both public IP assignment to new VMs and creation of new service-account keys across every current and future project. Because Organization Policies are inheritable but can be overridden lower in the hierarchy, the security team can create a less-restrictive policy on a specific folder or project (for example, by clearing the deny list or turning off enforcement) to grant a temporary, auditable exception and then re-enable the stricter policy when no longer needed. The other approaches rely on reactive remediation, fail to block external IPs, or cannot comprehensively prevent key creation, so they do not meet the preventive and low-overhead requirements.
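As an added illustration (not from the original page or from Google's own documentation), the two organization-root policies described above together with a project-level exception, written in the YAML format accepted by `gcloud org-policies set-policy`. ORG_ID, PROJECT_ID, the zone and the instance name are placeholders.

```yaml
# Added example, not from the original page. ORG_ID, PROJECT_ID, us-central1-a
# and bastion-1 are placeholders. Save each document below as its own file and
# apply it with:
#   gcloud org-policies set-policy FILE.yaml
# Verify what a project actually inherits with:
#   gcloud org-policies describe compute.vmExternalIpAccess --project=PROJECT_ID --effective

# 1) Organization root: no VM may be created with an external IP.
name: organizations/ORG_ID/policies/compute.vmExternalIpAccess
spec:
  rules:
  - denyAll: true
---
# 2) Organization root: block creation of user-managed service-account keys.
name: organizations/ORG_ID/policies/iam.disableServiceAccountKeyCreation
spec:
  rules:
  - enforce: true
---
# 3) Approved exception, set on one project only. inheritFromParent: false
#    replaces the inherited deny-all rule instead of merging with it, and the
#    allowlist names the single instance permitted to carry an external IP.
#    Delete this policy when the exception expires so the root rule applies again:
#      gcloud org-policies delete compute.vmExternalIpAccess --project=PROJECT_ID
name: projects/PROJECT_ID/policies/compute.vmExternalIpAccess
spec:
  inheritFromParent: false
  rules:
  - values:
      allowedValues:
      - projects/PROJECT_ID/zones/us-central1-a/instances/bastion-1
---
# 4) Exception for key creation: a boolean constraint is not merged, so the
#    policy closest to the resource wins; enforce: false lifts the root rule
#    for this project only. Delete it the same way when the exception ends.
name: projects/PROJECT_ID/policies/iam.disableServiceAccountKeyCreation
spec:
  rules:
  - enforce: false
```

Both exceptions are visible in Cloud Audit Logs as SetOrgPolicy events on the project, which is what makes the override auditable rather than silent.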
GCP Professional Cloud Security Engineer
Supporting compliance requirements