GCP Professional Cloud Security Engineer Practice Question
Your organization is migrating its card-holder data environment to Google Cloud. Security and compliance teams have issued the following mandatory controls for every project that will reside in the existing "prod" folder:
1. No new Compute Engine VMs may be created with an external (ephemeral or static) IPv4 address.
2. All Cloud SQL instances must be created without a public IP address.
3. Any new regional or multiregional resource must be located only in europe-west2, europe-west3, or europe-north1.

You need to implement these controls so they apply immediately to the current projects in the prod folder and automatically to any projects that will be created under that folder in the future. Other folders must remain unaffected. Which combination of Organization Policy constraints and settings meets all of the stated requirements?
Apply compute.vmExternalIpAccess with enforce: true, use the sql.disablePublicIp constraint, and allow only the EU multi-region in gcp.resourceLocations at the organization root.
Set compute.vmExternalIpAccess to allow all values, leave sql.restrictPublicIp disabled, and configure gcp.resourceLocations with a deny list that excludes us-* and asia-* regions on each individual project.
Enable the compute.requireOsLogin constraint, create an Assured Workloads EU environment for the prod folder, and apply the restrictXpnProjectLien constraint to all child projects.
On the prod folder, deny all values for the compute.vmExternalIpAccess list constraint, enforce the sql.restrictPublicIp boolean constraint, and configure gcp.resourceLocations with an allowed list limited to europe-west2, europe-west3, and europe-north1.
Attach three Organization Policy constraints to the prod folder:
For Compute Engine, apply the list constraint "constraints/compute.vmExternalIpAccess" with a policy rule that sets allValues: DENY (or a single deny value of "*") so that no VM can obtain an external IPv4 address, satisfying requirement 1.
Enable the boolean constraint "constraints/sql.restrictPublicIp" (set enforced: true) to block the creation of Cloud SQL instances with public IP addresses, meeting requirement 2.
Apply the list constraint "constraints/gcp.resourceLocations" with an allowed list that contains only europe-west2, europe-west3, and europe-north1, ensuring that new regional or multiregional resources are restricted to those three regions, meeting requirement 3.

Because the policies are set on the prod folder, they are inherited by all existing and future projects within that folder while leaving resources in other folders unaffected.
The other options fail because they either allow external or public IPs, use incorrect or non-existent constraints, or apply the policies at the organization root, which would impact unrelated environments.
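
The three folder-level policies from the explanation above, written as Organization Policy v2 YAML for `gcloud org-policies set-policy`. This is an added example, not part of the original question; the folder ID, project ID, function names and file names are placeholders. In the v2 format, `denyAll: true` is the equivalent of `allValues: DENY`.

```shell
#!/usr/bin/env bash
# Added example (not from the original page): the three prod-folder policies
# as Organization Policy v2 YAML. Folder and project IDs are placeholders.

write_prod_policies() {   # usage: write_prod_policies FOLDER_ID OUT_DIR
  folder_id="$1"; out_dir="$2"
  mkdir -p "$out_dir" || return 1
  # Requirement 1: list constraint that denies every value (v1 "allValues: DENY").
  cat > "$out_dir/vm-external-ip.yaml" <<EOF
name: folders/${folder_id}/policies/compute.vmExternalIpAccess
spec:
  rules:
  - denyAll: true
EOF
  # Requirement 2: boolean constraint, enforced.
  cat > "$out_dir/sql-public-ip.yaml" <<EOF
name: folders/${folder_id}/policies/sql.restrictPublicIp
spec:
  rules:
  - enforce: true
EOF
  # Requirement 3: allow-list of the three regions named in the question.
  # (Google also publishes value groups such as in:europe-west2-locations.)
  cat > "$out_dir/resource-locations.yaml" <<EOF
name: folders/${folder_id}/policies/gcp.resourceLocations
spec:
  rules:
  - values:
      allowedValues:
      - europe-west2
      - europe-west3
      - europe-north1
EOF
}

apply_prod_policies() {   # usage: apply_prod_policies OUT_DIR (needs gcloud and IAM rights)
  for f in "$1"/*.yaml; do
    gcloud org-policies set-policy "$f" || return 1
  done
}

show_effective_policies() {   # usage: show_effective_policies PROJECT_ID
  for c in compute.vmExternalIpAccess sql.restrictPublicIp gcp.resourceLocations; do
    gcloud org-policies describe "$c" --project="$1" --effective || return 1
  done
}
```

Running `show_effective_policies` against a project inside the prod folder and against one in another folder confirms that the policies are inherited only where intended.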
GCP Professional Cloud Security Engineer
Supporting compliance requirements