GCP Professional Cloud Security Engineer Practice Question
Your organization manages dozens of Google Cloud projects under a single organization node. Security has issued these directives:
No VM in any project may have an external IPv4 address, except the project called "legacy-project", which still requires one during migration.
IAM policies anywhere in the hierarchy must reference only principals from the company domain (corp.example) or the partner domain (partner.example).
Which configuration best satisfies both requirements while minimizing ongoing administrative overhead?
Enable VPC Service Controls around all projects to block external IP usage and configure Domain Restricted Sharing individually on every project.
Set the compute.vmExternalIpAccess constraint to deny all external IPs at the organization level and override it in legacy-project to allow external IPs; set the iam.allowedPolicyMemberDomains constraint at the organization level to allow only corp.example and partner.example.
Create an organization-wide egress firewall rule blocking 0.0.0.0/0 and use Access Context Manager service perimeters to limit IAM principals to corp.example and partner.example.
Apply compute.vmExternalIpAccess to allow external IPs only on legacy-project and set Domain Restricted Sharing on the finance folder; leave other projects with default settings.
Organization Policies let you define constraints that are inherited by all descendant folders, projects, and resources unless an explicit override is set lower in the hierarchy.
compute.vmExternalIpAccess can be set to deny all at the organization level so that, by default, no project may assign external IPs to its VMs. At the legacy-project level you then set a less-restrictive policy for that constraint (or clear the inherited policy) to permit external IPs only there.
iam.allowedPolicyMemberDomains is the constraint that enforces Domain Restricted Sharing for IAM. Setting it at the organization level with an allow-list of corp.example and partner.example ensures every folder and project can grant roles only to principals from those two domains, satisfying the second requirement without per-project configuration.
Firewall rules or VPC Service Controls do not prevent the attachment of external IPs, and configuring constraints only at individual projects or folders would increase administrative effort and risk omissions. Therefore, the combination of an organization-wide deny policy for compute.vmExternalIpAccess with a project-level exception, plus an organization-wide iam.allowedPolicyMemberDomains constraint, is the correct and most efficient solution.
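The inheritance and override behaviour described above, as an added example that is not part of the original page: a small Python model of how the two organization policies resolve for resources in a constructed hierarchy, with each policy expressed in the `name` + `spec` shape that `gcloud org-policies set-policy` accepts (JSON or YAML). The organization id, folder and project ids, and the two customer ids are placeholders. Note that iam.allowedPolicyMemberDomains is keyed on Google Workspace or Cloud Identity customer ids rather than on domain names, so a domain-to-customer-id map is assumed here. The evaluator is a simplified model of the real merge semantics: a level with inheritFromParent=false replaces the inherited rules, otherwise rules merge, and a deny wins over an allow.

```python
import json

# --- Constructed resource hierarchy (placeholder ids, not from the page) ---
ORG = "organizations/123456789012"
PARENT = {  # child resource -> parent resource
    "folders/111111111111": ORG,
    "projects/legacy-project": "folders/111111111111",
    "projects/app-prod": "folders/111111111111",
    "projects/finance-data": ORG,
}

# iam.allowedPolicyMemberDomains takes Workspace / Cloud Identity customer ids,
# not domain names. Both ids below are placeholders.
DOMAIN_TO_CUSTOMER_ID = {"corp.example": "C01aaaaaa", "partner.example": "C02bbbbbb"}

# Policy specs in the shape used by `gcloud org-policies set-policy`.
POLICIES = {
    (ORG, "compute.vmExternalIpAccess"): {
        "rules": [{"denyAll": True}],
    },
    ("projects/legacy-project", "compute.vmExternalIpAccess"): {
        "inheritFromParent": False,  # replace the org-level deny instead of merging with it
        "rules": [{"allowAll": True}],
    },
    (ORG, "iam.allowedPolicyMemberDomains"): {
        "rules": [{"values": {"allowedValues": list(DOMAIN_TO_CUSTOMER_ID.values())}}],
    },
}


def policy_document(resource, constraint):
    """Full document to write to a file for `gcloud org-policies set-policy <file>`."""
    return {"name": f"{resource}/policies/{constraint}", "spec": POLICIES[(resource, constraint)]}


def ancestry(resource):
    """Resource chain from the organization node down to `resource`."""
    chain = [resource]
    while chain[-1] in PARENT:
        chain.append(PARENT[chain[-1]])
    return list(reversed(chain))


def effective_rules(resource, constraint):
    """Simplified inheritance: walk top-down, merging each level's rules unless that
    level sets inheritFromParent=false, in which case its rules replace the inherited ones."""
    rules = []
    for node in ancestry(resource):
        spec = POLICIES.get((node, constraint))
        if spec is None:
            continue
        rules = rules + spec["rules"] if spec.get("inheritFromParent", True) else list(spec["rules"])
    return rules


def is_value_allowed(rules, value):
    """Evaluate a list constraint: no rules -> constraint default (allow); any matching
    deny wins; otherwise an allow-list permits only the values it names."""
    if not rules:
        return True
    denied = allowed = has_allow_rule = False
    for rule in rules:
        values = rule.get("values", {})
        if rule.get("denyAll") or (value is not None and value in values.get("deniedValues", [])):
            denied = True
        if rule.get("allowAll") or "allowedValues" in values:
            has_allow_rule = True
            if rule.get("allowAll") or value in values.get("allowedValues", []):
                allowed = True
    if denied:
        return False
    return allowed if has_allow_rule else True


def vm_may_have_external_ip(project, instance_name):
    # The constraint's values are instance resource paths; zone is a constructed placeholder.
    value = f"{project}/zones/us-central1-a/instances/{instance_name}"
    return is_value_allowed(effective_rules(project, "compute.vmExternalIpAccess"), value)


def member_may_be_granted(project, member):
    """Map a principal to its customer id; allUsers and unknown domains map to None,
    which an allow-list never matches."""
    customer_id = DOMAIN_TO_CUSTOMER_ID.get(member.rsplit("@", 1)[1]) if "@" in member else None
    return is_value_allowed(effective_rules(project, "iam.allowedPolicyMemberDomains"), customer_id)


if __name__ == "__main__":
    for resource, constraint in POLICIES:
        print(json.dumps(policy_document(resource, constraint), indent=2))
    print(vm_may_have_external_ip("projects/app-prod", "web-1"))            # False
    print(vm_may_have_external_ip("projects/legacy-project", "old-db"))     # True
    print(member_may_be_granted("projects/app-prod", "alice@corp.example"))  # True
    print(member_may_be_granted("projects/app-prod", "allUsers"))            # False
```

After applying the real policies, confirm what actually resolved for the exception project with `gcloud org-policies describe compute.vmExternalIpAccess --project=legacy-project --effective`; the effective view is what the Compute API enforces, and it is the quickest way to catch a folder-level policy that silently re-tightened the exception.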