GCP Professional Cloud Security Engineer Practice Question

Your security team must ensure that no Google Cloud project in the organization can attach an external IPv4 address to a new or existing Compute Engine VM instance, except for a designated "edge-dmz" project used by the networking team. Project owners must not be able to override this control, but the networking team must retain the ability to create VMs with external IPs inside the edge-dmz project. Which approach best meets these requirements while following the principle of least privilege and minimizing ongoing administration effort?

Place all projects except edge-dmz inside a VPC Service Controls perimeter to block any use of external IP addresses.
Set the Organization-level Organization Policy constraint "constraints/compute.vmExternalIpAccess" to DENY all projects except the edge-dmz project by listing it in the allowed values.
Create an IAM Deny policy at the Organization level that blocks the permissions compute.instances.setMetadata and compute.instances.update for all principals except those in the edge-dmz project.
Remove the Compute Engine Admin role from all projects except edge-dmz and rely on standard IAM inheritance to prevent external IP creation elsewhere.

Report Issue

Answer Description

The organization policy constraint "constraints/compute.vmExternalIpAccess" lets administrators explicitly define the set of projects or service accounts that are allowed to attach external IPv4 addresses to Compute Engine VM instances. By enforcing a deny policy for all projects at the Organization level and supplying an allowed list that includes only the edge-dmz project, every descendant project is prevented from creating external IPs unless it is named in that list. Because Organization Policy is inherited and cannot be overridden by lower-level administrators, project owners in other projects cannot bypass the rule. IAM roles alone cannot stop attachment of external IPs-they only govern who can attempt the operation, not whether it is permitted. An IAM Deny policy could block the required API calls, but it would have to be maintained in parallel with exceptions and does not provide the same built-in awareness of future APIs as the purpose-built compute.vmExternalIpAccess constraint. VPC Service Controls address data exfiltration risk, not IP assignment. Therefore, configuring the compute.vmExternalIpAccess Organization Policy with a project-level allow list is the most effective and least-maintenance solution.

Ask Bash

Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.