GCP Professional Cloud Security Engineer Practice Question

Your security team must guarantee that, across the entire organization, newly created Compute Engine VMs never receive a public IPv4 or IPv6 address, to satisfy a regulatory mandate that all workloads remain unreachable from the public Internet. A small bastion project operated by the networking team is the only exception: VMs whose service account email starts with bastion- must still be able to obtain an external IP so that administrators can SSH in. You manage the Google Cloud resource hierarchy shown below:

Organization node
- Folder prod
  - Project prod-app-1, prod-app-2
- Folder shared-infra
  - Project bastion-east, bastion-west

Which single action will enforce the requirement with the least operational overhead while allowing the required exception?

Remove the compute.instances.setMetadata permission from all IAM roles at the prod folder; grant it back only in bastion projects to stop other projects from adding external IPs.
Create an organization-wide compute.vmExternalIpAccess Organization Policy, set denyAll to true, and add allowedServiceAccounts: bastion-* so only service accounts whose name begins with bastion- can receive external IPs.
Deploy a Cloud Function triggered by Cloud Audit Logs for compute.instances.insert that automatically strips any external IP from instances unless their project ID starts with bastion-.
At the shared-infra folder level, create a VPC firewall rule that denies egress to 0.0.0.0/0 except from instances with the bastion-* network tag; inherit this rule down to all projects.

Report Issue

Answer Description

The compute.vmExternalIpAccess Organization Policy is specifically designed to control which VMs may have external (public) IP addresses. Configured as a list constraint, it blocks the assignment of external IPs to all VMs in the hierarchy level where it is set, unless the VM's service account (or network tag) is explicitly listed as an exception.

By setting this constraint once at the organization level with the policy value denyAll:true and adding the pattern bastion-* to the list of allowedServiceAccounts, every descendant project automatically inherits the block, eliminating the need to manage separate IAM roles, firewall rules, or per-project settings. Because the bastion VMs run under service accounts whose emails start with bastion-, they match the allow-list entry and can still acquire external IPs. Any VM in prod-app-1 or prod-app-2 that does not use a service account matching the pattern is denied an external IP, satisfying the compliance control.

Other options fail because:

Using VPC firewall rules or Hierarchical Firewall Policies cannot stop Google Cloud from assigning an external address; they can only filter traffic after assignment.
Removing the compute.instances.setMetadata permission or disabling default Internet gateways does not prevent IP allocation and would disrupt required internal metadata access.
A custom Cloud Function that revokes public IPs adds unnecessary complexity, may lag behind VM creation, and requires ongoing maintenance, violating the 'least operational overhead' criterion.

Ask Bash

Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.