Exam Professional Cloud Security Engineer topic 1 question 57 discussion

Actual exam question from Google's Professional Cloud Security Engineer
Question #: 57
Topic #: 1

Your team wants to make sure Compute Engine instances running in your production project do not have public IP addresses. The frontend application Compute
Engine instances will require public IPs. The product engineers have the Editor role to modify resources. Your team wants to enforce this requirement.
How should your team meet these requirements?

  • A. Enable Private Access on the VPC network in the production project.
  • B. Remove the Editor role and grant the Compute Admin IAM role to the engineers.
  • C. Set up an organization policy to only permit public IPs for the front-end Compute Engine instances.
  • D. Set up a VPC network with two subnets: one with public IPs and one without public IPs.
Suggested Answer: C

Comments

saurabh1805
Highly Voted 3 years, 6 months ago
C is the correct option here. Refer to the link below for more details. https://cloud.google.com/resource-manager/docs/organization-policy/org-policy-constraints#constraints-for-specific-services
upvoted 12 times
AzureDP900
1 year, 6 months ago
Yes, C is right
upvoted 2 times
FatCharlie
3 years, 5 months ago
More specifically, it's the "Restrict VM IP Forwarding" constraint under Compute Engine
upvoted 3 times
FatCharlie
3 years, 5 months ago
Sorry, no. It's the one under that :) "Define allowed external IPs for VM instances"
upvoted 2 times
[Removed]
Most Recent 9 months, 2 weeks ago
Selected Answer: C
"C" Only C addresses both concerns regarding public IP and the Editor role privileges. Applying constraints at the org level mitigates the editor privileges and provides the access restrictions desired. References: https://cloud.google.com/resource-manager/docs/organization-policy/org-policy-constraints#constraints-for-specific-services
upvoted 2 times
passex
1 year, 4 months ago
And how would you want to separate front-end VMs from the others using Org Policy Constraints? IMO option D makes more sense
upvoted 4 times
fad3r
1 year, 1 month ago
Initially I agreed with you, but after looking at the link above it does say this: "This list constraint defines the set of Compute Engine VM instances that are allowed to use external IP addresses. By default, all VM instances are allowed to use external IP addresses. The allowed/denied list of VM instances must be identified by the VM instance name, in the form: projects/PROJECT_ID/zones/ZONE/instances/INSTANCE" (constraints/compute.vmExternalIpAccess). So you can indeed choose which instances have public IPs. https://cloud.google.com/resource-manager/docs/organization-policy/org-policy-constraints#constraints-for-specific-services (Define allowed external IPs for VM instances)
upvoted 3 times
AwesomeGCP
1 year, 6 months ago
Selected Answer: C
C. Set up an organization policy to only permit public IPs for the front-end Compute Engine instances.
upvoted 4 times
fad3r
1 year, 1 month ago
Sorry meant to comment this on the above post
upvoted 1 times
fad3r
1 year, 1 month ago
Initially I agreed with you, but after looking at the link above it does say this: "This list constraint defines the set of Compute Engine VM instances that are allowed to use external IP addresses. By default, all VM instances are allowed to use external IP addresses. The allowed/denied list of VM instances must be identified by the VM instance name, in the form: projects/PROJECT_ID/zones/ZONE/instances/INSTANCE" (constraints/compute.vmExternalIpAccess). So you can indeed choose which instances have public IPs. https://cloud.google.com/resource-manager/docs/organization-policy/org-policy-constraints#constraints-for-specific-services (Define allowed external IPs for VM instances)
upvoted 2 times
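Added example, not part of the thread or of Google's documentation: a short Python sketch that builds the allow-list policy body for constraints/compute.vmExternalIpAccess in the instance-path form quoted above, and audits an inventory for VMs that have an external IP but are not on the list. The project, zone, instance names and inventory are constructed; the inventory mimics the shape of `gcloud compute instances list --format=json`.

```python
import json

CONSTRAINT = "constraints/compute.vmExternalIpAccess"  # named in the thread

# Constructed sample data (hypothetical project, zone and instance names).
_BASE = ("https://www.googleapis.com/compute/v1/projects/prod-example"
         "/zones/us-central1-a/instances/")

def _vm(name, nat_ip=None):
    """Build one inventory record; nat_ip=None means no external access config."""
    nic = {"networkIP": "10.0.0.5"}
    if nat_ip:
        nic["accessConfigs"] = [{"natIP": nat_ip}]
    return {"name": name, "selfLink": _BASE + name, "networkInterfaces": [nic]}

SAMPLE_INSTANCES = [
    _vm("frontend-1", "203.0.113.10"),
    _vm("frontend-2", "203.0.113.11"),
    _vm("batch-worker-1"),
    _vm("db-admin-1", "203.0.113.99"),  # external IP, not a front end
]
ALLOWED = {
    "projects/prod-example/zones/us-central1-a/instances/frontend-1",
    "projects/prod-example/zones/us-central1-a/instances/frontend-2",
}

def instance_path(inst):
    """selfLink -> projects/PROJECT_ID/zones/ZONE/instances/INSTANCE."""
    return "projects/" + inst["selfLink"].split("/projects/", 1)[1]

def build_policy(allowed):
    """Policy file body, e.g. for
    `gcloud resource-manager org-policies set-policy policy.json --project=PROJECT_ID`."""
    return {"constraint": CONSTRAINT,
            "listPolicy": {"allowedValues": sorted(allowed)}}

def has_external_ip(inst):
    """True if any network interface carries an external access config."""
    return any(nic.get("accessConfigs")
               for nic in inst.get("networkInterfaces", []))

def violations(instances, allowed):
    """Instances with an external IP that the allow-list does not cover."""
    return sorted(instance_path(i) for i in instances
                  if has_external_ip(i) and instance_path(i) not in allowed)

if __name__ == "__main__":
    print(json.dumps(build_policy(ALLOWED), indent=2))
    for path in violations(SAMPLE_INSTANCES, ALLOWED):
        print("external IP outside allow-list:", path)
```

Setting the policy requires an organization policy administrator role, which the Editor role does not include, so engineers with Editor cannot widen the allow-list themselves.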
bartlomiejwaw
1 year, 11 months ago
Not C - Editor role is not enough for setting up org policies
upvoted 2 times
DebasishLowes
3 years, 1 month ago
Ans : C
upvoted 3 times
[Removed]
3 years, 6 months ago
Ans - C
upvoted 4 times
HectorLeon2099
3 years, 6 months ago
I'll go with A
upvoted 2 times