Exam Professional Cloud Security Engineer topic 1 question 171 discussion

BD is the answer. https://cloud.google.com/resource-manager/docs/organization-policy/org-policy-constraints - constraints/compute.trustedImageProjects This list constraint defines the set of projects that can be used for image storage and disk instantiation for Compute Engine. If this constraint is active, only images from trusted projects will be allowed as the source for boot disks for new instances.

BD. To ensure all VMs in your organization use the specific hardened OS image while minimizing operational overhead, you should choose two options that achieve: 1. Centralized Image Management: The image should be stored in a single, secure location. 2. Restricted Image Access: VMs across the organization should only be able to access this specific image.

To make sure all VMs in your Google Cloud organization can only use that specific OS image while minimizing operational overhead, you can take the following steps: 1) Grant users the compute.imageUser role in the OS image project . This allows users to use the OS image in their projects without granting them additional permissions . 2) Set up an image access organization policy constraint, and list the security team managed project in the project’s allow list . This ensures that only authorized users can access the OS image . Therefore, options B and D are the correct answers.

BD are correct

Need to grant permission of project owned the image

Answer should be B and D review the example listed here to grant the IAM policy to a service account https://cloud.google.com/deployment-manager/docs/configuration/using-images-from-other-projects-for-vm-instances#granting_access_to_images

B. Grant users the compute.imageUser role in the OS image project. D. Set up an image access organization policy constraint, and list the security team managed project in the project's allow list.

the compute.imageUser is a Permission to list and read images without having other permissions on the image. Granting this role at the project level gives users the ability to list all images in the project and create resources, such as instances and persistent disks, based on images in the project. https://cloud.google.com/compute/docs/access/iam#compute.imageUser

I think it should be BD instead of AD. Users should have access to the project where the secured image is stored which is "Security Team's project". Users will obviously need permission to create VM in their own project but to use image from another project, they need "imageUser" permission on that project.