Selected Professional-Cloud-Security-Engineer Google Cloud Certified Questions Answers

The Google Cloud Resource Hierarchy is designed to allow inheritance with the ability to override policies at lower levels (Folders or Projects).2 This is the standard way to handle exceptions for specific business units without weakening the security posture of the entire organization.

According to Google Cloud Documentation (Understanding Hierarchy Evaluation):

"By default, organization policies are inherited by the descendants of the resource on which the policy is enforced. However, you can explicitly override a policy on a child resource (Folder or Project) by setting a new policy that either adds to or replaces the inherited values.3 This allows for granular control and exception handling."

Why this is the correct approach:

Isolation: By moving the workload to a specific folder, you isolate the exception.

Least Privilege: Only the resources within that folder gain the exception; the rest of the organization remains protected by the constraints/compute.vmExternalIpAccess constraint.

No "Bypass" Role: There is no standard IAM role that allows a user to "bypass" an Org Policy (Option A). Policies are enforced at the API level regardless of user roles.

Auditability: Having a specific folder with an override makes it easy for auditors to see exactly where and why an exception exists.

Cloud NAT Service: Use Cloud NAT (Network Address Translation) to allow VM instances without external IP addresses to access the internet securely.

Configuration: Configure Cloud NAT for the subnets containing your VM instances. This setup allows the VMs to initiate outbound connections to the internet for updates and other necessary communications.

Security Compliance: By using Cloud NAT, you adhere to the security policy of not assigning external IP addresses to VMs while still enabling necessary internet connectivity. Cloud NAT provides a secure method for outbound internet traffic without exposing VMs directly to the public internet. References:

Google Cloud - Cloud NAT Overview

Google Cloud - Configuring Cloud NAT

Cloud Identity-Aware Proxy (IAP) allows you to control access to your web applications running on Google Cloud. It ensures that only authenticated users who are part of a specified Google Group can access the application. Here’s how you can restrict access to in-progress sites using IAP:

Enable IAP: First, you need to enable Cloud IAP for your App Engine application. This will require configuring OAuth consent and setting up necessary permissions.

Create a Google Group: Create a Google Group that includes all the customers and company employees who should have access to the in-progress sites.

Configure Access: Configure IAP to allow access only to members of the created Google Group. This involves setting up the necessary IAP policies and ensuring that only authenticated users in the group can access the application.

By using IAP, you ensure that the access control is centrally managed and only authorized users can view the in-progress sites from any location.

References

Cloud Identity-Aware Proxy Documentation

Setting up IAP