Google Cloud Professional Cloud Security Engineer Practice Exam

What is the main method to limit the images used as sources for boot disks in a dedicated project?

• A. Use firewall rules to block image access
• B. Create a compute.trustedimageProjects constraint with deny operation
• C. Apply IAM roles to restrict image usage
• D. Establish a budget for image usage

The correct answer is: Create a compute.trustedimageProjects constraint with deny operation

The correct approach to limit the images used as sources for boot disks in a dedicated project is to create a compute.trustedimageProjects constraint with deny operation. This method specifically targets the permissions related to the images that can be accessed and used within the project. By implementing a compute.trustedimageProjects constraint, organizations can specify which images are considered trusted and can control access to images based on project policies. The deny operation is particularly effective, as it prevents any images not explicitly listed from being used for boot disks in the project. This aligns with best practices in cloud security, allowing for tighter governance and compliance by ensuring only approved images are utilized, thus minimizing risks associated with untrusted or potentially vulnerable images. Other approaches, while they may offer some level of control, do not specifically address the core requirement of restricting images. For instance, applying IAM roles might help manage access at a broader level but does not directly enforce image usage restrictions. Firewall rules are mainly concerned with network security and would not effectively limit which images can be used. Establishing a budget is more of a financial management strategy and does not provide any operational control over the specific images that can be utilized for boot disks.