Google Cloud Professional Cloud Security Engineer Practice Exam


Prepare for the Google Cloud Professional Cloud Security Engineer Exam with our interactive quiz. Study with flashcards and multiple-choice questions, complete with hints and explanations. Ace your exam with confidence!



What method should be used to enforce that Compute Engine instances in production do not have public IPs?

  1. Set instance-level firewall rules

  2. Apply a project-level IAM role

  3. Establish organization policy restricting instances

  4. Configure network routing settings

The correct answer is: Establish organization policy restricting instances

Enforcing that production Compute Engine instances never have public IPs is best done with an organization policy. The Organization Policy Service lets administrators define constraints at the organization, folder, or project level, and those constraints are inherited by every resource below. The relevant constraint here is `constraints/compute.vmExternalIpAccess`, a list constraint that controls which VM instances may have external (NAT) IP addresses: denying all values blocks external IPs on every instance in scope, while listing specific instance resource IDs (`projects/PROJECT_ID/zones/ZONE/instances/INSTANCE`) allows only those exceptions. The check is enforced by the Compute Engine API itself, so a VM cannot be created or modified with an external IP regardless of who is making the request or which project they are in. That centralizes the control and prevents accidental exposure of production workloads to the internet.

Two practical caveats: the constraint is not retroactive, so instances that already have an external IP keep it until it is removed, and VMs without external IPs still need a path for outbound traffic and administration, typically Cloud NAT for egress, Private Google Access for Google APIs, and IAP TCP forwarding or a bastion for SSH.

The other options do not achieve the goal. Instance-level (VPC) firewall rules control which traffic is allowed to and from an instance, but they do not prevent an external IP from being assigned in the first place. A project-level IAM role governs who can do what; it cannot express "no external IPs" as a property of the resources themselves. Network routing settings determine where traffic is forwarded, not whether an instance receives a public address. Organization policy is therefore the correct method for enforcing this requirement across all production instances.
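As an added example (not part of the practice exam page), the script below shows the two halves of this control in working code: an audit that finds existing VMs with external IPs in the JSON printed by `gcloud compute instances list --format=json`, and a builder for the policy body you would pass to `gcloud resource-manager org-policies set-policy`. The instance list is a constructed sample, and the project name `prod-app` and instance names are placeholders; the constraint name, the `listPolicy` JSON shape, and the exception value format are those documented for `constraints/compute.vmExternalIpAccess`.

```python
"""Audit Compute Engine instances for external IPs and build the org policy
that denies them.  Added example, not code from the practice exam page.

Input format: the JSON array that `gcloud compute instances list --format=json`
prints.  The sample below is constructed for the example."""
import json
from typing import Dict, List, Optional

CONSTRAINT = "constraints/compute.vmExternalIpAccess"

# Constructed sample: web-1 has a NAT (external) IP, db-1 is internal-only.
SAMPLE_INSTANCES_JSON = """
[
  {
    "name": "web-1",
    "zone": "https://www.googleapis.com/compute/v1/projects/prod-app/zones/us-central1-a",
    "networkInterfaces": [
      {"networkIP": "10.128.0.2",
       "accessConfigs": [{"type": "ONE_TO_ONE_NAT", "name": "External NAT",
                          "natIP": "203.0.113.10"}]}
    ]
  },
  {
    "name": "db-1",
    "zone": "https://www.googleapis.com/compute/v1/projects/prod-app/zones/us-central1-b",
    "networkInterfaces": [
      {"networkIP": "10.128.0.3"}
    ]
  }
]
"""


def instance_resource_id(inst: Dict) -> str:
    """Return the value form the constraint expects for an exception:
    projects/PROJECT/zones/ZONE/instances/NAME, derived from the zone URL."""
    parts = inst["zone"].split("/")
    project = parts[parts.index("projects") + 1]
    zone = parts[parts.index("zones") + 1]
    return f"projects/{project}/zones/{zone}/instances/{inst['name']}"


def external_ips(inst: Dict) -> List[str]:
    """Collect every NAT IP on any interface of the instance.
    An instance is publicly addressable iff this list is non-empty."""
    ips = []
    for nic in inst.get("networkInterfaces", []):
        for ac in nic.get("accessConfigs", []):
            if ac.get("natIP"):
                ips.append(ac["natIP"])
    return ips


def find_public_instances(instances_json: str) -> Dict[str, List[str]]:
    """Map instance resource ID -> external IPs, for instances that have any.
    These are the VMs the (non-retroactive) policy will not fix by itself."""
    result = {}
    for inst in json.loads(instances_json):
        ips = external_ips(inst)
        if ips:
            result[instance_resource_id(inst)] = ips
    return result


def deny_external_ip_policy(exceptions: Optional[List[str]] = None) -> Dict:
    """Build the body for
    `gcloud resource-manager org-policies set-policy POLICY.json --organization ORG_ID`
    (or --folder / --project).  With no exceptions, allValues=DENY blocks external
    IPs on every VM in scope; with exceptions, only the listed instance resource
    IDs may have one."""
    if exceptions:
        list_policy = {"allowedValues": list(exceptions)}
    else:
        list_policy = {"allValues": "DENY"}
    return {"constraint": CONSTRAINT, "listPolicy": list_policy}


if __name__ == "__main__":
    for rid, ips in find_public_instances(SAMPLE_INSTANCES_JSON).items():
        print(f"external IP on {rid}: {', '.join(ips)}")
    print(json.dumps(deny_external_ip_policy(), indent=2))
```

Run the audit first and remediate (or explicitly exempt) anything it reports, then apply the deny policy; applying the policy alone leaves already-exposed VMs untouched.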