Professional-Cloud-Security-Engineer Exam Dumps | You have the following resource hierarchy. There is an organization policy at each node in the hierarchy

<< Prev Question Next Question >>

Question 20/124

You have the following resource hierarchy. There is an organization policy at each node in the hierarchy as shown. Which load balancer types are denied in VPC A?

A. All load balancer types are denied in accordance with the global node's policy.

B. INTERNAL_TCP_UDP, INTERNAL_HTTP_HTTPS is denied in accordance with the folder's policy.

C. EXTERNAL_TCP_PROXY, EXTERNAL_SSL_PROXY are denied in accordance with the project's policy.

D. EXTERNAL_TCP_PROXY, EXTERNAL_SSL_PROXY, INTERNAL_TCP_UDP, and INTERNAL_HTTP_HTTPS are denied in accordance with the folder and project's policies.

Correct Answer: D

* Understanding Organization Policies:
* Organization policies are rules that can be set at different levels of the resource hierarchy in GCP to enforce governance and compliance.
* These policies can be set at the organization node, folders, and projects, and they are inherited down the hierarchy unless explicitly overridden.
* Hierarchy and Policy Inheritance:
* The provided resource hierarchy has an organization node (Example.com), folders (Folder 1 and Folder 2), and a project (Project 2) under Folder 2 with a specific VPC (VPC A).
* Each node in the hierarchy can have its own policies, and these policies are inherited by child nodes unless overridden.
* Analyzing the Policies in the Hierarchy:
* Organization Node Policy:
json
Copy code
{ "constraint": "constraints/compute.restrictLoadBalancerCreationForTypes", "listPolicy": { "allValues":
"DENY" } }
* This policy at the organization node denies all load balancer types.
* Folder 2 Policy:
json
Copy code
{ "constraint": "constraints/compute.restrictLoadBalancerCreationForTypes", "listPolicy": { "deniedValues":
["INTERNAL_TCP_UDP", "INTERNAL_HTTP_HTTPS"] } }
* This policy at Folder 2 denies the creation of INTERNAL_TCP_UDP and
INTERNAL_HTTP_HTTPS load balancers.
* Project 2 Policy:
json
Copy code
{ "constraint": "constraints/compute.restrictLoadBalancerCreationForTypes", "listPolicy": { "deniedValues":
["EXTERNAL_TCP_PROXY", "EXTERNAL_SSL_PROXY"] } }
* This policy at Project 2 denies the creation of EXTERNAL_TCP_PROXY and EXTERNAL_SSL_PROXY load balancers.
* Policy Application to VPC A:
* Since policies are inherited, VPC A (which is within Project 2 under Folder 2) will be affected by the policies of both Folder 2 and Project 2.
* Combining the denied values from both Folder 2 and Project 2:
* From Folder 2: INTERNAL_TCP_UDP, INTERNAL_HTTP_HTTPS
* From Project 2: EXTERNAL_TCP_PROXY, EXTERNAL_SSL_PROXY
* Conclusion:
* VPC A will have the following load balancer types denied: INTERNAL_TCP_UDP, INTERNAL_HTTP_HTTPS, EXTERNAL_TCP_PROXY, EXTERNAL_SSL_PROXY.
References:
* GCP Documentation on Organization Policies
* GCP Documentation on Constraints and List Policies

Question 20/124

LEAVE A REPLY

Download PDF File