Google Cloud Professional Cloud Security Engineer — Question 121
Your Google Cloud organization distributes administrative capabilities to each team by provisioning a Google Cloud project in which the team holds the Owner role (roles/owner). The organization contains thousands of Google Cloud projects. Security Command Center Premium has surfaced multiple OPEN_MYSQL_PORT findings. You are enforcing the guardrails and need to prevent these types of common misconfigurations.
What should you do?
Answer options
- A. Create a hierarchical firewall policy configured at the organization to deny all connections from 0.0.0.0/0.
- B. Create a hierarchical firewall policy configured at the organization to allow connections only from internal IP ranges.
- C. Create a Google Cloud Armor security policy to deny traffic from 0.0.0.0/0.
- D. Create a firewall rule for each virtual private cloud (VPC) to deny traffic from 0.0.0.0/0 with priority 0.
Correct answer: B
Explanation
The correct answer is B because a hierarchical firewall policy attached at the organization node is inherited by every folder and project beneath it, so allowing connections only from internal IP ranges restricts access to trusted sources across all thousands of projects at once, and project Owners cannot override it with their own VPC firewall rules. Option A blocks all connections, which could disrupt necessary communications. Option C relies on Google Cloud Armor, which protects backends behind external HTTP(S) load balancers and is therefore less suitable for managing VPC-level traffic such as direct connections to a MySQL port. Option D would require creating and maintaining a rule in every individual VPC, and a project Owner could still modify or delete it, making it less efficient and less enforceable than a hierarchical policy.
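The organization-level policy that answer B describes, written here as an added Terraform example (not part of the original question); the organization ID, policy and association names, and the choice of RFC 1918 ranges as "internal" are placeholders and assumptions:

```hcl
# Hierarchical firewall policy for the MySQL guardrail (assumed values throughout).
resource "google_compute_firewall_policy" "mysql_guardrail" {
  parent      = "organizations/ORG_ID_PLACEHOLDER"
  short_name  = "mysql-guardrail"
  description = "Restrict TCP/3306 to internal source ranges org-wide"
}

# Allow MySQL only from internal (RFC 1918) ranges; lower number = evaluated first.
resource "google_compute_firewall_policy_rule" "allow_internal_mysql" {
  firewall_policy = google_compute_firewall_policy.mysql_guardrail.id
  priority        = 1000
  action          = "allow"
  direction       = "INGRESS"
  enable_logging  = true
  match {
    src_ip_ranges = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]
    layer4_configs {
      ip_protocol = "tcp"
      ports       = ["3306"]
    }
  }
}

# Deny MySQL from every other source; logged so SCC/Cloud Logging can show hits.
resource "google_compute_firewall_policy_rule" "deny_external_mysql" {
  firewall_policy = google_compute_firewall_policy.mysql_guardrail.id
  priority        = 2000
  action          = "deny"
  direction       = "INGRESS"
  enable_logging  = true
  match {
    src_ip_ranges = ["0.0.0.0/0"]
    layer4_configs {
      ip_protocol = "tcp"
      ports       = ["3306"]
    }
  }
}

# Attach the policy at the organization so every project inherits it.
resource "google_compute_firewall_policy_association" "org_assoc" {
  name              = "mysql-guardrail-org"
  attachment_target = "organizations/ORG_ID_PLACEHOLDER"
  firewall_policy   = google_compute_firewall_policy.mysql_guardrail.id
}
```

Traffic on other ports falls through to the default goto_next behaviour, so project-level VPC rules keep working for everything except externally sourced MySQL connections.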