Google Cloud Professional Cloud Security Engineer — Question 142
You define central security controls in your Google Cloud environment. For one of the folders in your organization, you set an organizational policy to deny the assignment of external IP addresses to VMs. Two days later, you receive an alert about a new VM with an external IP address under that folder.
What could have caused this alert?
Answer options
- A. The VM was created with a static external IP address that was reserved in the project before the organizational policy rule was set.
- B. The organizational policy constraint wasn't properly enforced and is running in "dry run" mode.
- C. At the project level, the organizational policy control has been overwritten with an "allow" value.
- D. The policy constraint on the folder level does not have any effect because of an "allow" value for that constraint on the organizational level.
Correct answer: C
Explanation
The correct answer is C because a project-level policy set to "allow" can override the folder-level restriction, permitting the creation of VMs with external IP addresses. Option A is incorrect because the policy would apply to new resources, not previously reserved IPs. Option B is not valid because the policy must be actively enforced, and option D suggests an organization-level setting that doesn't apply here, since the project level takes precedence.