Google Cloud Professional Cloud Security Engineer — Question 303
You are creating a new infrastructure CI/CD pipeline to deploy hundreds of ephemeral projects in your Google Cloud organization to enable your users to interact with Google Cloud. You want to restrict the use of the default networks in your organization while following Google-recommended best practices. What should you do?
Answer options
- A. Enable the constraints/compute.skipDefaultNetworkCreation organization policy constraint at the organization level.
- B. Create a cron job to trigger a daily Cloud Function to automatically delete all default networks for each project.
- C. Grant your users the IAM Owner role at the organization level. Create a VPC Service Controls perimeter around the project that restricts the compute.googleapis.com API.
- D. Only allow your users to use your CI/CD pipeline with a predefined set of infrastructure templates they can deploy to skip the creation of the default networks.
Correct answer: A
Explanation
The correct answer is A because enabling the constraints/compute.skipDefaultNetworkCreation organization policy constraint at the organization level prevents the automatic creation of default networks, which aligns with Google’s best practices. Option B is not suitable because its daily scheduled job only deletes default networks after they have been created. Option C grants excessive permissions (the IAM Owner role at the organization level) that could lead to security risks. Option D restricts how users deploy but does not address the underlying issue of default network creation.