Google Cloud Professional Cloud Security Engineer — Question 329

You work for a global company. Due to compliance requirements, certain Compute Engine instances that reside within specific projects must be located exclusively in cloud regions within the European Union (EU). You need to ensure that existing non-compliant workloads are remediated and prevent future Compute Engine instances from being launched in restricted regions. What should you do?

Answer options

• A. Use a third-party configuration management tool to monitor the location of Compute Engine instances. Automatically delete or migrate non-compliant instances, including existing deployments.
• B. Deploy a Security Command Center source to detect Compute Engine instances created outside the EU. Use a custom remediation function to automatically relocate the instances, run the function once a day.
• C. Use organization policy constraints in Resource Manager to enforce allowed regions for Compute Engine instance creation within specific projects.
• D. Set an organization policy that denies the creation of Compute Engine instances outside the EU. Apply the policy to the appropriate projects. Identify existing non-compliant instances and migrate the instances to compliant EU regions.

Correct answer: D

Explanation

The correct answer is D because it directly addresses the need to prevent the creation of non-compliant instances by enforcing a policy that blocks such actions. While A, B, and C suggest monitoring or relocating instances, they do not provide a proactive enforcement mechanism like the organization policy does, nor do they address the migration of existing instances as effectively.