PROFESSIONAL-CLOUD-SECURITY-ENGINEER Question #187: Real Exam Question with Answer & Explanation
The correct answer is A: All load balancer types are denied in accordance with the global node's policy.
Question
You have the following resource hierarchy. There is an organization policy at each node in the hierarchy as shown. Which load balancer types are denied in VPCA?
Options
- A. All load balancer types are denied in accordance with the global node's policy.
- B. INTERNAL_TCP_UDP, INTERNAL_HTTP_HTTPS is denied in accordance with the folder's
- C. EXTERNAL_TCP_PROXY, EXTERNAL_SSL_PROXY are denied in accordance with the
- D. EXTERNAL_TCP_PROXY, EXTERNAL_SSL_PROXY, INTERNAL_TCP_UDP, and
Explanation
The correct answer is A: all load balancer types are denied in accordance with the global (organization) node's policy. In Google Cloud's resource hierarchy, organization policies follow an inheritance model. A 'deny' constraint set at the organization (global) node propagates down through all folders and projects unless explicitly overridden with a merge or replace strategy. Since the question states organization policies exist at each node, and the answer references the global node's policy as the controlling one for VPCA, this indicates the organization-level policy denies all load balancer types. Child node policies that are less restrictive do not override a parent's deny unless the constraint's inheritance rules explicitly allow it. Without the image showing specific per-node policies, the governing principle is that the most restrictive inherited constraint from the root applies.