

PROFESSIONAL-CLOUD-SECURITY-ENGINEER Question #222: Real Exam Question with Answer & Explanation

The correct answer is B.

Submitted by khalil_dz · Apr 18, 2026 · Configuring network security

Question

Your Google Cloud organization allows for administrative capabilities to be distributed to each team through provision of a Google Cloud project with Owner role (roles/owner). The organization contains thousands of Google Cloud projects. Security Command Center Premium has surfaced multiple OPEN_MYSQL_PORT findings. You are enforcing the guardrails and need to prevent these types of common misconfigurations. What should you do?

Options

  • A. Create a hierarchical firewall policy configured at the organization to deny all connections from
  • B. Create a hierarchical firewall policy configured at the organization to allow connections only from
  • C. Create a Google Cloud Armor security policy to deny traffic from 0.0.0.0/0.
  • D. Create a firewall rule for each virtual private cloud (VPC) to deny traffic from 0.0.0.0/0 with priority

Explanation

Hierarchical firewall policies are configured at the organization or folder level and are evaluated before project-level VPC firewall rules, so they take precedence over them; even project Owners cannot override them. Option B creates a hierarchical policy that allows MySQL connections only from authorized sources (e.g., internal IP ranges), effectively blocking public exposure of port 3306 across the organization's thousands of projects without requiring per-project action. Option A (deny all MySQL connections) would block legitimate internal database access. Option C (Cloud Armor) only protects HTTP/HTTPS load balancer backends; it cannot block VPC-level MySQL port exposure. Option D (per-VPC firewall rules) is ineffective because project Owners with roles/owner can modify or delete project-level firewall rules.
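The precedence argument above is easier to see with a small model of the evaluation order. The following is an added example, not code from the exam page or from Google: it models ingress evaluation as organization policy, then folder policy, then project VPC rules, where each level is scanned in priority order and a matching allow or deny ends evaluation while no match (or an explicit goto_next) falls through to the next level. The CIDR ranges, ports and rule sets are constructed for illustration. It also shows the caveat that matters when writing option B's policy: an organization-level allow on its own does not restrict anything, because non-matching traffic falls through to the project's VPC rules. The allow-list only becomes a guardrail when a lower-priority deny for the same port sits beneath it.

```python
import ipaddress
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple

# Simplified model of a firewall rule (hierarchical policy rule or VPC rule).
# Assumption: ingress only, TCP only; tcp_ports=None means "any TCP port".
@dataclass(frozen=True)
class Rule:
    priority: int                      # lower number = evaluated first
    action: str                        # "allow", "deny" or "goto_next"
    src_ranges: Tuple[str, ...]        # CIDR strings
    tcp_ports: Optional[FrozenSet[int]] = None

    def matches(self, src_ip: str, port: int) -> bool:
        ip = ipaddress.ip_address(src_ip)
        in_range = any(ip in ipaddress.ip_network(r) for r in self.src_ranges)
        port_ok = self.tcp_ports is None or port in self.tcp_ports
        return in_range and port_ok


def evaluate_policy(rules: List[Rule], src_ip: str, port: int) -> str:
    """Return the action of the first matching rule at one level.

    Reaching the end of a policy without a match behaves like goto_next,
    i.e. the decision is delegated to the next level down.
    """
    for rule in sorted(rules, key=lambda r: r.priority):
        if rule.matches(src_ip, port):
            return rule.action
    return "goto_next"


def decide(org_rules: List[Rule], folder_rules: List[Rule],
           vpc_rules: List[Rule], src_ip: str, port: int) -> Tuple[str, str]:
    """Walk org -> folder -> VPC; the first allow/deny wins.

    Returns (verdict, level) so a reader can see which level decided.
    If nothing matches anywhere, the implied VPC ingress rule denies.
    """
    levels = (("org", org_rules), ("folder", folder_rules), ("vpc", vpc_rules))
    for level, rules in levels:
        verdict = evaluate_policy(rules, src_ip, port)
        if verdict in ("allow", "deny"):
            return verdict, level
    return "deny", "implied"


# Constructed organization-level guardrail in the spirit of option B:
# allow MySQL only from the internal range, then deny MySQL from anywhere else.
ORG_MYSQL_GUARDRAIL = [
    Rule(100, "allow", ("10.0.0.0/8",), frozenset({3306})),
    Rule(200, "deny", ("0.0.0.0/0",), frozenset({3306})),
]

# Constructed project-level rules a project Owner might create: the first one
# is exactly the misconfiguration behind an OPEN_MYSQL_PORT finding.
VPC_OWNER_RULES = [
    Rule(1000, "allow", ("0.0.0.0/0",), frozenset({3306})),
    Rule(1000, "allow", ("0.0.0.0/0",), frozenset({443})),
]


def check_with_guardrail(src_ip: str, port: int) -> Tuple[str, str]:
    """Evaluate a connection with the org guardrail in place."""
    return decide(ORG_MYSQL_GUARDRAIL, [], VPC_OWNER_RULES, src_ip, port)


def check_without_guardrail(src_ip: str, port: int) -> Tuple[str, str]:
    """Evaluate the same connection with no hierarchical policy at all."""
    return decide([], [], VPC_OWNER_RULES, src_ip, port)


def check_allow_only(src_ip: str, port: int) -> Tuple[str, str]:
    """Org policy that only has the allow rule, without the trailing deny."""
    return decide(ORG_MYSQL_GUARDRAIL[:1], [], VPC_OWNER_RULES, src_ip, port)


if __name__ == "__main__":
    public, internal = "203.0.113.7", "10.20.30.40"
    print("guardrail, public -> 3306 :", check_with_guardrail(public, 3306))
    print("guardrail, internal -> 3306:", check_with_guardrail(internal, 3306))
    print("guardrail, public -> 443  :", check_with_guardrail(public, 443))
    print("no guardrail, public -> 3306:", check_without_guardrail(public, 3306))
    print("allow-only, public -> 3306  :", check_allow_only(public, 3306))
```

The public-to-3306 case is denied at the org level regardless of the Owner's permissive VPC rule, the internal case is allowed at the org level, and port 443 falls through to the VPC rules, which is why the guardrail does not interfere with unrelated traffic. The allow-only variant shows why option B's policy needs its companion deny: without it, the Owner's rule still opens the port. In a real deployment the policy is built with the gcloud compute firewall-policies command family and associated with the organization; that step is outside this offline model.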

Topics

#HierarchicalFirewallPolicy #NetworkSecurity #DatabasePortSecurity #OrganizationalGuardrails

