Exam Professional Cloud Security Engineer topic 1 question 167 discussion

the good answer is A as indicated here : https://cloud.google.com/load-balancing/docs/org-policy-constraints#gcloud

Outcome: Both the folder-level and project-level denials will be enforced. This is because they apply to different types of traffic and don't conflict with each other. Essentially, the restrictions are combined. Key Concepts Inheritance: Policies are inherited down the hierarchy. A project inherits policies from its parent folder, and the folder inherits from the organization.   Overriding: A lower level policy can override a higher-level policy only if it is more restrictive. Constraints: Organization Policies use "constraints" to define restrictions. 1 In your case, the constraints are likely related to VPC firewall rules.

https://cloud.google.com/resource-manager/docs/organization-policy/org-policy-constraints the org constrain is nor a valid value

i asked Gemini here is the answer: In the scenario you described, the following load balancer types would be denied in a VPC defined within the project in the subfolder: external_tcp_proxy external_ssl_proxy Here's the breakdown of how Org policy constraints are enforced with inheritance: Organization Level Constraint: This denies all load balancers. Subfolder Constraint: This overrides the organization-level constraint and only denies internal_tcp_udp and internal_http_https load balancers. Project Level Constraint: This further refines the allowed types within the subfolder by denying external_tcp_proxy and external_ssl_proxy load balancers.

Policies are inherited, so folder and project must be merged. Keep in mind, deny policies are always applied, and when conflicting with an allow policy the deny has higher prio and will overule the allow. So, merge all the deny policies and the result is D.

"inheritFromParent" param is by default set to "true" if not explicitly set

My option is A. If "inheritFromParent" is not explicitly set, the default behavior in GCP if for inheritance to prevail. Based on this assumption, the project inherits from the folder and the organization above, all constraints are merged at the project level.

Answer is C.. If the policy is set to merge with parent, the json output will show: "inheritFromParent": true If the policy is set to replace the parent policy, that line is missing, which is the same as the output in the diagram. Therefore, the parent policy is replaced with the child policies and only the project level conditions are in effect.

The issue we don't know what the value is of 'inheritFromParent'. Is it false of true? If true then A is correct.... if false then C is correct

The answer should be C Link: https://cloud.google.com/resource-manager/docs/organization-policy/understanding-hierarchy Inheritance A resource node that has an organization policy set by default supersedes any policy set by its parent nodes in the hierarchy. However, if a resource node has set inheritFromParent = true, then the effective Policy of the parent resource is inherited, merged, and reconciled to evaluate the resulting effective policy. Project 2 has an organisation policy set and there's no mention of any inheritance.

Project is not inheriting from parent policy, but customize its own

There are restrictions at folder level too.

NVM - the answer actually is A. The Org has it's own restrictions too!

The answer is D. We also need to consider the Load Balancer types that are restricted at the Folder level as well as the Project level.

It's A.