Exam Professional Cloud Security Engineer topic 1 question 144 discussion

D. https://cloud.google.com/resource-manager/docs/project-migration#import_export_folders E. https://cloud.google.com/resource-manager/docs/project-migration#vpcsc_security_perimeters

https://cloud.google.com/resource-manager/docs/project-migration#plan_policy When you migrate your project, it will no longer inherit the policies from its current place in the resource hierarchy, and will be subject to the effective policy evaluation at its destination. We recommend making sure that the effective policies at the project's destination match as much as possible the policies that the project had in its source location. https://cloud.google.com/resource-manager/docs/project-migration#import_export_folders Policy inheritance can cause unintended effects when you are migrating a project, both in the source and destination organization resources. You can mitigate this risk by creating specific folders to hold only projects for export and import, and ensuring that the same policies are inherited by the folders in both organization resources. You can also set permissions on these folders that will be inherited to the projects moved within them, helping to accelerate the project migration process.

C: Identity and Access Management policies and organization policies are inherited through the resource hierarchy, and can block a service from functioning if not set properly. Determine the effective policy at the project's destination in your resource hierarchy to ensure the policy aligns with your governance objectives. [https://cloud.google.com/resource-manager/docs/create-migration-plan#plan_policy] E: You cannot migrate a project that is protected by a VPC Service Controls security perimeter. [https://cloud.google.com/resource-manager/docs/handle-special-cases#vpcsc_security_perimeters] D is recommended but not mandatort [https://cloud.google.com/resource-manager/docs/create-migration-plan#import_export_folders]

To prepare for migrating Google Cloud projects to a new organization node, you should identify inherited IAM roles on the projects to understand permission implications and remove the projects from any VPC Service Controls perimeters to avoid access issues during migration. These steps help ensure a smooth transition and maintain access control and security throughout the process.

C&E in my opinion

All the steps are relevant in some scenarios, but the most important 2 are C and E

A. Removing all the project-level IAM will make you not know what permissions were there to be able to migrate them. B. Disallowing inheritance of organization policies will affect other projects. C. Identify inherited Identity and Access Management (IAM) roles on projects to be migrated. Correct, this will help you to migrate the IAM D. You don't need a new folder to migrate the projects E. Remove the specific migration projects from any VPC Service Controls perimeters and bridges. Correct, this is necessary because the project is no longer part of the organization.

A, C https://cloud.google.com/resource-manager/docs/handle-special-cases

Before migrating Google Cloud projects associated with sold divisions to a new organization node, the following preparation steps are necessary: C. Identify inherited Identity and Access Management (IAM) roles on projects to be migrated: You should identify any IAM roles that are inherited by the projects you plan to migrate. This is important because you want to ensure that you understand the existing access controls and permissions associated with these projects. Identifying inherited IAM roles allows you to plan how to manage permissions during and after the migration. E. Remove the specific migration projects from any VPC Service Controls perimeters and bridges: If the projects you are migrating are currently part of any VPC Service Controls perimeters or bridges, you should remove them from these configurations. This ensures that the projects can be migrated without being restricted by VPC Service Controls, and it allows you to manage their access controls separately in the new organization node.

The Answer is CE

https://cloud.google.com/resource-manager/docs/create-migration-plan I think the answer can be BCD... E is incorrect

Because... A) Custom project roles can be re-granted after migration. B) Policy inheritance does not change after migration. D) A new folder is not required before migration.

CD is the ans

D, E D- Using import/export folders is recommended for mitigating policy risk. E- You cannot migrate a project that's in a VPC Service Controls perimeter References: https://cloud.google.com/resource-manager/docs/create-migration-plan#import_export_folders https://cloud.google.com/resource-manager/docs/handle-special-cases#vpcsc_security_perimeters

CE is the ans

A E https://cloud.google.com/resource-manager/docs/handle-special-cases

Answer C Answer E