Your company has a Google Cloud organization with separate "Prod" and "Dev" folders that each contain dozens of projects. Security requires that no Cloud Storage bucket in production can ever be made publicly accessible, while developers may still create public buckets in the Dev folder for testing. As the Associate Cloud Engineer, which approach best meets these requirements with the least operational overhead and without affecting the Dev folder?
Manually enable Uniform bucket-level access and remove public IAM principals on every existing and new bucket in Prod projects.
Create a VPC Service Controls perimeter around all Prod projects to block public access to Cloud Storage.
At the Organization level, add an IAM deny policy that blocks the roles/storage.objectViewer role for the principals allUsers and allAuthenticatedUsers.
Attach the constraints/storage.publicAccessPrevention organization policy to the Prod folder and set it to enforced, leaving the Dev folder without the policy.
The Organization Policy Service lets you set constraints that are inherited by all resources under a resource node (Organization, Folder, or Project). The boolean constraint constraints/storage.publicAccessPrevention prevents any bucket under the targeted node from being made publicly accessible when it is set to enforced: true. By attaching this policy to the Prod folder, every current and future project and bucket inside that folder automatically inherits the restriction, ensuring compliance without per-project configuration. Because the Dev folder is not under this policy, teams there can still create public buckets if needed. Applying the constraint at the Organization level would also block Dev, while configuring IAM or bucket-level settings requires repetitive, error-prone work on every bucket. VPC Service Controls do not address public IAM policies on Cloud Storage.
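As an added illustration of the recommended option (this script is not part of the original question page and is not Google's own tooling), the POSIX shell functions below render the folder-scoped policy in the YAML format that `gcloud org-policies set-policy` accepts, apply it to the Prod folder, and then verify it from the bottom up: the effective policy on a project inside the folder and the resulting public-access-prevention setting on a bucket. The folder ID, project ID and bucket name are placeholders you would replace with your own values; running the `apply_` and `check_` functions requires an authenticated `gcloud` with `roles/orgpolicy.policyAdmin` on the folder.

```shell
#!/bin/sh
# Added example (not from the original page). Placeholder identifiers:
PROD_FOLDER_ID="${PROD_FOLDER_ID:-000000000000}"   # constructed placeholder folder ID
SAMPLE_PROJECT="${SAMPLE_PROJECT:-prod-example-project}"   # placeholder project under Prod
SAMPLE_BUCKET="${SAMPLE_BUCKET:-prod-example-bucket}"     # placeholder bucket in that project

# Render the v2 org-policy resource that enforces
# constraints/storage.publicAccessPrevention on one folder.
# Nothing under the Dev folder is named here, so Dev is unaffected.
render_policy() {
  folder_id="$1"
  cat <<EOF
name: folders/${folder_id}/policies/storage.publicAccessPrevention
spec:
  rules:
  - enforce: true
EOF
}

# Apply the rendered policy to the folder (needs gcloud and
# orgpolicy.policyAdmin on the folder). Not run by the test below.
apply_policy() {
  folder_id="$1"
  tmp=$(mktemp)
  render_policy "$folder_id" > "$tmp"
  gcloud org-policies set-policy "$tmp"
  rm -f "$tmp"
}

# Show the effective (inherited) policy as seen from a project in Prod.
# New projects created later in the folder inherit it the same way.
check_effective_on_project() {
  gcloud org-policies describe storage.publicAccessPrevention \
    --project="$1" --effective
}

# Confirm a bucket now reports public access prevention as enforced
# (the bucket may report "inherited", which resolves to enforced here).
check_bucket() {
  gsutil pap get "gs://$1"
}

# Print the rendered policy so the reader can review it before applying.
render_policy "$PROD_FOLDER_ID"
```

Usage: `apply_policy "$PROD_FOLDER_ID"` once, then `check_effective_on_project "$SAMPLE_PROJECT"` and `check_bucket "$SAMPLE_BUCKET"` to confirm inheritance reached the leaf resources. Because the policy is attached to the folder rather than to each bucket, any bucket created in a Prod project afterwards is covered without further configuration, which is the "least operational overhead" property the question asks for.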
GCP Associate Cloud Engineer
Setting up a cloud solution environment