GCP Professional Cloud Security Engineer Practice Question
A global retailer runs more than 100 Google Cloud projects in a single organization. Only a subset of workloads store or process cardholder data and therefore fall under PCI DSS scope. The security team must 1) isolate these in-scope resources from all other workloads, 2) attach stricter Organization Policy constraints and IAM limits only to the in-scope environment, and 3) keep the solution simple to administer over time. Which design best meets these objectives?
Create a dedicated "pci" folder beneath the organization root, move or create all PCI-related projects inside it, and apply the required Organization Policy constraints and IAM restrictions at that folder level.
Keep all projects as they are but create a separate "pci-vpc" network in each one, protect it with hierarchical firewall rules, and track scoped resources in a spreadsheet.
Add a "pci=true" label to every resource that handles cardholder data and rely on Cloud Asset Inventory queries and label-based VPC Service Controls to enforce PCI controls.
Apply the stricter Organization Policy constraints at the organization node and override them in non-PCI projects that should remain out of scope.
Using a dedicated folder for all PCI workloads cleanly separates the cardholder data environment from the rest of the organization. By moving (or creating) every PCI-related project inside that folder, administrators can apply Organization Policy constraints (such as restricted resource locations, denial of external IPs, and limited IAM domains) at a single point in the hierarchy. The policies are inherited automatically by every project in the folder, while other folders and projects remain unaffected, which minimizes operational overhead. Applying the same controls at the organization node would over-constrain non-PCI workloads, and relying on labels, spreadsheets, or per-project VPC segmentation cannot enforce Organization Policies or IAM restrictions consistently across the in-scope environment.
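The folder-based design described above, expressed as an added Terraform example (it is not part of the original question or of any Google-provided code). The organization ID, folder name, project ID, Cloud Identity customer ID and admin group address are placeholders; the three constraints are the ones the explanation names, and the IAM binding shows that access is granted once at the folder rather than per project.

```hcl
# Added example (not from the page): a dedicated PCI folder with folder-level
# Organization Policy constraints and a folder-level IAM binding.
# org_id, the project ID, the customer ID and the group address are placeholders.

variable "org_id" {
  description = "Numeric organization ID (placeholder)"
  type        = string
  default     = "123456789012"
}

# Dedicated folder beneath the organization root for every in-scope project.
resource "google_folder" "pci" {
  display_name = "pci"
  parent       = "organizations/${var.org_id}"
}

# In-scope projects are created under (or moved into) the folder, so they
# inherit every policy attached below without per-project configuration.
resource "google_project" "pci_payments" {
  name       = "pci-payments"
  project_id = "pci-payments-example" # placeholder project ID
  folder_id  = google_folder.pci.folder_id
}

# Restrict where in-scope resources may be created (restricted resource locations).
resource "google_org_policy_policy" "pci_locations" {
  name   = "folders/${google_folder.pci.folder_id}/policies/gcp.resourceLocations"
  parent = "folders/${google_folder.pci.folder_id}"
  spec {
    rules {
      values {
        allowed_values = ["in:us-locations"]
      }
    }
  }
}

# Deny external IP addresses on VM instances in the PCI environment.
resource "google_org_policy_policy" "pci_no_external_ip" {
  name   = "folders/${google_folder.pci.folder_id}/policies/compute.vmExternalIpAccess"
  parent = "folders/${google_folder.pci.folder_id}"
  spec {
    rules {
      deny_all = "TRUE"
    }
  }
}

# Limit IAM principals to the company's own Cloud Identity customer ID (limited IAM domains).
resource "google_org_policy_policy" "pci_member_domains" {
  name   = "folders/${google_folder.pci.folder_id}/policies/iam.allowedPolicyMemberDomains"
  parent = "folders/${google_folder.pci.folder_id}"
  spec {
    rules {
      values {
        allowed_values = ["C0xxxxxxx"] # placeholder customer ID
      }
    }
  }
}

# Folder-level IAM: one group administers the whole in-scope environment.
resource "google_folder_iam_binding" "pci_admins" {
  folder  = google_folder.pci.name
  role    = "roles/resourcemanager.folderAdmin"
  members = ["group:pci-admins@example.com"] # placeholder group
}
```

Because nothing here is attached at the organization node, sibling folders and out-of-scope projects keep their existing, less restrictive policies, which is exactly the difference between this design and the "set at the org and override elsewhere" option. Moving an existing project into the folder (for example with `gcloud projects move PROJECT_ID --folder=FOLDER_ID`) brings it under the same inherited constraints immediately, so scope tracking lives in the hierarchy itself rather than in labels or a spreadsheet.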
GCP Professional Cloud Security Engineer
Supporting compliance requirements