GCP Professional Cloud Security Engineer Practice Question
A multinational financial-services firm runs hundreds of Google Cloud projects under one organization. All production workloads that handle customer PII must comply with EU data-residency rules, so new resources may be created only in the EU multi-region or europe-west* zones. A separate Research folder occasionally needs to deploy ad-hoc test workloads in additional global regions. You must implement an organization-wide control that enforces the EU residency requirement everywhere except inside the Research folder, while keeping administration effort low. Which solution will meet these goals?
Create a VPC Service Controls perimeter around all production projects that blocks egress to non-EU Google Cloud regions, leaving the Research folder outside the perimeter.
Apply constraints/gcp.resourceLocations with an ALLOW list of EU and europe-west* at the organization level, then attach another policy to the Research folder that sets inherit_from_parent to false and specifies an ALLOW list containing the extra regions needed for research projects.
Enable the Assured Workloads EU sovereignty regime for every production project and omit the Research folder from the Assured Workloads environment.
Define a denylist policy on constraints/gcp.resourceLocations at the organization level that blocks all non-EU regions, and grant researchers the roles/compute.orgPolicyAdmin role on their projects so they can bypass the policy when needed.
The organization policy constraint constraints/gcp.resourceLocations lets administrators define which regions or multi-regions are permitted for new resource creation. Setting an ALLOW list at the organization root restricts every descendant resource unless a lower-level resource sets its own policy and disables inheritance. By defining the policy at the organization to permit only EU and europe-west*, all projects automatically comply with the residency mandate. In the Research folder, attaching another policy for the same constraint with inherit_from_parent set to false and a broader ALLOW list replaces the inherited restriction, permitting additional regions only for that folder and its projects. VPC Service Controls and Assured Workloads focus on data exfiltration boundaries or prescriptive compliance regimes but do not stop resource creation in disallowed regions. Granting IAM roles cannot override an Organization Policy that denies or restricts locations; only another policy on a lower resource node can do so. Therefore, configuring a hierarchical Organization Policy with an override in the Research folder is the correct and least-effort approach.
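A simplified model of the hierarchy evaluation described above, added here as an illustration; it is not part of the original question or of any Google tooling. The Node and LocationPolicy classes, the hierarchy names, and the location strings (matched as glob patterns) are constructed assumptions, and a policy that keeps inherit_from_parent true is modeled as a union of allow entries.

```python
from __future__ import annotations
from dataclasses import dataclass
from fnmatch import fnmatch


@dataclass
class LocationPolicy:
    """Policy for constraints/gcp.resourceLocations on one node (simplified)."""
    allowed: list[str]
    inherit_from_parent: bool = True


@dataclass
class Node:
    """Organization, folder or project in the resource hierarchy."""
    name: str
    parent: Node | None = None
    policy: LocationPolicy | None = None


def effective_allowed(node: Node) -> list[str]:
    """Collect allow entries while walking up to the root.

    A node without a policy inherits unchanged. A policy with
    inherit_from_parent=False replaces everything above it, so the walk stops.
    """
    allowed: set[str] = set()
    found_policy = False
    cur: Node | None = node
    while cur is not None:
        if cur.policy is not None:
            found_policy = True
            allowed.update(cur.policy.allowed)
            if not cur.policy.inherit_from_parent:
                break
        cur = cur.parent
    # No policy anywhere in the ancestry means the constraint is not enforced.
    return sorted(allowed) if found_policy else ["*"]


def can_create(node: Node, location: str) -> bool:
    """True if a new resource in `location` passes the effective allow list."""
    return any(fnmatch(location, pat) for pat in effective_allowed(node))


# Constructed hierarchy mirroring the question (names are hypothetical).
EU = ["eu", "europe-west*"]
org = Node("org", policy=LocationPolicy(allowed=EU))
prod = Node("prod-project", parent=Node("Production", parent=org))
research_folder = Node("Research", parent=org, policy=LocationPolicy(
    allowed=EU + ["us-central1"], inherit_from_parent=False))
research = Node("research-project", parent=research_folder)
```

Because the folder policy replaces the inherited one instead of extending it, the Research allow list has to repeat the EU entries if research projects should still be able to deploy there.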
GCP Professional Cloud Security Engineer
Supporting compliance requirements