GCP Professional Cloud Security Engineer Practice Question

As part of an enterprise-wide reorganization, Digiflow Inc. needs to migrate 200 existing Google Cloud projects into an arrangement that will

give every business unit full administrative control over only its own current and future projects,
let the central security team apply mandatory organization policies and IAM guardrails from a single place, and
enable automated creation of additional dev, test, and prod projects for each business unit by Cloud Deployment Manager. Which approach best meets these requirements while aligning with recommended use of the Google Cloud resource hierarchy at scale?

Consolidate all workloads into three shared projects-development, staging, and production-and manage business-unit access through IAM Conditions on individual resources, avoiding the use of folders or additional projects.
Create a dedicated top-level folder for each business unit under the organization, move existing unit projects into that folder, grant unit administrators the Folder Admin role there, and have Deployment Manager create future dev, test, and prod projects inside the same folder while central security applies organization policies at the organization and folder levels.
Tag each project with business-unit and environment labels, keep all projects at the organization root, grant unit administrators Project Owner on the tagged projects, and create future projects at the organization root with the same labels.
Establish a separate Google Cloud organization (with its own Cloud Identity tenant) for every business unit, migrate projects accordingly, and rely on cross-organization Shared VPCs so the central security team can apply common controls.

Report Issue

Answer Description

A separate folder for each business unit under the single organization establishes a clear inheritance boundary in the resource hierarchy. By granting the Folder Admin role (or a constrained custom role) to the business-unit administrators on their folder, you delegate project creation and day-to-day IAM management without exposing other units' resources. Central security can attach organization-wide policies at the organization node and, where needed, apply stricter constraints to specific folders; those policies automatically propagate to all current and future projects that reside in the folder, so Deployment Manager can safely create new dev/test/prod projects there with no extra steps. The other choices violate best practices: merely using labels does not provide delegation or policy inheritance; creating multiple organizations prevents a single point of policy enforcement and complicates identity management; collapsing all workloads into a few shared projects removes isolation and does not scale for 200 projects or future growth.

Ask Bash

Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.