GCP Professional Cloud Security Engineer Practice Question
ExampleCorp has six product lines that spin up dozens of GCP projects every quarter. Compliance must enforce VM external-IP restrictions only for production workloads. Product-line administrators must self-provision new projects for their line without obtaining organization-level roles. Project names must follow a standard pattern and inherit the required constraints automatically. You want the central security team to stay out of the provisioning path while retaining policy control. Which approach best meets these requirements?
Establish two Google Cloud organizations-one for production and one for non-production-and grant product-line admin groups the Organization Administrator role in each so they can create projects directly.
Have the central security team create every project manually, move it into the right folder, apply the external-IP constraint, and then assign admin roles to the product-line group.
Create separate production and non-production folders, add a sub-folder per product line, grant each product-line admin group roles/resourcemanager.folderAdmin and roles/resourcemanager.projectCreator on its sub-folder, apply the VM external-IP Organization Policy constraint to the production folder, and use an automated pipeline that creates correctly named projects inside the appropriate sub-folder.
Grant each product-line admin group the Project Creator role at the organization level and apply the external-IP constraint to projects after creation by using tag-based policies.
Creating separate production and non-production folders lets you attach Organization Policy constraints-such as disabling external VM IPs-once at the production folder so that every project created beneath it inherits the rule. Granting each product-line admin group the Folder Admin and Project Creator roles on only their own sub-folder lets them create and manage projects without any organization-wide privileges. An automation pipeline that calls the Cloud Resource Manager API or gcloud projects create enforces naming conventions and places the project directly in the correct folder, eliminating manual effort by the central security team. The other approaches either over-privilege administrators, require manual intervention, or fragment the organization into multiple org nodes, all of which increase operational overhead or weaken governance.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
How does Organization Policy inheritance work in GCP?
Open an interactive chat with Bash
What is the purpose of the Folder Admin and Project Creator roles in GCP?
Open an interactive chat with Bash
How can an automated pipeline enforce naming conventions in GCP?
Open an interactive chat with Bash
What is the Organization Policy constraint in GCP?
Open an interactive chat with Bash
What permissions do Folder Admin and Project Creator provide?
Open an interactive chat with Bash
How does the automated pipeline work for project creation in GCP?
Open an interactive chat with Bash
GCP Professional Cloud Security Engineer
Configuring Access
Your Score:
Report Issue
Bash, the Crucial Exams Chat Bot
AI Bot
Loading...
Loading...
Loading...
Pass with Confidence.
IT & Cybersecurity Package
You have hit the limits of our free tier, become a Premium Member today for unlimited access.
Military, Healthcare worker, Gov. employee or Teacher? See if you qualify for a Community Discount.
Monthly
$19.99
$19.99/mo
Billed monthly, Cancel any time.
3 Month Pass
$44.99
$14.99/mo
One time purchase of $44.99, Does not auto-renew.
MOST POPULAR
Annual Pass
$119.99
$9.99/mo
One time purchase of $119.99, Does not auto-renew.
BEST DEAL
Lifetime Pass
$189.99
One time purchase, Good for life.
What You Get
All IT & Cybersecurity Package plans include the following perks and exams .