GCP Professional Cloud Security Engineer Practice Question
The Corp folder contains all production projects, including analytics-prod. You set the organization-policy constraint constraints/storage.uniformBucketLevelAccess on Corp with enforced: true, making Uniform Bucket-Level Access mandatory for every Cloud Storage bucket below that folder. The analytics team needs a two-week exception to disable UBLA in the analytics-prod project for a migration. Which approach allows the exception without weakening the requirement for all other projects?
Move the analytics-prod project to a temporary sibling folder that has no UBLA policy, perform the migration there, then move the project back after two weeks while leaving the Corp policy unchanged.
Create a project-level policy on analytics-prod that sets enforced: false for constraints/storage.uniformBucketLevelAccess during the migration and delete the policy afterward.
Add the analytics-prod project's default service account to the allowedValues list of the UBLA constraint at the Corp folder and remove it after the migration.
Grant analytics-prod project owners the roles/orgpolicy.policyAdmin role on the Corp folder so they can temporarily disable the UBLA constraint and re-enable it after the migration.
When a boolean organization-policy constraint is set with enforced: true, the restriction is absolute for that resource and all of its descendants; lower-level resources cannot override it. The only practical way to provide an exception is to move the affected project (analytics-prod) to a location in the resource hierarchy where the policy is not enforced, perform the required work, and then move it back. Creating a project-level policy that sets enforced: false will be ignored because the ancestor's enforced policy has higher precedence. Granting the project owners Organization Policy Admin at the Corp folder would let them change the policy for every project, which violates least privilege and jeopardizes compliance. Adding service accounts to an allowlist is impossible here because constraints/storage.uniformBucketLevelAccess is a boolean constraint and has no allowedValues list. Therefore, moving the project to a temporary folder without the constraint is the most secure and compliant solution.
GCP Professional Cloud Security Engineer
Managing operations