GCP Professional Cloud Security Engineer Practice Question
Your company operates a single Google Cloud organization with hundreds of projects. A new EU subsidiary must ensure all new and existing resources in its prod-eu folder stay within EU regions, while all other folders remain unrestricted. As the security engineer, which action best enforces this data-residency requirement with minimal administrative overhead?
Define the constraints/gcp.resourceLocations policy at the organization root to allow only EU regions and the eu multi-region so that all descendants inherit the restriction.
Create a VPC Service Controls perimeter for the prod-eu folder that lists EU regions; this will automatically prevent creation of resources outside the EU, eliminating the need for an Organization Policy.
Do not configure a location policy at the organization level. Instead, attach the predefined constraints/gcp.resourceLocations policy to the prod-eu folder with inherit_from_parent set to false and specify only EU regions or the eu multi-region as allowed values.
Keep the organization-level policy unset, create a custom location constraint, attach it to the prod-eu folder, and allow only EU regions.
The constraints/gcp.resourceLocations Organization Policy lets you specify an allowlist of regions and multi-regions where resources may be created. If the policy is unset at the organization root, no location restriction applies by default. You can then attach the policy to the prod-eu folder, listing only EU regions (or the eu multi-region) and disabling inheritance from the parent. All projects in that folder automatically inherit the restriction, while projects in other folders remain unaffected. Setting the policy at the organization root would over-restrict every environment, and creating a custom constraint is unnecessary because Google already supplies the gcp.resourceLocations constraint. VPC Service Controls protect against data exfiltration but do not stop resources from being provisioned outside the EU, so they cannot satisfy a pure data-residency mandate on their own.
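The folder-level policy described above, written as Terraform. This is an added example, not part of the original question; the folder ID variable is a placeholder, and the `in:eu-locations` value group is an assumption standing in for "EU regions or the eu multi-region".

```hcl
# Added example: placeholder for the numeric ID of the prod-eu folder
# (the page does not give one).
variable "prod_eu_folder_id" {
  description = "Numeric ID of the prod-eu folder"
  type        = string
}

# Deliberately no policy for constraints/gcp.resourceLocations at the
# organization root: with the constraint unset there, every folder other
# than prod-eu keeps the unrestricted default.

resource "google_folder_organization_policy" "prod_eu_locations" {
  folder     = "folders/${var.prod_eu_folder_id}"
  constraint = "constraints/gcp.resourceLocations"

  list_policy {
    # Replace, rather than merge with, any list set higher in the hierarchy,
    # so a later change at the root cannot widen the allowed locations here.
    inherit_from_parent = false

    allow {
      # Assumption: Google's predefined value group for EU locations.
      # An explicit list of EU regions plus "eu" could be used instead.
      values = ["in:eu-locations"]
    }
  }
}
```

The constraint is evaluated when a resource is created and is not retroactive, so resources that already sit outside the EU in prod-eu have to be found and migrated separately.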
GCP Professional Cloud Security Engineer
Supporting compliance requirements