GCP Professional Cloud Security Engineer Practice Question
Your company, which uses the Cloud Identity domain corp.example, runs dozens of projects under one Google Cloud organization. A new Payment-Processing folder must meet PCI-DSS requirements that mandate every IAM principal in that folder belong only to corp.example. Other folders may continue granting roles to partner.com users. Which action will enforce this requirement on the Payment-Processing folder without impacting the rest of the organization?
Add IAM deny policies to each project in the Payment-Processing folder that exclude any principal whose email does not end with @corp.example.
Enable Access Approval on the Payment-Processing folder and reject any approval requests that originate from partner.com accounts.
Create a VPC Service Controls perimeter for the Payment-Processing folder and configure an access level that admits only corp.example identities.
Apply the Organization Policy constraint "constraints/iam.allowedPolicyMemberDomains" to the Payment-Processing folder, allowing only the corp.example domain and leaving the constraint unset at higher levels.
The iam.allowedPolicyMemberDomains organization policy lets you define an allowlist of Google Workspace or Cloud Identity domains whose members can appear in IAM policy bindings. By attaching this constraint to the Payment-Processing folder and specifying only corp.example in the allowed_values list, any attempt-now or in the future-to add principals from partner.com (or any other domain) to IAM roles on resources in that folder will be denied. Leaving the constraint unset at higher levels means other folders keep their current flexibility.
VPC Service Controls secure data movement, not IAM membership, so they cannot block adding principals. IAM Deny Policies cannot express a condition like "email domain not equals partner.com" and would require continual manual updates. Access Approval governs Google employee access to customer content and has no effect on who customers add to IAM policies. Hence, using the iam.allowedPolicyMemberDomains constraint at the folder level is the only solution that meets the requirement and preserves existing access elsewhere.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
What is the 'iam.allowedPolicyMemberDomains' constraint in Google Cloud?
Open an interactive chat with Bash
How does the 'iam.allowedPolicyMemberDomains' constraint differ from IAM deny policies?
Open an interactive chat with Bash
Why can't VPC Service Controls or Access Approval meet IAM domain compliance requirements?
Open an interactive chat with Bash
What is the purpose of the 'constraints/iam.allowedPolicyMemberDomains' organization policy?
Open an interactive chat with Bash
How does VPC Service Controls differ from IAM constraints in enforcing security measures?
Open an interactive chat with Bash
Why are IAM Deny Policies ineffective for this specific PCI-DSS requirement?
Open an interactive chat with Bash
GCP Professional Cloud Security Engineer
Supporting compliance requirements
Your Score:
Report Issue
Bash, the Crucial Exams Chat Bot
AI Bot
Loading...
Loading...
Loading...
Pass with Confidence.
IT & Cybersecurity Package
You have hit the limits of our free tier, become a Premium Member today for unlimited access.
Military, Healthcare worker, Gov. employee or Teacher? See if you qualify for a Community Discount.
Monthly
$19.99 $11.99
$11.99/mo
Billed monthly, Cancel any time.
$19.99 after promotion ends
3 Month Pass
$44.99 $26.99
$8.99/mo
One time purchase of $26.99, Does not auto-renew.
$44.99 after promotion ends
Save $18!
MOST POPULAR
Annual Pass
$119.99 $71.99
$5.99/mo
One time purchase of $71.99, Does not auto-renew.
$119.99 after promotion ends
Save $48!
BEST DEAL
Lifetime Pass
$189.99 $113.99
One time purchase, Good for life.
Save $76!
What You Get
All IT & Cybersecurity Package plans include the following perks and exams .