GCP Professional Cloud Security Engineer Practice Question
Your organization grants the Google Group "[email protected]" the Viewer role (roles/viewer) at the Organization node so that internal audit staff can list and read resources in every project. A new project called "mna-risk-analysis" will contain highly confidential data that auditors must not access. The project must stay within the existing organization hierarchy, and you must follow the principle of least privilege while avoiding disruptive changes to other projects. How should you prevent the auditors from viewing resources in the new project?
Attach an IAM Deny policy to the mna-risk-analysis project that blocks the [email protected] group from the viewer permissions they inherit.
Move the mna-risk-analysis project into a new Google Cloud organization that has no Viewer role for [email protected].
Delete the existing Viewer binding at the Organization level and re-create identical Viewer bindings on every other folder and project except mna-risk-analysis.
Add a conditional role binding at the project level that grants [email protected] the Viewer role only when resource.type != "project".
Because the Viewer role is bound at the Organization node, every descendant folder and project inherits it. IAM has no way to "un-inherit" an allow binding on a lower resource, and replacing the single organization-level binding with per-folder and per-project bindings would be error-prone, disruptive and contrary to least privilege. The fix is an IAM Deny policy attached to the mna-risk-analysis project whose deny rule lists the [email protected] group (as principalSet://goog/group/GROUP_EMAIL) and the read permissions it inherits, written in the deny-policy format SERVICE_FQDN/RESOURCE.ACTION (for example cloudresourcemanager.googleapis.com/projects.get rather than the allow-policy name resourcemanager.projects.get). IAM evaluates deny policies before allow policies, so a matching deny rule overrides any inherited allow and the auditors keep their organization-wide read access everywhere except this project. Two caveats: only permissions on Google's list of permissions supported in deny policies can be denied, so check that list for each service the project uses, and creating the policy requires iam.denypolicies.create on the project (for example via roles/iam.denyAdmin). Moving the project to another organization or deleting the organization-level binding would remove access the auditors need elsewhere, and a conditional allow binding cannot negate an inherited allow: a condition only narrows the binding it is attached to.
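The deny policy described in the explanation, as an added example that is not part of the original question page: a shell script that renders the deny-policy JSON, prints the gcloud commands that attach it to the project and verify it, and only executes them when APPLY=1 is set. The project ID mna-risk-analysis comes from the question; the group address auditors@example.com, the policy ID deny-auditors-viewer and the list of denied permissions are assumptions (the page redacts the real group address), and the permission list must be extended from Google's list of permissions supported in deny policies for whatever services the project actually uses.

```shell
#!/usr/bin/env sh
# Added example (not from the exam page): build and attach an IAM Deny policy
# that blocks an auditor group on one project while its Organization-level
# Viewer binding keeps working everywhere else.
#
# Hypothetical values; override them in the environment:
PROJECT_ID="${PROJECT_ID:-mna-risk-analysis}"        # project named in the question
GROUP_EMAIL="${GROUP_EMAIL:-auditors@example.com}"   # page redacts the real group address
POLICY_ID="${POLICY_ID:-deny-auditors-viewer}"       # assumed policy ID

# Deny-policy attachment point for a project. gcloud accepts this slash form;
# the REST API expects the same string with "/" percent-encoded as %2F.
attachment_point() {
  printf 'cloudresourcemanager.googleapis.com/projects/%s\n' "$1"
}

# Deny policies name permissions as SERVICE_FQDN/RESOURCE.ACTION, not in the
# roles/viewer style ("resourcemanager.projects.get"). Only permissions on the
# "supported in deny policies" list may appear; the list below is an assumed
# starting point that a real deployment would extend from that list.
deny_policy_json() {
  cat <<EOF
{
  "displayName": "Block ${GROUP_EMAIL} on ${PROJECT_ID}",
  "rules": [
    {
      "description": "Deny the read access inherited from the Organization-level Viewer binding",
      "denyRule": {
        "deniedPrincipals": [
          "principalSet://goog/group/${GROUP_EMAIL}"
        ],
        "deniedPermissions": [
          "cloudresourcemanager.googleapis.com/projects.get",
          "cloudresourcemanager.googleapis.com/projects.getIamPolicy",
          "storage.googleapis.com/buckets.list",
          "storage.googleapis.com/objects.list",
          "storage.googleapis.com/objects.get"
        ]
      }
    }
  ]
}
EOF
}

# Command that creates the deny policy on the project attachment point.
create_cmd() {
  printf 'gcloud iam policies create %s --attachment-point=%s --kind=denypolicies --policy-file=%s\n' \
    "$POLICY_ID" "$(attachment_point "$PROJECT_ID")" "$1"
}

# Command that lists deny policies on the project, to confirm the attachment.
list_cmd() {
  printf 'gcloud iam policies list --attachment-point=%s --kind=denypolicies\n' \
    "$(attachment_point "$PROJECT_ID")"
}

# True when the rendered policy denies the given group address.
policy_denies_principal() {
  deny_policy_json | grep -qF "\"principalSet://goog/group/$1\""
}

policy_file="${TMPDIR:-/tmp}/deny-policy-${PROJECT_ID}.json"
deny_policy_json > "$policy_file"

if [ "${APPLY:-0}" = "1" ]; then
  # Real run: needs gcloud and a caller holding iam.denypolicies.create
  # on the project (e.g. roles/iam.denyAdmin).
  sh -c "$(create_cmd "$policy_file")"
  sh -c "$(list_cmd)"
else
  # Dry run (default): show the file written and the commands that would run.
  echo "Wrote $policy_file"
  create_cmd "$policy_file"
  list_cmd
fi
```

Run it once without APPLY to review the JSON and the commands, then with APPLY=1 from an account that can create deny policies on the project. After attaching, a member of the group should get a permission-denied error on gcloud projects describe mna-risk-analysis while still being able to describe other projects in the organization.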