GCP Professional Cloud Security Engineer Practice Question
Your organization operates more than 200 Google Cloud projects beneath a single organization node. A new compliance rule states that no one may create new user-managed service account keys, except in one legacy project called "payments-bridge," which must continue to generate key files for an on-premises HSM. The security team wants a solution that (1) blocks key creation everywhere else, (2) supports automatic enforcement for any future projects, and (3) does not rely on ongoing manual administration. What should you do?
Create a top-level folder (for example, "restricted-keys"), move all projects except payments-bridge into it, and set constraints/iam.disableServiceAccountKeyCreation to enforced: true on that folder.
Enable Access Approval organization-wide and deny any approval requests to create new service account keys, allowing approvals only in payments-bridge.
Set the constraints/iam.disableServiceAccountKeyCreation policy to enforced: true at the organization level, then override it with enforced: false in the payments-bridge project.
Remove the Service Account Key Admin role from every project except payments-bridge and ensure future projects do not grant the role.
constraints/iam.disableServiceAccountKeyCreation is a Boolean organization policy constraint, and Boolean constraints are evaluated by proximity: the effective policy for a resource is the one set on the nearest node in its own ancestry (project, then folder, then organization), and a resource with no policy of its own inherits its parent's. An enforced: true policy at the organization is therefore not locked for all descendants; a folder or project can set enforced: false and override it. That is exactly the documented pattern for a single exemption, so the correct answer is to set the constraint to enforced: true at the organization node and override it with enforced: false in the payments-bridge project.
This satisfies all three requirements: every existing project inherits the prohibition, any project created in the future anywhere under the organization inherits it the moment it exists, and the exception is a single, reviewable policy on one project rather than an ongoing process. Moving every project except payments-bridge into a "restricted-keys" folder only blocks keys for projects that are actually inside that folder; a project created directly under the organization or in another folder inherits nothing, so requirement (2) would depend on someone remembering to move each new project, which is the manual administration requirement (3) rules out.
Removing the Service Account Key Admin role does not block key creation either: the iam.serviceAccountKeys.create permission is also carried by the basic Owner and Editor roles and by other predefined roles such as Service Account Admin, and nothing stops a future project from granting any of them. Access Approval governs Google personnel access to customer content, not customer API calls, so it cannot gate key creation at all. Only the organization policy constraint blocks the API method that creates user-managed keys, regardless of who calls it.
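The hierarchy evaluation described above, as an added illustration that is not part of the original question or of any Google Cloud library. It models the nearest-policy-wins rule for a Boolean constraint and compares the two candidate designs: organization-wide enforcement with a project override, and a folder-only policy. The organization number, folder IDs and project IDs are constructed for the example, and the policy dictionaries mirror the shape of an Organization Policy v2 document (name plus spec.rules[].enforce) rather than calling the real API.

```python
"""Model of Boolean organization policy resolution across the Google Cloud
resource hierarchy (added example, not Google code).

Rule modelled: for a Boolean constraint such as
constraints/iam.disableServiceAccountKeyCreation, the policy on the resource
nearest to the target wins; a node without its own policy inherits from its
parent; with no policy anywhere, the constraint's default (not enforced)
applies. All resource names below are constructed for the example.
"""
from dataclasses import dataclass, field
from typing import Optional

CONSTRAINT = "iam.disableServiceAccountKeyCreation"


@dataclass
class Resource:
    name: str                                   # e.g. "organizations/123456789012"
    parent: Optional["Resource"] = None
    # Policies keyed by constraint, in the v2 shape:
    # {"name": "<resource>/policies/<constraint>", "spec": {"rules": [{"enforce": bool}]}}
    policies: dict = field(default_factory=dict)

    def set_boolean_policy(self, constraint: str, enforce: bool) -> None:
        self.policies[constraint] = {
            "name": f"{self.name}/policies/{constraint}",
            "spec": {"rules": [{"enforce": enforce}]},
        }


def effective_enforcement(resource: Resource, constraint: str) -> bool:
    """Walk from the resource up to the organization; the first policy found
    (the one nearest the resource) decides. No policy anywhere -> not enforced."""
    node = resource
    while node is not None:
        policy = node.policies.get(constraint)
        if policy is not None:
            return policy["spec"]["rules"][0]["enforce"]
        node = node.parent
    return False


def key_creation_blocked(project: Resource) -> bool:
    return effective_enforcement(project, CONSTRAINT)


def scenario_org_enforce_project_override() -> dict:
    """Enforce at the organization, override with enforce: false on payments-bridge."""
    org = Resource("organizations/123456789012")
    org.set_boolean_policy(CONSTRAINT, True)
    payments = Resource("projects/payments-bridge", parent=org)
    payments.set_boolean_policy(CONSTRAINT, False)       # the single exemption
    existing = Resource("projects/existing-app", parent=org)
    some_folder = Resource("folders/987654321098", parent=org)
    # Created later, in a folder nobody curated: inherits the org policy anyway.
    future = Resource("projects/future-app", parent=some_folder)
    return {
        "payments-bridge": key_creation_blocked(payments),
        "existing-app": key_creation_blocked(existing),
        "future-app": key_creation_blocked(future),
    }


def scenario_folder_only() -> dict:
    """Policy only on a 'restricted-keys' folder; the organization has none."""
    org = Resource("organizations/123456789012")
    restricted = Resource("folders/111111111111", parent=org)   # display name "restricted-keys"
    restricted.set_boolean_policy(CONSTRAINT, True)
    payments = Resource("projects/payments-bridge", parent=org)
    moved = Resource("projects/existing-app", parent=restricted)
    # A project created directly under the organization never sees the
    # folder's policy, so it can create keys until someone moves it.
    stray = Resource("projects/future-app", parent=org)
    return {
        "payments-bridge": key_creation_blocked(payments),
        "existing-app": key_creation_blocked(moved),
        "future-app": key_creation_blocked(stray),
    }


if __name__ == "__main__":
    print("org enforce + project override:", scenario_org_enforce_project_override())
    print("folder only:                   ", scenario_folder_only())
```

In the first scenario only payments-bridge resolves to "not enforced" and the un-curated future project is still blocked; in the second, the future project created under the organization resolves to "not enforced" even though payments-bridge was never touched. On a real organization the same resolution can be inspected with `gcloud org-policies describe iam.disableServiceAccountKeyCreation --project=PROJECT_ID --effective`, which returns the policy that actually applies after inheritance.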
Exam: GCP Professional Cloud Security Engineer. Domain: Supporting compliance requirements.