An international bank has a Google Cloud organization with two top-level folders: Payments (EU production workloads) and Sandbox (experimentation). Project owners in both folders can create Cloud Storage buckets and BigQuery datasets. All new resources under the Payments folder must reside only in regions europe-west1 or europe-west4, while Sandbox projects should remain unrestricted. You must enforce this rule even for users who hold the Owner role, and you want to minimize ongoing operational effort. What should you do?
Create a deny policy on "constraints/gcp.resourceLocations" at the organization root that blocks every region except europe-west1 and europe-west4, relying on inheritance for enforcement.
Configure an Audit Log sink that triggers a Cloud Function to delete any bucket or dataset under Payments that is created outside europe-west1 or europe-west4.
Attach an Organization Policy for the constraint "constraints/gcp.resourceLocations" to the Payments folder, specifying only ["europe-west1", "europe-west4"] as allowed values and leaving the Sandbox folder without this policy.
Define a VPC Service Controls perimeter around the Payments folder that permits only europe-west1 and europe-west4 egress endpoints.
Create an Organization Policy for the constraint "constraints/gcp.resourceLocations" on the Payments folder and configure a list policy that sets allowedValues to ["europe-west1", "europe-west4"] with inherit_from_parent: false. Every project beneath the folder automatically inherits the restriction, and IAM privileges, including Owner, cannot bypass it. Because no policy is applied to the Sandbox folder, its projects remain free to create resources in any region. VPC Service Controls only restrict access paths, not resource creation locations. Setting a deny policy at the organization root would also block other folders and cannot be relaxed below that level. Reactive cleanup with Cloud Functions introduces unnecessary operational overhead.
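The inheritance reasoning in the explanation above, as an added example (not part of the original question and not Google's implementation): a simplified Python model in which a node with no policy inherits its parent's effective policy, and a policy set with inherit_from_parent: false replaces it. The folder and project names and the us-central1 test region are assumptions made for the illustration.

```python
# Simplified model of how a list constraint such as
# constraints/gcp.resourceLocations resolves down the resource hierarchy.
# Node names below are constructed sample data, not real resources.
ALL = None  # sentinel: no policy anywhere above, constraint default (allow all)

PARENT = {  # child -> parent; the organization has no parent
    "org": None,
    "folders/payments": "org",
    "folders/sandbox": "org",
    "projects/pay-prod": "folders/payments",
    "projects/sbx-lab": "folders/sandbox",
}

def effective_allowed(node, policies):
    """Return the set of allowed locations at `node`, or ALL if unrestricted.

    Every policy is modelled as set with inherit_from_parent: false, as in the
    explanation, so it replaces the parent's policy instead of merging with it.
    """
    if node is None:
        return ALL                       # walked past the org: default applies
    if node in policies:
        return set(policies[node])       # nearest policy wins
    return effective_allowed(PARENT[node], policies)  # nothing set here: inherit

def creation_permitted(project, location, policies, caller_role="roles/owner"):
    # caller_role is deliberately never consulted: the constraint is evaluated
    # independently of IAM, which is why an Owner cannot bypass it.
    allowed = effective_allowed(project, policies)
    return allowed is ALL or location.lower() in allowed

# Chosen answer: restriction attached to the Payments folder only.
FOLDER_SCOPED = {"folders/payments": {"europe-west1", "europe-west4"}}
# Rejected option: the same restriction attached at the organization root.
ROOT_SCOPED = {"org": {"europe-west1", "europe-west4"}}

def audit(policies):
    """Decision matrix for both sample projects across two regions."""
    return {(p, loc): creation_permitted(p, loc, policies)
            for p in ("projects/pay-prod", "projects/sbx-lab")
            for loc in ("europe-west4", "us-central1")}

if __name__ == "__main__":
    for name, pol in (("folder-scoped", FOLDER_SCOPED), ("root-scoped", ROOT_SCOPED)):
        print(name)
        for (project, loc), ok in audit(pol).items():
            print(f"  {project:18} {loc:13} {'ALLOW' if ok else 'DENY'}")
```

Running it prints both decision matrices; the only difference between them is that the root-scoped variant also denies us-central1 in the Sandbox project.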
GCP Professional Data Engineer
Designing data processing systems