Your company has a Google Cloud organization with a folder per business unit. Each of those folders contains a child folder named "prod" that holds all production projects. Policy requires that only the central InfoSec group ([email protected]) may create or manage service accounts in production projects, while business-unit admins may keep Owner rights in non-production projects. You must enforce this with minimal ongoing effort and ensure production project owners cannot re-grant themselves the removed permission. What should you do?
Enable the "Disable Service Account Creation" organization policy constraint and add project-level exceptions for [email protected].
Grant roles/iam.serviceAccountAdmin to [email protected] at the organization level and rely on project owners to refrain from assigning it in production.
Replace the Owner role in every production project with a custom role that omits iam.serviceAccount.* permissions and assign it to business-unit administrators.
Attach an IAM deny policy to each business-unit "prod" folder that blocks iam.serviceAccounts.* permissions for all principals except the [email protected] group.
Project Owners hold resourcemanager.projects.setIamPolicy, so any allow binding you strip from them in a production project they can simply grant back, and an allow policy has no way to say "everyone except this group". An IAM deny policy can say exactly that: deny rules are evaluated before allow bindings, so a denied permission stays denied regardless of which roles a principal holds now or is granted later. Attaching one deny policy to each business-unit "prod" folder that denies the service-account management permissions (written in deny-policy syntax as iam.googleapis.com/serviceAccounts.create, .delete, .update and so on) for all principals, with the InfoSec group listed as an exception principal, blocks production project owners from creating or managing service accounts while leaving the group fully able to do so, and every project under the folder inherits the rule with no per-project work. The other options fall short: a deny policy at the organization level would also hit non-production folders; replacing Owner with a per-project custom role has to be maintained in every production project, and any owner-equivalent grant that slips through restores the permission; granting roles/iam.serviceAccountAdmin to the group does nothing to stop owners, who already hold those permissions; and the Disable Service Account Creation organization policy constraint is scoped to resources, with no way to exempt a principal, so it would block the InfoSec group as well.
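As an added example (not part of the original question or its explanation), the script below generates the deny policy the correct answer describes and prints the gcloud command that attaches it to a "prod" folder. The folder ID 123456789012, the policy ID prod-sa-deny and the group address infosec@example.com are placeholder assumptions. Note which verbs it denies: only the management permissions (create, delete, undelete, update, disable, enable, setIamPolicy). Denying get, list or actAs would stop business-unit admins from deploying workloads that run as existing service accounts, which the policy does not call for.

```shell
#!/usr/bin/env bash
# Added example, not from the original page: generate the deny policy described
# in the explanation and show the gcloud command that attaches it to a "prod"
# folder. The folder ID 123456789012, the policy ID prod-sa-deny and the group
# address are placeholder assumptions, not values taken from the page.
set -euo pipefail

# Emit the deny policy as JSON. Deny-policy permissions are written as
# SERVICE.googleapis.com/RESOURCE.VERB (not the role-style iam.serviceAccounts.x
# spelling), and principals use the principalSet://goog/... form. Only the
# management verbs are denied; get, list and actAs stay allowed so that owners
# can still deploy workloads that run as existing service accounts.
deny_policy_json() {
  local folder_id="$1" infosec_group="$2"
  cat <<EOF
{
  "displayName": "Block service-account management in prod folder ${folder_id}",
  "rules": [
    {
      "description": "Only the InfoSec group may create or manage service accounts",
      "denyRule": {
        "deniedPrincipals": ["principalSet://goog/public:all"],
        "exceptionPrincipals": ["principalSet://goog/group/${infosec_group}"],
        "deniedPermissions": [
          "iam.googleapis.com/serviceAccounts.create",
          "iam.googleapis.com/serviceAccounts.delete",
          "iam.googleapis.com/serviceAccounts.undelete",
          "iam.googleapis.com/serviceAccounts.update",
          "iam.googleapis.com/serviceAccounts.disable",
          "iam.googleapis.com/serviceAccounts.enable",
          "iam.googleapis.com/serviceAccounts.setIamPolicy"
        ]
      }
    }
  ]
}
EOF
}

# Print the gcloud command that attaches the policy to the folder. The
# attachment point is the folder's full resource name with "/" URL-encoded as
# %2F, which is the form gcloud expects. It is printed rather than executed so
# the command can be reviewed first; pipe the output to sh to apply it.
attach_command() {
  local folder_id="$1" policy_file="$2"
  printf 'gcloud iam policies create prod-sa-deny \\\n'
  printf '  --attachment-point=cloudresourcemanager.googleapis.com%%2Ffolders%%2F%s \\\n' "$folder_id"
  printf '  --kind=denypolicies \\\n'
  printf '  --policy-file=%s\n' "$policy_file"
}

# Usage: FOLDER_ID=123456789012 INFOSEC_GROUP=infosec@example.com ./deny-prod-sa.sh
# With neither variable set the script only defines the functions above.
if [ -n "${FOLDER_ID:-}" ] && [ -n "${INFOSEC_GROUP:-}" ]; then
  deny_policy_json "$FOLDER_ID" "$INFOSEC_GROUP" > "prod-sa-deny-${FOLDER_ID}.json"
  attach_command "$FOLDER_ID" "prod-sa-deny-${FOLDER_ID}.json"
fi
```

Run it once per business-unit "prod" folder. Because the deny policy lives on the folder, project owners underneath cannot edit it (that needs iam.denyAdmin on the folder or above), and any Owner binding they add to themselves later is still evaluated after the deny rule and loses.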
GCP Professional Data Engineer
Designing data processing systems