Your organization is subject to GDPR and must guarantee that any resource storing or processing customer PII is deployed only in EU regions (europe-west* and europe-central2). Multiple engineering teams use automated Terraform pipelines that create new Cloud Storage buckets, BigQuery datasets, and Dataflow jobs in their projects. To enforce the regional restriction on every current and future project that hosts PII workloads, while letting unrelated projects remain unrestricted, what should you do?
Build a custom IAM role that removes permissions to create resources in non-EU regions and assign it to all developers in the affected projects.
Place the PII projects in a VPC Service Controls perimeter that allows access only from EU IP address ranges.
Enable Cloud Asset Inventory feeds on the organization and deploy a Cloud Function that deletes any newly detected resource located outside the EU.
Create a folder for all projects that process customer PII and attach an organization policy with the gcp.resourceLocations constraint set to allow only EU regions.
The gcp.resourceLocations organization policy constraint prevents the creation of new Google Cloud resources outside an allowed list of regions or multi-regions. By attaching this constraint to the folder that contains all projects with customer-PII workloads, and setting the policy to allow only europe-west* and europe-central2, the security team establishes a preventive control that applies immediately to the projects already in the folder and is automatically inherited by any new project placed there. Projects outside the folder are not affected.
IAM roles cannot filter actions by geography, so a custom role cannot block resource creation in non-EU regions. VPC Service Controls secure data movement but do not stop resources from being provisioned in disallowed regions. A reactive Cloud Function triggered from Cloud Asset Inventory would add operational overhead and does not provide the guaranteed preventive enforcement required by compliance.
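The folder-scoped policy described above, written as Terraform for the teams' existing pipelines. This is an added example, not code from the page; the organization id, project id and the exact list of europe-west regions are assumptions to be replaced with your own values.

```hcl
# Added example: folder-level gcp.resourceLocations policy (not from the page).
# Placeholders: var.org_id, the project_id, and the region list below.

variable "org_id" {
  description = "Numeric organization id (placeholder, replace with your own)"
  type        = string
}

# Folder that groups every project processing customer PII.
resource "google_folder" "pii" {
  display_name = "pii-workloads"
  parent       = "organizations/${var.org_id}"
}

# Preventive control: new resources in this folder may only be created in the
# listed regions. Every project under the folder, now or later, inherits it.
resource "google_folder_organization_policy" "eu_only" {
  folder     = google_folder.pii.name # "folders/<id>"
  constraint = "gcp.resourceLocations"

  list_policy {
    allow {
      # Assumed region list: extend it with the remaining europe-west regions
      # you use. Note that multi-region locations such as "eu" for Cloud
      # Storage or BigQuery are NOT covered by region names; add "eu" (or the
      # Google-defined value group "in:eu-locations") if those are permitted.
      values = [
        "europe-west1",
        "europe-west3",
        "europe-west4",
        "europe-central2",
      ]
    }
  }
}

# A PII project placed in the folder inherits the policy without any per-project
# configuration; unrelated projects outside the folder remain unrestricted.
resource "google_project" "customer_analytics" {
  name       = "customer-analytics"
  project_id = "customer-analytics-example" # placeholder, must be globally unique
  folder_id  = google_folder.pii.folder_id
}

# With the policy in place, a pipeline that tries to create e.g. a
# google_storage_bucket with location = "US" in this project fails at apply
# time with a gcp.resourceLocations policy violation instead of succeeding and
# being cleaned up afterwards.
```

Check the effective policy on a project under the folder with `gcloud resource-manager org-policies describe gcp.resourceLocations --project <id> --effective`; a project can only override it if a principal holding orgpolicy.policy.set sets a local policy, so keep that permission out of the engineering teams' roles.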
GCP Professional Data Engineer
Designing data processing systems