Google Cloud Associate Cloud Engineer — Question 216
During a recent audit of your existing Google Cloud resources, you discovered several users with email addresses outside of your Google Workspace domain. You want to ensure that your resources are only shared with users whose email addresses match your domain. You need to remove any mismatched users, and you want to avoid having to audit your resources to identify mismatched users. What should you do?
Answer options
- A. Create a Cloud Scheduler task to regularly scan your projects and delete mismatched users.
- B. Create a Cloud Scheduler task to regularly scan your resources and delete mismatched users.
- C. Set an organizational policy constraint to limit identities by domain to automatically remove mismatched users.
- D. Set an organizational policy constraint to limit identities by domain, and then retroactively remove the existing mismatched users.
Correct answer: D
Explanation
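The correct answer is D. An organizational policy constraint that limits identities by domain prevents users outside your domain from being granted access in the future, and retroactively removing the existing mismatched users brings the current resources into compliance immediately. Options A and B rely on a Cloud Scheduler task, which only cleans up after the fact: it does not enforce the policy proactively, and it still depends on the repeated scanning the question asks you to avoid. Option C assumes the constraint removes mismatched users automatically, but the constraint is not retroactive. It only blocks new grants, so the existing mismatched users would keep their access, leaving potential vulnerabilities.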