Google Cloud Professional Cloud Architect — Question 172

Your company has just recently activated Cloud Identity to manage users. The Google Cloud Organization has been configured as well. The security team needs to secure projects that will be part of the Organization. They want to prohibit IAM users outside the domain from gaining permissions from now on. What should they do?

Answer options

• A. Configure an organization policy to restrict identities by domain.
• B. Configure an organization policy to block creation of service accounts.
• C. Configure Cloud Scheduler to trigger a Cloud Function every hour that removes all users that don't belong to the Cloud Identity domain from all projects.
• D. Create a technical user (e.g.,[email protected]), and give it the project owner role at root organization level. Write a bash script that: ג€¢ Lists all the IAM rules of all projects within the organization. ג€¢ Deletes all users that do not belong to the company domain. Create a Compute Engine instance in a project within the Organization and configure gcloud to be executed with technical user credentials. Configure a cron job that executes the bash script every hour.

Correct answer: A

Explanation

The correct answer is A because configuring an organization policy to restrict identities by domain directly addresses the requirement to prevent external IAM users from accessing permissions. Option B is incorrect as blocking service account creation does not address the issue of user permissions. Option C is overly complicated and does not provide a proactive solution, while option D involves complex scripting and maintenance without directly enforcing domain restrictions.