Google Cloud Professional Cloud DevOps Engineer — Question 172
Your company allows teams to self-manage Google Cloud projects, including project-level Identity and Access Management (IAM). You are concerned that the team responsible for the Shared VPC project might accidentally delete the project, so a lien has been placed on the project. You need to design a solution to restrict Shared VPC project deletion to those with the resourcemanager.projects.updateLiens permission at the organization level. What should you do?
Answer options
- A. Instruct teams to only perform IAM permission management as code with Terraform.
- B. Enable VPC Service Controls for the container.googleapis.com API service.
- C. Revoke the resourcemanager.projects.updateLiens permission from all users associated with the project.
- D. Enable the compute.restrictXpnProjectLienRemoval organization policy constraint.
Correct answer: D
Explanation
The correct answer is D. Enabling the compute.restrictXpnProjectLienRemoval organization policy constraint restricts the removal of liens on Shared VPC projects to users who hold the resourcemanager.projects.updateLiens permission at the organization level, so a team that self-manages project-level IAM cannot remove the lien and delete the project. Option A does not address the deletion concern, option B is unrelated to lien management, and option C would remove necessary permissions from all users, potentially leading to further issues.