Google Cloud Professional Cloud Security Engineer — Question 116
Your company must follow industry-specific regulations. Therefore, you need to enforce customer-managed encryption keys (CMEK) for all new Cloud Storage resources in the organization called org1.
What command should you execute?
Answer options
- A. • organization policy: constraints/gcp.restrictStorageNonCmekServices • binding at: org1 • policy type: allow • policy value: all supported services
- B. • organization policy: constraints/gcp.restrictNonCmekServices • binding at: org1 • policy type: deny • policy value: storage.googleapis.com
- C. • organization policy: constraints/gcp.restrictStorageNonCmekServices • binding at: org1 • policy type: deny • policy value: storage.googleapis.com
- D. • organization policy: constraints/gcp.restrictNonCmekServices • binding at: org1 • policy type: allow • policy value: storage.googleapis.com
Correct answer: B
Explanation
The correct answer is B because it sets a deny policy for the storage.googleapis.com service, thereby enforcing the use of CMEK. Option A allows all services, which does not enforce CMEK, while options C and D do not correctly restrict the service for CMEK usage in the organization org1.