Google Cloud Professional Cloud Security Engineer — Question 146
You are a Cloud Identity administrator for your organization. In your Google Cloud environment, groups are used to manage user permissions. Each application team has a dedicated group. Your team is responsible for creating these groups and the application teams can manage the team members on their own through the Google Cloud console. You must ensure that the application teams can only add users from within your organization to their groups.
What should you do?
Answer options
- A. Change the configuration of the relevant groups in the Google Workspace Admin console to prevent external users from being added to the group.
- B. Set an Identity and Access Management (IAM) policy that includes a condition that restricts group membership to user principals that belong to your organization.
- C. Define an Identity and Access Management (IAM) deny policy that denies the assignment of principals that are outside your organization to the groups in scope.
- D. Export the Cloud Identity logs to BigQuery. Configure an alert for external members added to groups. Have the alert trigger a Cloud Function instance that removes the external members from the group.
Correct answer: A
Explanation
The correct answer is A. Group membership in Google Cloud is governed by Cloud Identity (the Google Workspace directory), not by IAM, so the control has to be set there: in the Google Workspace Admin console, open each group in scope and turn off "Allow members outside your organization" (and keep the organization-level Groups sharing option that would let group owners add external members switched off). The application teams' group managers can then add only accounts that exist in your Cloud Identity domains, and the rule is enforced at the moment a member is added, whichever console or API the team uses.

Option B does not work because an IAM policy condition restricts which principals receive a role on a Google Cloud resource; it has no effect on who can be added to a group. Option C fails for the same reason: IAM deny policies withhold permissions on Google Cloud resources, and adding a member to a Cloud Identity group is not a resource permission that a deny policy can target. Option D is detective rather than preventive: the external member keeps access until the log export, alert and Cloud Function have run, which leaves a window of exposure and does not satisfy the requirement that external users cannot be added at all.
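The Admin console setting blocks new external additions; members who were already present before the setting was changed should be reviewed separately. The script below is an added example, not part of the original question or of Google's documentation. It assumes the JSON shape printed by `gcloud identity groups memberships list --group-email=GROUP --format=json` (member address under `preferredMemberKey.id`), assumes `example.com` and `corp.example.com` are the organization's domains, and uses constructed sample data rather than a real export.

```python
"""Audit a group's memberships for accounts outside the organization's domains.

Assumed input shape: the JSON array printed by
    gcloud identity groups memberships list --group-email=GROUP --format=json
where each entry carries the member address under preferredMemberKey.id.
"""
import json

# Assumption: primary domain plus one secondary domain of the Cloud Identity account.
# Domain aliases must be listed here too, or internal users will be reported.
ORG_DOMAINS = {"example.com", "corp.example.com"}

# Constructed sample shaped like the gcloud output described above (not real data).
SAMPLE_MEMBERSHIPS_JSON = """
[
  {"name": "groups/abc/memberships/1",
   "preferredMemberKey": {"id": "alice@example.com"}, "roles": [{"name": "OWNER"}]},
  {"name": "groups/abc/memberships/2",
   "preferredMemberKey": {"id": "Bob@Corp.Example.com"}, "roles": [{"name": "MEMBER"}]},
  {"name": "groups/abc/memberships/3",
   "preferredMemberKey": {"id": "contractor@partner.example.org"}, "roles": [{"name": "MEMBER"}]},
  {"name": "groups/abc/memberships/4",
   "preferredMemberKey": {"id": "deploy@proj-123.iam.gserviceaccount.com"}, "roles": [{"name": "MEMBER"}]},
  {"name": "groups/abc/memberships/5",
   "preferredMemberKey": {"id": "platform-team@example.com"}, "roles": [{"name": "MEMBER"}]}
]
"""


def member_domain(address):
    """Return the lower-cased domain part of an address, or None if it has no '@'."""
    if "@" not in address:
        return None
    return address.rsplit("@", 1)[1].lower()


def external_members(memberships, org_domains):
    """Return the member addresses whose domain is not one of the organization's domains.

    The comparison is case-insensitive. A malformed address (no '@') is reported as well,
    because it cannot be shown to be internal. Service accounts live under
    *.iam.gserviceaccount.com and are reported unless that domain is listed explicitly,
    which keeps the check aligned with the requirement of 'users from within the organization'.
    """
    allowed = {d.lower() for d in org_domains}
    flagged = []
    for membership in memberships:
        address = membership.get("preferredMemberKey", {}).get("id", "")
        domain = member_domain(address)
        if domain is None or domain not in allowed:
            flagged.append(address)
    return flagged


def audit(memberships_json, org_domains=ORG_DOMAINS):
    """Parse a gcloud memberships export and return the external addresses found."""
    return external_members(json.loads(memberships_json), org_domains)


if __name__ == "__main__":
    for address in audit(SAMPLE_MEMBERSHIPS_JSON):
        print("external member:", address)
```

Run it against each group's export before and after changing the Admin console setting: an empty result confirms the group holds only organization accounts, and any address it prints is one the setting would not have allowed to be added.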