Google Cloud Professional Cloud Security Engineer — Question 170
You are managing a Google Cloud environment that is organized into folders that represent different teams. These teams need the flexibility to modify organization policies relevant to their work. You want to grant the teams the necessary permissions while upholding Google-recommended security practices and minimizing administrative complexity. What should you do?
Answer options
- A. Create a custom IAM role with the organization policy administrator permission and grant the permission to each team’s folder. Limit policy modifications based on folder names within the custom role’s definition.
- B. Assign the organization policy administrator role to a central service account and provide teams with the credentials to use the service account when needed.
- C. Create an organization-level tag. Attach the tag to relevant folders. Use an IAM condition to restrict the organization policy administrator role to resources with that tag.
- D. Grant each team the organization policy administrator role at the organization level.
Correct answer: C
Explanation
Option C is correct because an IAM condition on a resource tag scopes the Organization Policy Administrator role to exactly the tagged folders, giving each team least-privilege control over its own policies with a single, centrally managed binding. Option A is less effective because a custom role is only a set of permissions; it cannot express restrictions based on folder names, so the intended limit cannot be enforced there. Option B concentrates the privilege in one shared service account and hands out its credentials, which removes individual accountability and creates a single high-value credential to protect. Option D grants the role at the organization level, giving every team far more authority than its own folder requires and opening the door to misuse.