Google Cloud Professional Cloud Security Engineer — Question 208
You are responsible for configuring Identity and Access Management in your organization's Google Cloud environment. You need to restrict your organization's users from accessing Cloud Storage buckets in other Google Cloud organizations. What should you do?
Answer options
- A. Set a principal access boundary policy with the appropriate enforcement version. Bind the policy to the principals of your organization.
- B. Configure organization restriction headers for your environment. Only include the organization ID of your organization in the list of allowed resources.
- C. Create an IAM deny policy on the organization level that prevents access to Cloud Storage buckets outside the organization.
- D. Enforce domain restricted sharing in your organization. Configure a managed constraint, and only include the principals in your organization.
Correct answer: A
Explanation
The correct answer is A: a principal access boundary policy limits which resources a set of principals can access, and binding it to your organization's principals restricts them from accessing Cloud Storage buckets in other organizations. Option B is incorrect because organization restriction headers do not provide the IAM configuration needed for this access management. Option C is not suitable because IAM deny policies are not the preferred method for configuring this kind of access restriction. Option D, while useful for controlling domain sharing, does not directly address your users' access to Cloud Storage buckets in other organizations.