Learn the best practice for configuring organization policies and log sinks in Google Cloud to comply with department-specific security policies while preventing removal by project users.
Question
You are a Google Cloud organization administrator. You need to configure organization policies and log sinks on Google Cloud projects that cannot be removed by project users to comply with your company’s security policies. The security policies are different for each company department. Each company department has a user with the Project Owner role assigned to their projects. What should you do?
A. Use a standard naming convention for projects that includes the department name. Configure organization policies on the organization and log sinks on the projects.
B. Use a standard naming convention for projects that includes the department name. Configure both organization policies and log sinks on the projects.
C. Organize projects under folders for each department. Configure both organization policies and log sinks on the folders.
D. Organize projects under folders for each department. Configure organization policies on the organization and log sinks on the folders.
Answer
C. Organize projects under folders for each department. Configure both organization policies and log sinks on the folders.
Explanation
- Organizational structure:
  – Organizing projects under folders for each department is the most effective way to manage department-specific policies. This hierarchical structure allows for granular control and easier management of resources.
- Organization policies:
  – Configuring organization policies at the folder level allows you to set different policies for each department. This is more flexible than setting policies at the organization level, which would apply to all projects.
  – Folder-level policies are inherited by all projects within that folder, ensuring consistency across department projects.
- Log sinks:
  – Configuring log sinks at the folder level ensures that all projects within a department have the same logging rules applied.
  – This approach centralizes log management for each department, making it easier to monitor and analyze logs.
- Prevention of removal:
  – Policies and log sinks configured at the folder level cannot be removed by project users, even if they have the Project Owner role. This meets the requirement of preventing removal by project users.
- Flexibility and scalability:
  – This approach allows for easy addition of new projects to a department's folder, automatically inheriting the appropriate policies and log sinks.
  – It also facilitates changes to department-wide policies without having to modify each project individually.
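As an added example (not part of the original question or answer), the script below applies the option C design with gcloud: one folder per department, organization-policy constraints enforced on the folder, and an aggregated log sink on the folder that collects logs from every child project. The organization id, bucket name, constraints and log filter are assumed placeholder values; setting GCLOUD=echo prints the commands instead of running them.

```shell
set -eu
GCLOUD="${GCLOUD:-gcloud}"   # set GCLOUD=echo to dry-run (print commands instead of executing)

# Create one folder per department directly under the organization.
# Prints the new folder's resource name, e.g. "folders/123456789".
create_department_folder() {
  org_id="$1"; dept="$2"
  "$GCLOUD" resource-manager folders create --display-name="$dept" \
    --organization="$org_id" --format='value(name)'
}

# Enforce a boolean organization-policy constraint on the folder. Every project
# under the folder inherits it; a Project Owner cannot remove it because the
# policy lives on the folder, not on the project. Accepts "folders/ID" or "ID".
enforce_folder_constraint() {
  folder="$1"; constraint="$2"
  "$GCLOUD" resource-manager org-policies enable-enforce "$constraint" \
    --folder="${folder#folders/}"
}

# Create an aggregated log sink on the folder. --include-children exports logs
# from every project in the folder, including projects added later. Editing or
# deleting it requires roles/logging.configWriter on the folder, which the
# Project Owner role on a child project does not grant.
create_folder_sink() {
  folder="$1"; sink="$2"; bucket="$3"; filter="$4"
  "$GCLOUD" logging sinks create "$sink" "storage.googleapis.com/$bucket" \
    --folder="${folder#folders/}" --include-children --log-filter="$filter"
}

# The sink writes with a Google-managed service account (writerIdentity); grant
# it objectCreator on the destination bucket, otherwise exports fail silently.
grant_sink_writer() {
  folder="$1"; sink="$2"; bucket="$3"
  writer=$("$GCLOUD" logging sinks describe "$sink" \
    --folder="${folder#folders/}" --format='value(writerIdentity)')
  "$GCLOUD" storage buckets add-iam-policy-binding "gs://$bucket" \
    --member="$writer" --role=roles/storage.objectCreator
}

# Constructed example run; executes only when invoked as: sh setup.sh apply
if [ "${1:-}" = "apply" ]; then
  ORG_ID="123456789012"              # placeholder organization id
  LOG_BUCKET="finance-audit-logs"    # placeholder, pre-created bucket
  FOLDER=$(create_department_folder "$ORG_ID" "Finance")
  enforce_folder_constraint "$FOLDER" compute.disableSerialPortAccess
  enforce_folder_constraint "$FOLDER" iam.disableServiceAccountKeyCreation
  create_folder_sink "$FOLDER" finance-audit-sink "$LOG_BUCKET" \
    'logName:"cloudaudit.googleapis.com"'
  grant_sink_writer "$FOLDER" finance-audit-sink "$LOG_BUCKET"
fi
```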
Why the other options are incorrect:
A and B: Using a naming convention alone doesn’t provide the necessary control over policies and log sinks. It also doesn’t prevent project owners from modifying or removing these configurations.
D: While this option correctly organizes projects under folders, configuring organization policies at the organization level wouldn’t allow for department-specific policies.
In conclusion, option C provides the most effective and secure way to implement department-specific security policies while ensuring that project users cannot remove these configurations.