Exam Associate Cloud Engineer topic 1 question 204 discussion

Answer A An organization policy configures a single constraint that restricts one or more Google Cloud services. The organization policy is set on an organization, folder, or project resource to enforce the constraint on that resource and any child resources. https://cloud.google.com/resource-manager/docs/organization-policy/overview

it's A : IAM is about WHO does WHAT Organization policy is only about WHAT

You can limit the physical location of a new resource with the Organization Policy Service resource locations constraint. https://cloud.google.com/resource-manager/docs/organization-policy/defining-locations

Its A. "Organization Policy" does not indicate that it will be ONLY applied to a organization, it can be applied to any resource within a organization to restrict and add conditions. This policy focus on WHAT and not WHO (IAM). So, since in this case we want to restrict to VMs in US, its clearly the option A. Link: https://cloud.google.com/resource-manager/docs/organization-policy/overview "Identity and Access Management focuses on who, and lets the administrator authorize who can take action on specific resources based on permissions." "Organization Policy focuses on what, and lets the administrator set restrictions on specific resources to determine how they can be configured."

https://cloud.google.com/resource-manager/docs/organization-policy/defining-locations?hl=fr#gcloud

A is the correct answer as you can just add the projects to the same folder and just apply the Organization policy

The organization policy is set on an organization, folder, or project resource to enforce the constraint on that resource and any child resources. An organization policy contains one or more rules that specify how, and whether, to enforce the constraint. A

Restricting resources creation in specific locations can be achieved by Organization policy. The Organization Policy Service gives you centralized and programmatic control over your organization's cloud resources. You can use "Google Cloud Platform - Resource Location Restriction" Organization policy constraint for the solution asked in the question. https://cloud.google.com/resource-manager/docs/organization-policy/overview https://cloud.google.com/resource-manager/docs/organization-policy/org-policy-constraints

https://cloud.google.com/resource-manager/docs/access-control-folders A is wrong, The documentation says it needs a folder admin role to apply folder's IAM policy to limit resources access. A said organization level policies.

c as it cannot be A as it will apply to all folders

Organization policies are made up of constraints that allow you to: Limit resource sharing based on domain. Limit the usage of Identity and Access Management service accounts. Restrict the physical location of newly created resources!!!!!!!!! https://cloud.google.com/resource-manager/docs/organization-policy/overview

C is the correct Answer, It CANNOT be A as setting an organization policy will restrict every single project in the organization and not only the dev projects in the folder. It CANNOT be B either, because projects can only even be created if an organization already exists.

Option A

Option A is the most suitable answer among the provided choices. By creating a folder to contain all the dev projects, you can organize them in a logical structure within your organization. Then, you can apply an organization policy to limit the resources in US locations. This policy can be configured to restrict the creation of cloud resources outside the United States. It provides a centralized approach to enforce the restriction across all the dev projects within the folder.

You need to use "Google Cloud Platform - Resource Location Restriction" organization policy. https://cloud.google.com/resource-manager/docs/organization-policy/org-policy-constraints