Exam Professional Cloud Security Engineer topic 1 question 200 discussion

Require CMEK protection To require CMEK protection for your organization, configure the constraints/gcp.restrictNonCmekServices organization policy. As a list constraint, the accepted values for this constraint are Google Cloud service names (for example, bigquery.googleapis.com). Use this constraint by providing a list of Google Cloud service names and setting the constraint to Deny. This configuration blocks the creation of resources in these services if the resource is not protected by CMEK. In other words, requests to create a resource in the service don't succeed without specifying a Cloud KMS key. https://cloud.google.com/kms/docs/cmek-org-policy#require-cmek I cannot found the so called "restrictStorageNonCmekServices" in Google document

Policy Name: constraints/gcp.restrictNonCmekServices: This policy ensures that resources in specified Google Cloud services (e.g., Cloud Storage) cannot be created without enabling CMEK. It also prevents the removal of CMEK from existing resources.

B. Existing non-CMEK Google Cloud resources must be reconfigured or recreated manually to ensure enforcement. constraints/gcp.restrictNonCmekServices

B is correct

B is the correct answer https://cloud.google.com/kms/docs/cmek-org-policy#require-cmek

https://cloud.google.com/kms/docs/cmek-org-policy#require-cmek

B is the correct: https://cloud.google.com/kms/docs/cmek-org-policy#example-require-cmek-project

https://cloud.google.com/kms/docs/cmek-org-policy#require-cmek

D is the correct: Use this constraint by configuring a list of resource hierarchy indicators and setting the constraint to Allow. https://cloud.google.com/kms/docs/cmek-org-policy#project-constraint

B https://cloud.google.com/kms/docs/cmek-org-policy#require-cmek