Exam Professional Cloud Security Engineer topic 1 question 127 discussion

Answer is (B). This boolean constraint restricts the set of users that can remove a Shared VPC project lien without organization-level permission where this constraint is set to True. https://cloud.google.com/resource-manager/docs/organization-policy/org-policy-constraints

B is the answer. https://cloud.google.com/resource-manager/docs/organization-policy/org-policy-constraints#constraints-for-specific-services - constraints/compute.restrictXpnProjectLienRemoval - Restrict shared VPC project lien removal This boolean constraint restricts the set of users that can remove a Shared VPC host project lien without organization-level permission where this constraint is set to True. By default, any user with the permission to update liens can remove a Shared VPC host project lien. Enforcing this constraint requires that permission be granted at the organization level.

To prevent users from accidentally deleting a Shared VPC host project, you should enable the compute.restrictXpnProjectLienRemoval organization-level policy constraint . This policy constraint limits IAM principals who can remove the lien that prevents deletion of host projects . By default, a project owner can remove a lien from a project, including a Shared VPC host project, unless an organization-level policy is defined to limit lien removal . Therefore, option B is the correct answer.

"B" GCP Shared VPC is formerly known as Google Cross-Project Networking (XPN) and still referred to as "XPN" in the API. References: https://cloud.google.com/vpc/docs/shared-vpc https://cloud.google.com/resource-manager/docs/organization-policy/org-policy-constraints#constraints-for-specific-services

https://cloud.google.com/resource-manager/docs/organization-policy/org-policy-constraints