
Answer-first summary for fast verification
Answer: Enable the compute.restrictXpnProjectLienRemoval organization policy constraint.
The correct solution to restrict Shared VPC project deletion to those with the resourcemanager.projects.updateLiens permission at the organization level is to enable the compute.restrictXpnProjectLienRemoval organization policy constraint. This policy constraint specifically prevents the removal of project liens unless the user has the necessary permissions at the organization level, thereby safeguarding the Shared VPC project from accidental deletion.
Option A suggests managing IAM permissions with Terraform, which does not directly address the requirement of restricting project deletion.
Option B, enabling VPC Service Controls for the container.googleapis.com API service, is unrelated to the issue of project deletion.
Option C, revoking the resourcemanager.projects.updateLiens permission from all users, would prevent anyone from updating liens, which is not the desired outcome as it would block legitimate updates.
Author: LeetQuiz Editorial Team
To prevent accidental deletion of the Shared VPC project, you need to ensure only users with the resourcemanager.projects.updateLiens permission at the organization level can remove the lien and delete the project. What steps should you take to implement this restriction?
A. Instruct teams to only perform IAM permission management as code with Terraform.
B. Enable VPC Service Controls for the container.googleapis.com API service.
C. Revoke the resourcemanager.projects.updateLiens permission from all users associated with the project.
D. Enable the compute.restrictXpnProjectLienRemoval organization policy constraint.