
Answer-first summary for fast verification
Answer: Grant users the compute.imageUser role in the OS image project. Set up an image access organization policy constraint, and list the security team managed project in the project's allow list.
The correct answers are B and D. Option B (Grant users the compute.imageUser role in the OS image project) is necessary because it allows users across the organization to access and use the hardened OS image from the central security team's project without requiring the image to be duplicated. Option D (Set up an image access organization policy constraint, and list the security team managed project in the project's allow list) ensures that only images from the trusted security team project can be used for VM creation, enforcing the requirement that all VMs use only the specific hardened OS image. This combination minimizes operational overhead by centralizing image management and restricting access through organization policies. Option A is inefficient as it requires managing permissions in every user project. Option C increases overhead by duplicating the image across all projects. Option E is overly restrictive and does not specifically enforce the use of the hardened image.
Author: LeetQuiz Editorial Team
You need to ensure all VMs in your Google Cloud organization can only use a specific, security-hardened OS image stored in a project managed by the security team, while minimizing operational overhead. What should you do? (Choose two.)
A. Grant users the compute.imageUser role in their own projects.
B. Grant users the compute.imageUser role in the OS image project.
C. Store the image in every project that is spun up in your organization.
D. Set up an image access organization policy constraint, and list the security team managed project in the project's allow list.
E. Remove VM instance creation permission from users of the projects, and only allow you and your team to create VM instances.