You need to ensure all VMs in your Google Cloud organization can only use a specific, security-hardened OS image stored in a project managed by the security team, while minimizing operational overhead. What should you do? (Choose two.)

Exam-Like

Grant users the compute.imageUser role in their own projects.

Grant users the compute.imageUser role in the OS image project.

Store the image in every project that is spun up in your organization.

Set up an image access organization policy constraint, and list the security team managed project in the project's allow list.

Remove VM instance creation permission from users of the projects, and only allow you and your team to create VM instances.

Google Professional Cloud Security Engineer