
Answer-first summary for fast verification
Answer: • organization policy: constraints/gcp.restrictNonCmekServices • binding at: org1 • policy type: deny • policy value: storage.googleapis.com
The correct answer is B because it uses the proper organization policy constraint 'constraints/gcp.restrictNonCmekServices' with a 'deny' policy type and specifies 'storage.googleapis.com' as the service to enforce CMEK. This configuration prevents the creation of new Cloud Storage buckets without CMEK protection, aligning with the requirement to enforce CMEK for all new Cloud Storage resources. Option A is incorrect as it uses an 'allow' policy type, which does not enforce CMEK. Option C is invalid because 'constraints/gcp.restrictStorageNonCmekServices' is not a recognized Google Cloud policy constraint. Option D is incorrect due to the 'allow' policy type, which fails to enforce CMEK. The community discussion, with 91% consensus and references to Google documentation, strongly supports B as the correct choice.
Author: LeetQuiz Editorial Team
Your company must comply with industry-specific regulations, requiring you to enforce customer-managed encryption keys (CMEK) for all new Cloud Storage buckets in the organization named 'org1'.
What command should you run?
A
• organization policy: constraints/gcp.restrictStorageNonCmekServices • binding at: org1 • policy type: allow • policy value: all supported services
B
• organization policy: constraints/gcp.restrictNonCmekServices • binding at: org1 • policy type: deny • policy value: storage.googleapis.com
C
• organization policy: constraints/gcp.restrictStorageNonCmekServices • binding at: org1 • policy type: deny • policy value: storage.googleapis.com
D
• organization policy: constraints/gcp.restrictNonCmekServices • binding at: org1 • policy type: allow • policy value: storage.googleapis.com