Question:
You need to restrict the source images that can be used to create boot disks. These approved images are located in a dedicated project. What should you do?

A. Use the Organization Policy Service to create a compute.trustedImageProjects constraint at the organization level. List the trusted project as the whitelist in an allow operation.
B. Use the Organization Policy Service to create a compute.trustedImageProjects constraint at the organization level. List the trusted projects as the exceptions in a deny operation.
C. In Resource Manager, edit the project permissions for the trusted project. Add the organization as a member with the role Compute Image User.
D. In Resource Manager, edit the organization permissions. Add the project ID as a member with the role Compute Image User.

Explanation:
The correct answer is A. It uses the Organization Policy Service with the compute.trustedImageProjects constraint at the organization level and explicitly allows only the trusted project through a whitelist in an allow operation. This approach is secure, straightforward, and aligns with Google Cloud best practices for restricting which images may be used to create boot disks. Option B is incorrect because it uses a deny operation with exceptions, which is more complex and harder to manage as the organization grows. Options C and D are incorrect because they rely on IAM roles (Compute Image User) in Resource Manager; those roles grant permission to use images, but they do not enforce an organization-wide restriction on which image sources may be used for boot disks.