
Answer-first summary for fast verification
Answer: Use the Organization Policy Service to create a compute.trustedImageProjects constraint on the organization level. List the trusted project as the whitelist in an allow operation.
The correct answer is A because it uses the Organization Policy Service with the compute.trustedImageProjects constraint at the organization level, explicitly allowing only the trusted project via a whitelist in an allow operation. This approach is secure, straightforward, and aligns with Google Cloud best practices for restricting image usage. Option B is incorrect as it uses a deny operation with exceptions, which is more complex and harder to manage as the organization grows. Options C and D are incorrect because they involve IAM roles (Compute Image User) in Resource Manager, which do not enforce organization-wide restrictions on image sources for boot disks; they only grant permissions to use images, not limit which images can be used.
Author: LeetQuiz Editorial Team
You need to restrict the source images that can be used to create boot disks. These approved images are located in a dedicated project. What should you do?
A
Use the Organization Policy Service to create a compute.trustedImageProjects constraint on the organization level. List the trusted project as the whitelist in an allow operation.
B
Use the Organization Policy Service to create a compute.trustedImageProjects constraint on the organization level. List the trusted projects as the exceptions in a deny operation.
C
In Resource Manager, edit the project permissions for the trusted project. Add the organization as member with the role: Compute Image User.
D
In Resource Manager, edit the organization permissions. Add the project ID as member with the role: Compute Image User.