Home › GCP Associate Cloud Engineer › cloudcomputing › gcpsetup › Which mechanism on Google Cloud lets a central a…
Which mechanism on Google Cloud lets a central admin enforce a rule like "no externally accessible IPs on Compute Engine VMs" across every project in the organization?
ACloud DNS record sets
BOrganization policies (with constraints applied at Organization/Folder/Project)
CCompute Engine startup scripts
DCloud Storage bucket labels
Answer & Solution
Correct answer: B. Organization policies (with constraints applied at Organization/Folder/Project)
Organization policies let admins set constraints (e.g. `compute.vmExternalIpAccess`) at Organization, Folder, or Project scope; lower levels inherit and can be denied from overriding. Startup scripts, labels, and DNS records can't enforce that policy across the org.
Related questions
An organization wants every project in a specific folder to automatically inherit a policyWhich approach correctly captures Google Cloud's quota model for compute resources?Which IAM role type lets you define the exact list of permissions you want, instead of relA team wants to grant a contractor read-only access to a single Cloud Storage bucket and nCloud Identity vs Google Workspace — which statement is correct?A new application needs to call the BigQuery and Cloud Storage APIs in a project. The APIsWhich Google Cloud principal type is meant to authenticate workloads (e.g. a Compute EnginWhich Google Cloud Identity and Access Management (IAM) concept defines a SET of permissio