Question-58:Your company has just recently activated Cloud Identity to manage users. The Google Cloud Organization has been configured as well. The security team needs to secure projects that will be part of the Organization. They want to prohibit IAM users outside the domain from gaining permissions from now on. What should they do?
A. Establish a policy for the organization that will restrict identities based on domain.
B. Create a policy that prevents new service accounts from being created within your organization.
C. Set up Cloud Scheduler so that it activates a Cloud Function every hour that deletes all users from projects who aren't part of the Cloud Identity domain.
D. Establish a technical user (for example, [email protected]), and then assign that user the role of project owner at the root organization level. Create a bash script that does the following: lists all of the IAM policies that apply to every project in the organization, and deletes every user that is not associated with the company domain. Set up a Compute Engine instance inside an existing project belonging to the Organization, and configure gcloud so that it runs with the credentials of the technical user. Create a cron job that runs the bash script every hour.
Correct Answer: 1
Explanation: Resource Manager provides a domain restriction constraint that can be used in organization policies to limit resource sharing based on domain. This constraint lets you restrict the set of identities that are allowed to be used in IAM policies. Organization policies can use it to restrict resource sharing to a specified set of one or more Google Workspace domains, and exceptions can be granted on a per-folder or per-project basis where necessary. See the article "Override the organization policy for a project" for details on creating exceptions. The domain restriction constraint is not retroactive: once it is set, it applies only to IAM policy changes made from that point forward, not to changes made in the past. Every IAM policy change is subject to the constraint, even when the change is made by a service agent in reaction to another action. For example, if you have an automated service that imports BigQuery datasets, a BigQuery service agent modifies the IAM policy for each newly created dataset after it is imported; because of the domain restriction constraint, that action is blocked. Consider two organizations, examplepetstore.com and altostrat.com. You have granted an identity from examplepetstore.com a role in altostrat.com's IAM policy. Later, you decide to limit access based on domain and create an organization policy with a domain restriction constraint for altostrat.com. In this scenario, the existing examplepetstore.com identities would not lose their access to altostrat.com. 
From that point on, you could grant IAM roles only to identities from the altostrat.com domain.