Your company has just recently activated Cloud Identity to manage users. The Google Cloud Organization has been configured as well. The security team needs to secure projects that will be part of the Organization. They want to prohibit IAM users outside the domain from gaining permissions from now on. What should they do?
Choose an answer
Tap an option to check your answer.
Correct answer: Configure an organization policy to restrict identities by domain..
Why this is the answer
The correct answer is to configure an organization policy to restrict identities by domain. Organization policies are a powerful way to enforce constraints across all projects within an organization. The constraints/iam.allowedPolicyMemberDomains constraint specifically prevents IAM policies from including members outside of specified domains, ensuring only authorized users can gain permissions. Blocking service account creation is incorrect because service accounts are essential for many Google Cloud services and are distinct from user identities. Using a Cloud Function or a Compute Engine instance with a custom script is an overly complex and reactive approach. It would require continuous monitoring and remediation, which is less efficient and secure than proactively preventing unauthorized access through an organization policy. These manual or programmatic solutions are also prone to errors and might have a delay in enforcement, leaving a window for unauthorized access.
Pass your exam — without the endless answer hunt
Get every verified question and explanation for this exam in one place, and save hours of prep. 1,000+ certifications · 20+ languages · free to start.
Pass your exam faster → No card needed