You have set the constraint constraints/compute.disableSerialPortAccess to ENFORCED at the organization level in Google Cloud. What is the expected behavior for all VM instances in projects under this organization?
Think about how organization policies enforce constraints across all projects and resources.
Organization policies with constraints set to ENFORCED apply to all resources under the organization and cannot be overridden at lower levels. Therefore, serial port access is disabled for all VM instances regardless of project or instance settings.

You want to restrict all projects in your organization to creating resources only in the us-central1 and us-east1 regions. Which organization policy constraint should you apply, and where should it be set?
Consider which constraint controls resource location restrictions and the scope of enforcement.
The constraints/gcp.resourceLocations constraint controls where resources can be created. Setting it at the organization level restricts all projects under it. The constraints/compute.allowedRegions constraint does not exist.

An organization policy is set to constraints/iam.disableServiceAccountKeyCreation with ENFORCED at the folder level. What will happen if a user tries to create a new service account key in a project under that folder?
Think about how organization policies propagate and enforce security constraints.
The constraints/iam.disableServiceAccountKeyCreation constraint set to ENFORCED at the folder level blocks all service account key creation in projects under that folder, regardless of user roles.

An organization policy constraints/compute.vmExternalIpAccess is set to ENFORCED at the organization level to deny external IPs on VMs. However, at a specific project, the same constraint is set to NOT_ENFORCED. What is the effective behavior for VM instances in that project?
Consider the hierarchy and precedence of organization policies.
Organization policies set at higher levels (organization) override conflicting policies at lower levels (project). Therefore, the ENFORCED deny on external IPs at the organization level takes precedence.

Your company has multiple teams managing projects under a single organization. You want to enforce a policy that restricts VM instance machine types to a predefined list but allows teams to add more machine types if needed. What is the best way to implement this using organization policies?
Think about how organization policies enforce constraints and how exceptions can be managed.
Organization policies do not support additive overrides for allowed values. To maintain control and security, set the allowed machine types at the organization level and require teams to request changes through a central admin who updates the policy. This ensures consistent enforcement and auditability.