Organization policies in GCP - Cheat Sheet & Quick Revision

Recall & Review
beginner
What is an Organization Policy in Google Cloud?
An Organization Policy is a set of rules that helps control what resources can do in a Google Cloud organization. It acts like a family rulebook to keep things safe and organized.
beginner
How does an Organization Policy affect projects and resources?
Organization Policies apply rules at the organization or folder level and automatically affect all projects and resources inside them, like setting house rules that everyone in the house must follow.
beginner
What is a constraint in the context of Organization Policies?
A constraint is a specific rule you can set in an Organization Policy. For example, a constraint might say "No external IP addresses allowed" to keep resources private.
intermediate
Can Organization Policies be overridden at lower levels like projects?
No, Organization Policies set at higher levels like the organization or folder cannot be overridden by projects. This ensures consistent enforcement of policies across all resources.
intermediate
Why are Organization Policies important for cloud security and management?
They help enforce consistent rules across all resources, prevent risky actions, and make managing many projects easier, like having clear house rules that keep everyone safe and organized.
What is the main purpose of an Organization Policy in Google Cloud?
A. To set rules that control resource behavior across an organization
B. To create virtual machines
C. To monitor network traffic
D. To manage billing accounts
Where can Organization Policies be applied in Google Cloud?
A. Only at the project level
B. At organization, folder, or project levels
C. Only on individual resources
D. Only on billing accounts
What is a constraint in an Organization Policy?
A. A specific rule that restricts resource behavior
B. A type of virtual machine
C. A billing limit
D. A network firewall
Can a project override an Organization Policy set at the organization level?
A. Yes, always
B. Only during billing setup
C. Only if the project owner agrees
D. No, organization-level policies cannot be overridden
Why should organizations use Organization Policies?
A. To increase cloud costs
B. To create more projects
C. To enforce consistent rules and improve security
D. To disable all resources
Explain what an Organization Policy is and how it helps manage resources in Google Cloud.
Think of it like setting house rules for all rooms and people inside.
Describe what a constraint is in Organization Policies and give an example.
Constraints are like specific rules in a rulebook.

      Practice

      1. What is the main purpose of an Organization Policy in Google Cloud?
      easy
      A. To set rules that apply to all projects in a company
      B. To create virtual machines automatically
      C. To monitor network traffic in real-time
      D. To manage billing accounts for users

      Solution

      1. Step 1: Understand the role of organization policies

        Organization policies define rules that apply across all projects and resources in a company to keep them safe and compliant.
      2. Step 2: Compare options with the purpose

        Only "To set rules that apply to all projects in a company" describes setting rules across all projects, which matches the purpose of organization policies.
      3. Final Answer:

        To set rules that apply to all projects in a company -> Option A
      4. Quick Check:

        Organization policies control rules = A [OK]
      Hint: Organization policies set company-wide rules, not individual tasks [OK]
      Common Mistakes:
      • Confusing organization policies with billing or monitoring
      • Thinking policies create resources automatically
      • Assuming policies manage user accounts directly
      2. Which of the following is the correct way to specify a constraint in an organization policy YAML file?
      easy
      A. constraint -> gcp.resourceLocations
      B. constraint = gcp.resourceLocations
      C. constraint: gcp.resourceLocations
      D. constraint() gcp.resourceLocations

      Solution

      1. Step 1: Recall YAML syntax for key-value pairs

        YAML uses colon (:) to assign values to keys, like key: value.
      2. Step 2: Identify correct constraint syntax

        The form constraint: gcp.resourceLocations uses a colon to assign the value to the key, which is valid YAML syntax for specifying a constraint.
      3. Final Answer:

        constraint: gcp.resourceLocations -> Option C
      4. Quick Check:

        YAML key-value uses colon = C [OK]
      Hint: YAML uses colon for key-value pairs, not equals or arrows [OK]
      Common Mistakes:
      • Using equals sign (=) instead of colon (:)
      • Using arrows (->) or parentheses incorrectly
      • Confusing YAML with programming language syntax
      3. Given this organization policy snippet:
      constraint: constraints/compute.disableSerialPortAccess
      listPolicy:
        deniedValues:
        - "true"

      What is the effect of this policy?
      medium
      A. It enables serial port access on all projects
      B. It allows serial port access on compute instances
      C. It disables all compute instances
      D. It denies serial port access on compute instances

      Solution

      1. Step 1: Understand the constraint meaning

        The constraint constraints/compute.disableSerialPortAccess controls serial port access on compute instances ("true" disables access, "false" allows it).
      2. Step 2: Interpret the deniedValues list

        Setting deniedValues: ["true"] denies the value "true", which disables serial port access on compute instances.
      3. Final Answer:

        It denies serial port access on compute instances -> Option D
      4. Quick Check:

        deny "true" disables access = A [OK]
      Hint: Denying 'true' disables serial port access [OK]
      Common Mistakes:
      • Thinking deniedValues means allowed values
      • Confusing serial port access with instance shutdown
      • Assuming the policy enables the feature
      4. You wrote this organization policy YAML:
      constraint: constraints/compute.disableSerialPortAccess
      listPolicy:
        deniedValues:
          - true

      But it does not work as expected. What is the likely error?
      medium
      A. The constraint name is incorrect
      B. The denied value should be a string "true", not boolean true
      C. The listPolicy block is missing required fields
      D. YAML does not support lists under deniedValues

      Solution

      1. Step 1: Check the deniedValues data type

        Organization policies expect deniedValues as strings, so "true" must be quoted.
      2. Step 2: Identify the error cause

        An unquoted true is parsed as a boolean in YAML, causing the policy to fail or behave unexpectedly.
      3. Final Answer:

        The denied value should be a string "true", not boolean true -> Option B
      4. Quick Check:

        Denied values must be strings in YAML [OK]
      Hint: Always quote boolean values as strings in organization policies [OK]
      Common Mistakes:
      • Not quoting boolean values in YAML
      • Assuming constraint names are wrong without checking
      • Thinking lists are not allowed under deniedValues
      5. Your company wants to restrict all projects to only create resources in these regions: us-central1 and europe-west1. Which organization policy configuration achieves this?
      hard
      A.
        constraint: constraints/gcp.resourceLocations
        listPolicy:
          allowedValues:
          - "us-central1"
          - "europe-west1"
      B.
        constraint: constraints/gcp.resourceLocations
        listPolicy:
          deniedValues:
          - "notin:us-central1"
          - "notin:europe-west1"
      C.
        constraint: constraints/gcp.resourceLocations
        listPolicy:
          deniedValues:
          - "us-central1"
          - "europe-west1"
      D.
        constraint: constraints/gcp.resourceLocations
        listPolicy:
          allowedValues:
          - "in:us-central1"
          - "in:europe-west1"

      Solution

      1. Step 1: Understand the constraint for resource locations

        The constraints/gcp.resourceLocations constraint controls the allowed regions for resource creation.
      2. Step 2: Identify correct allowedValues format

        Allowed values should list region names as strings without prefixes like "in:"; the configuration whose allowedValues are "us-central1" and "europe-west1" lists both regions correctly.
      3. Step 3: Eliminate incorrect options

        The configuration with "in:us-central1" uses invalid prefixes. Configurations using deniedValues do not restrict to only those regions: one attempts to deny outside the regions (wrong syntax and logic), the other denies the desired regions (allowing others).
      4. Final Answer:

        constraint: constraints/gcp.resourceLocations listPolicy: allowedValues: - "us-central1" - "europe-west1" -> Option A
      5. Quick Check:

        AllowedValues list regions as strings without prefixes = D [OK]
      Hint: AllowedValues list regions as plain strings, no prefixes [OK]
      Common Mistakes:
      • Using prefixes like 'in:' in allowedValues
      • Using deniedValues instead of allowedValues
      • Misunderstanding constraint syntax for regions