🔥 3-day streak
Professional Cloud Security Engineer86 / 152
Question 86 of 152

Your organization has thousands of projects and a broad set of principals who hold roles that include storage.buckets.delete and compute.instances.delete permissions through various inherited and directly-granted IAM roles. Security leadership mandates that no principal — regardless of any role grant, including at the project level — may delete Cloud Storage buckets across the entire organization, except for a break-glass group named org-admins@example.com. You want a centrally enforced control that overrides existing allow grants without editing every role or policy. What should you do?

Reviewed for accuracy · Report an issueNext question