Google Professional Cloud Security Engineer Exam - Topic 2 Question 115 Discussion

The problem states that the organization is using Model Garden and needs to ensure users can only access approved models This implies a need for a central, enforceable control mechanism

Organization Policies and Constraints: Google Cloud Organization Policy Service allows administrators to centrally control resources across an organization Constraints are specific types of restrictions that can be applied For AI Platform (which includes Vertex AI and Model Garden), there are specific constraints designed to control model usage

vertexaiallowedModels Constraint: This specific organization policy constraint is designed precisely to restrict which models can be used within a given organization, folder, or project It provides a centralized way to define a list of approved models that users are allowed to accessExtract Reference: 'The vertexaiallowedModels constraint allows you to specify a list of model URIs that are allowed to be used within the resource hierarchy' and 'This constraint helps organizations enforce compliance and control which models are consumed by their users' (Google Cloud documentation, typically found under Organization Policy Service constraints for Vertex AI or AI Platform)

Let's evaluate the other options:

A Configure IAM permissions on individual Model Garden to restrict access to specific models: IAM (Identity and Access Management) typically grants permissions at a broader resource level (eg, project, dataset, model resource) While you can control who can manage models, directly restricting access to specific models within Model Garden for consumption via IAM roles on individual models is not the primary mechanism for enforcing a list of approved models across an organization in a preventative way Organization policies are designed for this kind of broad, preventative control

B Regularly audit user activity logs in Vertex AI to identify and revoke access to unapproved models: Auditing logs is a reactive measure While important for monitoring and detecting violations, it does not prevent users from accessing unapproved models in the first place The requirement is to ensure they can only access approved models, implying a proactive control

C Train custom models within your Vertex AI project and restrict user access to these models: This is about managing access to custom-trained models, not about controlling access to the collection of models in Model Garden, which often includes pre-trained or publicly available models that need to be whitelisted It doesn't address the requirement of ensuring users only access approved models from the broader Model Garden collection