The requirements are a combination of preventative and detective controls (prevent and detect misconfigurations) applied at the folder level to meet both industry-specific (predefined standards) and internal/custom policies. The dedicated Google Cloud feature for this is Security Posture Management in Security Command Center (SCC).
Postures and Enforcement: A Security Posture is a feature within SCC Premium/Enterprise that allows you to define, deploy, and monitor the security status of your cloud assets. You can deploy postures at the organization, folder, or project level to enforce standards.
Custom and Predefined Policies: A posture combines both:
Predefined Policies: Using Security Health Analytics (SHA) detectors and mapped standards (like CIS, ISO 27001, PCI DSS) covers the industry-specific compliance requirements (detection).
Custom Policies: Using custom Organization Policy constraints and custom SHA modules allows you to enforce your internal company policies and detect violations of them (prevention and detection).
Extracts:
"In Google Cloud, you can use the security posture service in Security Command Center to define and deploy a security posture, monitor the security status of your Google Cloud resources..." (Source 2.3)
"You can deploy postures at the organization level, folder level, or project level." (Source 2.3)
"The security posture service includes the following components: Posture. One or more policy sets that enforce the preventative and detective controls that your organization requires to meet its security standard... Supported policies are the following: Organization Policy constraints, including custom constraints [Preventative]. Security Health Analytics detectors, including custom modules [Detective]." (Source 2.3, 8.2)
Option C correctly identifies the comprehensive solution for both prevention and detection using a Posture file, which supports custom and predefined policies enforced at the required scope (folder).
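A posture file of the kind described above, as an added example that is not part of the original explanation. It pairs one predefined and one custom policy for each control type. ORG_ID, the posture ID, the policy IDs, and the particular constraints and detectors chosen are illustrative placeholders.

```yaml
# Added example. ORG_ID and every ID below are placeholders, not values from the page.
name: organizations/ORG_ID/locations/global/postures/folder_baseline
state: ACTIVE
description: Preventative and detective controls for one folder
policySets:
- policySetId: predefined_controls
  description: Built-in constraint and built-in detector
  policies:
  - policyId: uniform_bucket_access            # preventative, predefined
    constraint:
      orgPolicyConstraint:
        cannedConstraintId: storage.uniformBucketLevelAccess
        policyRules:
        - enforce: true
  - policyId: detect_bucket_policy_only_off    # detective, predefined
    constraint:
      securityHealthAnalyticsModule:
        moduleName: BUCKET_POLICY_ONLY_DISABLED
        moduleEnablementState: ENABLED
- policySetId: internal_controls
  description: Company-specific rules
  policies:
  - policyId: deny_nodepool_no_autoupgrade     # preventative, custom
    constraint:
      orgPolicyConstraintCustom:
        customConstraint:
          name: organizations/ORG_ID/customConstraints/custom.gkeAutoUpgrade
          resourceTypes:
          - container.googleapis.com/NodePool
          methodTypes:
          - CREATE
          - UPDATE
          condition: "resource.management.autoUpgrade == false"
          actionType: DENY
          displayName: Require node auto-upgrade
        policyRules:
        - enforce: true
  - policyId: detect_slow_kms_rotation         # detective, custom
    constraint:
      securityHealthAnalyticsCustomModule:
        displayName: kmsRotationOver30Days
        config:
          predicate:
            expression: "resource.rotationPeriod > duration('2592000s')"
          resourceSelector:
            resourceTypes:
            - cloudkms.googleapis.com/CryptoKey
          severity: MEDIUM
          description: KMS key rotation period exceeds 30 days
          recommendation: Set the rotation period to 30 days or less
        moduleEnablementState: ENABLED
```

The posture itself is an organization resource; the folder scope comes from the posture deployment, whose target resource would be folders/FOLDER_ID in this scenario.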