Common cloud cross-exam termsGCP infrastructureSecurity and operationsIntermediate25 min read

What Is Resource hierarchy? Security Definition

Reviewed byJohnson Ajibi· Senior Network & Security Engineer · MSc IT Security
On This Page

Quick Definition

Resource hierarchy is a way cloud platforms organize resources like virtual machines, storage buckets, and databases into a tree-like structure. At the top, you have the organization or root node, then folders or projects, and finally the individual resources themselves. Policies and permissions set at a higher level automatically apply to everything underneath, which simplifies management. This structure helps teams keep their cloud environments secure, organized, and easy to audit.

Commonly Confused With

Resource hierarchyvsResource tagging

Resource tagging is a way to attach metadata labels to resources, such as 'environment: production' or 'owner: finance'. While tags can be used to organize resources and apply policies, they do not create a hierarchical relationship. Tags are flat key-value pairs, whereas the resource hierarchy defines parent-child relationships that enforce policy inheritance. You can have tags on resources in different folders, but the hierarchy itself determines how policies flow down.

A resource with a tag 'environment: dev' can still be in the Finance folder and inherit all Finance folder policies, regardless of the tag. The tag does not change the inheritance path.

Resource hierarchyvsIAM roles

IAM roles are sets of permissions that define what actions a user or service account can perform. IAM roles are assigned at a specific level in the resource hierarchy, such as organization, folder, project, or resource. The resource hierarchy is the structure that determines where roles are applied and how they are inherited. Confusing the two leads to mistakes in policy design.

Assigning the IAM role of Compute Admin at the project level gives permissions only for that project. Assigning it at the folder level gives permissions for all projects in that folder. The hierarchy level matters.

Resource hierarchyvsOrganization policy constraints

Organization policy constraints are rules that restrict the configuration of resources, such as requiring a specific location or disabling public access. They are separate from IAM roles, which determine who can perform actions. Both are applied via the hierarchy, but constraints are enforced by the resource provider itself, not by the identity system. A user might have the IAM role to create a bucket, but if an organization policy restricts bucket location, the creation will fail.

A user with Storage Admin can create a bucket, but if the organization policy only allows us-central1, and they try us-east1, the action is denied even though the IAM role permits it.

Must Know for Exams

The resource hierarchy is a fundamental concept tested in multiple cloud certification exams, especially those from Google Cloud and AWS. In the Google Cloud Associate Cloud Engineer exam, you are expected to understand how to create and manage projects, folders, and organization nodes. You will encounter questions about policy inheritance, such as what happens when a policy is set at the folder level versus the project level. You also need to know how to use organization policies to enforce constraints like resource location or service availability.

In the Google Cloud Professional Cloud Architect exam, the resource hierarchy is even more critical. You are asked to design a cloud architecture that meets business requirements including security, compliance, and cost management. Questions often present a scenario where a company has multiple teams, each with different access needs. You must choose the correct hierarchy structure, such as whether to use folders for departments and projects for environments, and then apply the appropriate IAM roles and organization policies. Understanding inheritance and the evaluation order of deny policies is key to answering these questions correctly.

For AWS certifications, the equivalent concept is AWS Organizations with organizational units (OUs) and service control policies (SCPs). In the AWS Certified Solutions Architect exams, you will see questions about how SCPs work, how they differ from IAM policies, and how they cascade through the hierarchy. For example, an SCP applied to an OU will affect all accounts within that OU. You need to know that SCPs do not grant permissions; they act as a filter that limits what IAM policies can grant. This is a common point of confusion.

In the Azure world, the resource hierarchy involves management groups, subscriptions, and resource groups. Azure exams like AZ-104 and AZ-305 test your ability to design a management group hierarchy for different departments, apply Azure Policy at the management group level, and understand how RBAC roles propagate. Questions may ask you to ensure that a policy applies to all subscriptions in a department but not to others.

Regardless of the platform, exam questions often include scenarios where a developer or team has too much access because the hierarchy was not properly designed. The correct answer usually involves restructuring the hierarchy to enforce least privilege. Another common question pattern asks about the effect of moving a resource between projects or folders, and how that changes the policies that apply. You must understand that moving a resource changes its parent, so its inherited policies change accordingly. This can inadvertently grant or revoke access, which is a classic exam trap.

Simple Meaning

Imagine you are building a large company that owns several buildings. Each building has multiple floors, and each floor has many offices. You need to decide who can enter which offices, and you want to make sure that rules about security, cleaning, and maintenance are followed consistently. You could write separate rules for every single office, but that would be a nightmare to manage. Instead, you set rules at the building level, and those rules automatically apply to every floor and office inside that building. If you want to add a special rule for just one floor, you can do that, but it cannot override the building's main rules.

In cloud computing, the resource hierarchy works exactly like this. The top level is the organization or root account. Below that, you might have folders for different departments, like Engineering, Marketing, and Finance. Inside each folder, you have projects or resource groups. Inside those, you have the actual cloud resources: virtual machines, storage buckets, databases, and so on.

When you set a permission or a policy at the organization level, it flows down and applies to everything underneath. For instance, if you want to ensure that no one can delete logs, you set a policy at the top. That policy automatically protects logs in every project. If you later create a new project, it inherits that same protection. This prevents mistakes and saves a huge amount of administrative work. It also makes it clear who owns what, which is critical for audits and compliance. Without a resource hierarchy, you would have to configure permissions for every single resource individually, which is error-prone and nearly impossible to manage at scale.

Full Technical Definition

Resource hierarchy is a core structural concept in cloud platforms such as Google Cloud Platform (GCP), Amazon Web Services (AWS), and Microsoft Azure. It defines a tree-like arrangement of entities ranging from the organization node down to individual resources. In GCP, the hierarchy consists of the Organization node at the top, followed by Folders, then Projects, and finally Resources. In AWS, the hierarchy is implemented through Organizations with management accounts, organizational units (OUs), and accounts, with services like AWS Identity and Access Management (IAM) applying policies at each level. Azure uses management groups, subscriptions, resource groups, and resources.

At the top of the GCP hierarchy is the Organization node, which represents the company or enterprise. It is linked to a Google Workspace or Cloud Identity domain. Below the Organization, you can create Folders, which are containers for projects. Folders can be nested, allowing deep hierarchical structures that mirror an organization's departmental structure. For example, a folder for Engineering can contain sub-folders for Product Development and Infrastructure. Each folder can have IAM policies attached, and those policies are inherited by all projects and resources within that folder.

Below folders are Projects. Projects are the fundamental unit of resource organization in GCP. Every resource must belong to exactly one project. Projects act as boundaries for billing, APIs, and permissions. IAM policies set at the project level apply to all resources within that project. Finally, at the bottom are the individual Resources, such as Compute Engine instances, Cloud Storage buckets, or BigQuery datasets.

A critical technical aspect of the resource hierarchy is policy inheritance. Policies, including IAM roles and organization policies, are inherited from parent to child. A policy set at the Organization level applies to all folders, projects, and resources. A policy set at a folder level applies to all projects and resources within that folder, but not to sibling folders. This inheritance is additive and cannot be bypassed by child entities. However, deny policies can be set to explicitly block inheritance for specific permissions, providing granular control.

The resource hierarchy also supports organization policies, which constrain how resources can be configured. For example, an organization policy might restrict the location where resources can be created or enforce that all storage buckets must be encrypted with customer-managed keys. These policies are enforced at the hierarchy level and cannot be overridden at the project or resource level unless explicitly allowed by the policy structure.

Understanding the resource hierarchy is essential for designing secure, scalable, and auditable cloud environments. It directly impacts how access controls, compliance requirements, and cost tracking are implemented. In exams like the Google Cloud Associate Cloud Engineer and Professional Cloud Architect, questions about policy inheritance and hierarchy design are common. In AWS exams, similar concepts appear under AWS Organizations and IAM policy evaluation logic.

Real-Life Example

Think of a large hospital with multiple departments: Cardiology, Neurology, Emergency, and Administration. The hospital has a central administration office that sets rules for the entire building, such as visiting hours, security protocols, and hygiene standards. These rules apply to every department automatically. Now, each department has its own manager who can add department-specific rules, like which staff can access certain patient records or which equipment can be used. However, the department rules cannot break the hospital-wide rules. For example, the hospital says no smoking anywhere, and the Cardiology department cannot allow smoking in its wing.

Within each department, there are units or floors. The Neurology department might have a pediatric unit and an adult unit. The department manager can assign different access levels for each unit. For instance, only pediatric nurses can enter the pediatric unit. These unit-level rules are inherited from the department rules, which in turn inherit from the hospital rules. If the hospital later decides to require badge access for all doors after 8 PM, that rule applies everywhere without needing to update each unit.

In the cloud, the hospital is your organization. The departments are folders, the units are projects, and the individual rooms are resources like virtual machines. The hospital-wide rules are organization policies. Department rules are folder-level IAM policies. Unit rules are project-level policies. If you set a policy that all resources must be in the US region, that applies to everything. This hierarchy makes it possible to manage thousands of resources with a few clicks, ensuring consistency and security across the entire environment. It also makes it easy to audit who has access to what, because you can check policies at each level and see exactly how they flow down.

Why This Term Matters

In any real-world cloud deployment, you will have dozens, hundreds, or even thousands of cloud resources. Managing permissions and policies for each resource individually is not only impractical but also dangerous. If a single resource is misconfigured, it can lead to a data breach, unexpected costs, or downtime. The resource hierarchy solves this by allowing you to manage policies at a high level and have them automatically apply to all underlying resources. This dramatically reduces the number of configuration points and the chance of human error.

From a security perspective, the hierarchy is crucial for enforcing the principle of least privilege. You can grant broad permissions to a team at the folder level, and then restrict specific permissions at the project level. For example, you might give a development team full access to a development folder, but only read-only access to the production folder. This separation is enforced by the hierarchy, making it impossible for a developer to accidentally modify production resources.

From an operational standpoint, the hierarchy simplifies cost tracking and resource management. Cloud providers offer billing reports that aggregate costs by folder or project. This allows finance teams to see exactly how much each department is spending. Similarly, resource naming and tagging policies can be enforced at the folder level, ensuring consistency across all projects.

Compliance is another major reason why the hierarchy matters. Regulations like GDPR or HIPAA require strict controls over data location, encryption, and access. Organization policies can enforce these controls globally. For example, you can set a policy that all Cloud Storage buckets must have encryption enabled, or that no resource can be created outside of the European Union. This ensures compliance without relying on individual developers to remember the rules.

the resource hierarchy is the backbone of cloud governance. It enables centralized control, reduces complexity, and provides a clear structure for managing access and policies at scale. Without it, managing a large cloud environment would be chaotic and insecure.

How It Appears in Exam Questions

Questions about the resource hierarchy appear in several common patterns. One pattern is scenario-based. For example, a company has a central IT team that needs full access to all resources, and development teams that need access only to their own projects. The question asks which configuration best meets these requirements. The correct answer would involve placing the IT team's IAM policy at the organization or folder level, and development teams at the project level, with appropriate deny policies to prevent cross-project access.

Another pattern is inheritance and override. A question might state that an organization policy prevents the creation of resources outside the US, but a project in Europe was created and then moved to a different folder. The question asks whether resources can now be created in Europe. The answer is no, because the organization policy still applies regardless of folder placement. You need to know that organization policies are inherited and cannot be overridden by lower levels unless the policy itself allows exceptions.

Troubleshooting questions also appear. For instance, a user reports that they cannot delete a storage bucket, even though they have the Storage Admin role on the project. The issue is that a deny policy at the organization level explicitly denies the storage.buckets.delete permission. The question tests whether you can trace the deny policy back through the hierarchy and identify the correct level where the deny is applied.

There are also configuration questions where you are asked to create a folder structure for a company with multiple business units. You must determine the correct parent-child relationships and where to assign certain IAM roles. For example, you might need to create folders for Sales and Marketing, and then create projects under each for different applications. The question might ask where to assign the role of Project Creator so that users in Marketing can create their own projects but not affect Sales. The correct answer is to assign the role at the Marketing folder level, not the organization level.

Finally, some questions focus on the limitations of the hierarchy. For example, a question might ask what happens when you remove a user from a folder-level role but they still have access to a project within that folder. You must realize that the user might have a direct role on the project, which is separate from the inherited role. The hierarchy does not override direct assignments; it only adds to them. Understanding this additive nature is critical for exam success.

Practise Resource hierarchy Questions

Test your understanding with exam-style practice questions.

Practise

Example Scenario

You are the cloud administrator for a company called HealthTech Inc. The company has three departments: Research, Clinical Trials, and Finance. Each department uses a cloud project for its applications. The Research department has a project for data analysis, Clinical Trials has a project for patient enrollment, and Finance has a project for billing. The CEO wants to ensure that the Finance project is highly secure and that only the finance team can access it. The company has a policy that all resources must be stored in the United States for compliance reasons.

You decide to use the resource hierarchy to enforce these requirements. First, you create an organization node for HealthTech Inc. At the organization level, you set an organization policy that restricts all resource creation to the us-central1 region. This policy automatically applies to every folder and project underneath, so no one can accidentally spin up a resource in Europe or Asia.

Next, you create three folders under the organization: Research, Clinical Trials, and Finance. You move each department's existing project into its respective folder. For the Finance folder, you assign the IAM role of Finance Admin (a custom role) at the folder level, granting full access to the finance team members. You also add a deny policy at the Finance folder that explicitly prevents anyone outside the finance team from accessing resources within that folder. This deny policy is inherited by the Finance billing project, making it impossible for researchers or clinical staff to access financial data.

Now, if a researcher tries to create a new project, they can do so under the Research folder. The organization policy still restricts the region, but the researcher has full control within their own project. If a new developer joins the Clinical Trials team, you simply add them to the Clinical Trials folder's IAM policy, and they automatically get access to all projects in that folder.

Later, the finance team asks for a new project for auditing. You create a new project inside the Finance folder without any additional IAM changes. The new project automatically inherits the deny policy and the region restriction, so it is secure from the start. This hierarchy saves you from having to configure permissions every single time, and it ensures consistency across all resources.

Common Mistakes

Assuming that policies set at a lower level can override policies set at a higher level.

In cloud resource hierarchies, inheritance is additive. Higher-level policies (like those at the organization or folder level) cannot be overridden by lower-level policies. A deny policy at the top level will always block access, even if a lower-level policy grants it.

Always design your hierarchy so that the most restrictive policies are placed at the highest level possible. Use lower levels only to grant additional permissions that do not conflict with higher-level denys.

Placing all users and resources in a single project without using folders.

Without a hierarchy, you lose the ability to apply policies consistently across teams. Every policy must be applied to each project individually, increasing administrative overhead and the risk of misconfiguration.

Use folders to group related projects, and apply IAM policies and organization policies at the folder level. This makes management scalable and reduces errors.

Confusing the effect of moving a resource between projects or folders on its inherited policies.

Moving a resource changes its parent in the hierarchy. The resource will lose the policies inherited from its old parent and gain the policies of its new parent. This can unexpectedly grant or revoke access.

Before moving any resource, carefully review the IAM policies and organization policies of the destination folder or project. Use the 'get-iam-policy' command to simulate the policy set after the move.

Thinking that IAM roles applied at the project level automatically apply to resources in other projects within the same folder.

IAM roles are not transitive across sibling projects. A role granted at the project level only applies to that specific project. To affect multiple projects, the role must be assigned at the folder or organization level.

To grant access to all projects in a folder, assign the role at the folder level, not at the project level.

Overlooking that organization policies (like constraints) are separate from IAM policies and have different inheritance rules.

Organization policies can have specific behavior depending on whether they are list constraints, boolean constraints, or deny policies. Some organization policies can be overridden at lower levels if the policy is configured to allow exemptions.

Read the documentation for each organization policy type carefully. In exams, always check whether the policy description mentions 'overridable' or 'allow exceptions' before assuming it is absolute.

Exam Trap — Don't Get Fooled

{"trap":"A question shows that a user has a role at the project level that grants delete permission on a resource, but a deny policy at the folder level denies the same action. The user cannot delete the resource. The question asks why, and the options include 'the user lacks the role at the folder level' or 'the user must also have the role at the organization level'."

,"why_learners_choose_it":"Learners often think that because permissions are additive, having a grant at a lower level should override a deny at a higher level. They also may think that a deny is only effective if it is applied at the same level as the grant. This misunderstanding comes from confusing IAM policy evaluation with routing or inheritance in traditional IT."

,"how_to_avoid_it":"Remember that in cloud platforms, deny policies always take precedence over allow policies, regardless of the hierarchy level. This is called 'deny by default' in GCP and 'explicit deny' in AWS. Always evaluate denies first.

If an explicit deny exists anywhere in the hierarchy, the action is blocked. The only exception is when a higher-level policy grants an override, which is extremely rare in exam scenarios."

Step-by-Step Breakdown

1

Identify the root or organization node

The top of the hierarchy is the organization node, which represents your entire enterprise. This node is typically linked to a domain like your company's Google Workspace or Cloud Identity. All other entities fall under this node. Setting policies here ensures they apply to everything.

2

Create folders to represent business units or departments

Folders are containers that group projects. They can be nested, allowing you to mirror your company's structure. For example, you might have a folder for Engineering, with sub-folders for Product Development and QA. Folders are optional but highly recommended for multi-project environments.

3

Assign IAM policies at the folder level

Once folders exist, you can attach IAM roles to them. A user who gets the Viewer role on a folder can see all projects and resources within that folder. This centralizes access management and reduces the need to assign roles on individual projects.

4

Create projects under the appropriate folders

Projects are the fundamental resource containers. Each project belongs to exactly one folder (or directly to the organization). When you create a project inside a folder, it automatically inherits all policies from the folder and above. This is where your actual cloud resources will live.

5

Apply organization policies to enforce constraints

Organization policies are rules like 'disable public access to storage' or 'restrict resource locations'. These are applied at the organization or folder level and override any lower-level settings. They ensure compliance without relying on individual user behavior.

6

Place individual resources within projects

Finally, you create resources like virtual machines, databases, or storage buckets inside the projects. Each resource inherits all policies from its project, folder, and organization. This ensures consistent governance across all resources.

7

Review and audit policy inheritance regularly

As teams change and projects move, you need to audit who has access to what. Use tools like Cloud Asset Inventory or IAM Recommender to view effective policies. Understand that moving a project to a different folder changes its inherited policies, so document all moves carefully.

Practical Mini-Lesson

In practice, the resource hierarchy is not just a theoretical concept. It is the foundation of every cloud governance strategy. When you first set up a cloud environment, you need to decide on the structure of your hierarchy. Many professionals start by creating a single organization node and then adding folders for each major business unit. For example, a company might have folders for Engineering, Sales, and HR. Within Engineering, there might be sub-folders for Development, Testing, and Production. This mirrors the real-world separation of duties.

Once the folders are in place, you create projects. Each project is a container for resources related to a specific application or service. For instance, the Development sub-folder might contain a project called 'dev-app-server' and another called 'dev-database'. The Production sub-folder might have 'prod-app-server' and 'prod-database'. The key is to keep the hierarchy as flat as possible while still reflecting organizational boundaries. Too many levels can become confusing, but too few can lead to overly broad permissions.

A common real-world challenge is managing the movement of projects. When a team reorganizes, projects might need to move from one folder to another. This is not a simple drag-and-drop operation; it changes the effective policies. Before moving a project, you must simulate what policies the project will inherit in the new location. You can do this by listing the IAM policies of the destination folder and checking organization policies that apply. In GCP, the gcloud command 'gcloud projects get-iam-policy' can help you verify. If the new folder has a deny policy that conflicts with the project's expected permissions, you need to adjust either the project or the folder policy before moving.

Another practical consideration is using service accounts with the resource hierarchy. Service accounts are identities used by applications. They can be granted roles at various levels. A common mistake is to grant a service account too broad a role at the organization level. For example, granting a service account the Editor role on the organization allows it to modify any resource. Instead, grant the service account only the specific roles it needs at the folder or project level. This follows least privilege.

Cost management also ties into the hierarchy. Cloud providers allow you to set budgets and alerts at the project or folder level. You can track spending per department by analyzing costs at the folder level. This helps in allocating costs accurately to different teams.

Finally, automation is a huge benefit. Tools like Terraform and Deployment Manager allow you to define your entire resource hierarchy as code. You can version-control your folder structure, project configurations, and IAM policies. This makes it reproducible and auditable. When a new team needs a dedicated environment, you can deploy a new folder and project from your configuration repository in minutes, and security policies are automatically applied. This is how large enterprises manage thousands of resources consistently.

Memory Tip

Think of the resource hierarchy as a family tree: grandparents (organization) set the house rules, parents (folders) add family rules, and children (projects) inherit everything, but can also have their own room rules as long as they don't break house rules.

Covered in These Exams

Current Exam Context

Current exam versions that test this topic — use these objectives when studying.

Related Glossary Terms

Frequently Asked Questions

Can I have a resource hierarchy without using folders?

Yes, you can place projects directly under the organization node without using folders. However, this makes policy management harder because you cannot apply policies to a group of related projects at once. Folders are recommended for any environment with more than a few projects.

When you move a project, it loses all policies inherited from the old folder and gains the policies inherited from the new folder. Policies that were directly set on the project itself remain unchanged. Always audit the new folder's policies before moving a project.

When you move a project, it loses all policies inherited from the old folder and gains the policies inherited from the new folder. Policies that were directly set on the project itself remain unchanged. Always audit the new folder's policies before moving a project.

Can a user have permissions at the organization level but not at the project level?

Yes. If a user has a role at the organization level, that role applies to all resources in the organization, including all projects. So they effectively have that permission everywhere. However, if a deny policy exists at a lower level, it can block them despite the organization-level grant.

What is the difference between an organization policy and an IAM policy?

An IAM policy controls who can do what on a resource (permissions). An organization policy controls what configurations are allowed on resources (constraints). Both are inherited through the hierarchy, but they work independently. You need both to fully secure your environment.

How deep can I nest folders in GCP?

Google Cloud allows up to 10 levels of folder nesting. Beyond that, the hierarchy becomes too complex to manage. In practice, most organizations use 3-5 levels to keep it manageable.

Is it possible to have a resource that is not under any project?

No. In GCP, every resource must belong to exactly one project. The project is the outermost container for resources. There is no way to create a resource outside a project.

Summary

The resource hierarchy is a structured, tree-like organization of cloud resources that enables centralized management of access control, policies, and compliance. It starts with an organization node at the top, optionally includes folders for grouping, and then projects that contain individual resources. Policies set at higher levels automatically flow down to lower levels through inheritance, making it easy to enforce consistent rules across an entire cloud environment.

This concept is not just theoretical. In real-world cloud administration, the resource hierarchy is the foundation for implementing least privilege, cost tracking, and compliance. It reduces the risk of human error by eliminating the need to configure every resource manually. Understanding how policies inherit, how deny policies compare to allow policies, and how moving resources affects permissions is critical for any cloud professional.

For exam takers, the resource hierarchy appears in almost every major cloud certification, including GCP Associate Cloud Engineer, GCP Professional Cloud Architect, AWS Solutions Architect, and Azure Administrator. You will face scenario-based questions that test your ability to design a hierarchy, apply policies correctly, and troubleshoot permission problems. The most common trap is misunderstanding that deny policies at a higher level cannot be overridden by lower-level grants. Always remember the additive nature of inheritance and the precedence of denies.

Ultimately, mastering the resource hierarchy equips you to design secure, scalable, and auditable cloud systems. It is one of the most powerful concepts in cloud computing, and it will serve you throughout your career in IT.