An organization requires that all Compute Engine instances in a project must have a specific tag for firewall rule compliance. How can they enforce this?
Organization Policy constraints evaluated at instance creation. There is no predefined constraint named `compute.requireTags`; the requirement is expressed as a custom organization policy constraint on `compute.googleapis.com/Instance` whose condition checks for the tag, enforced on the project, so that any create or update request without the tag is rejected by the API.
Why this answer
Option C is correct because Organization Policies in Google Cloud can enforce constraints on resources at the API level, including Compute Engine instances. A custom constraint defined against `compute.googleapis.com/Instance` with a CEL condition on the instance's tags, set to deny on CREATE and UPDATE, mandates that every instance carries the tag the firewall rules target; any request that violates it is denied before the resource exists, so compliance does not depend on user behaviour. Note that `compute.requireOsLogin` is unrelated (it forces OS Login for SSH, not tagging), and that firewall rules match on network tags, which are distinct from labels, so the constraint must check the instance's network tags rather than its labels.
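As an added example (not part of the original question or of any Google Cloud sample), the following two YAML fragments show how such a requirement is expressed. The constraint name `custom.requireFirewallTag`, the tag value `fw-web`, the organization ID `123456789` and the project `my-project` are assumed placeholders; the `resource.tags.items` field is assumed to be the instance network-tag list exposed to custom constraints. Check the field name against the current Compute Engine custom-constraint reference before using it.

```yaml
# constraint.yaml: a custom organization policy constraint (assumed names).
# Define it at the organization level with:
#   gcloud org-policies set-custom-constraint constraint.yaml
name: organizations/123456789/customConstraints/custom.requireFirewallTag
resourceTypes:
  - compute.googleapis.com/Instance
methodTypes:
  - CREATE
  - UPDATE
# CEL condition: the request is allowed only if the instance's network tags
# contain the tag the firewall rules target. Everything else is denied.
condition: "'fw-web' in resource.tags.items"
actionType: ALLOW
displayName: Require fw-web network tag on all instances
description: >-
  Every Compute Engine instance must carry the fw-web network tag so that the
  project's firewall rules apply to it.
---
# policy.yaml: enforce the constraint on a project (assumed project ID).
# Apply with:
#   gcloud org-policies set-policy policy.yaml
name: projects/my-project/policies/custom.requireFirewallTag
spec:
  rules:
    - enforce: true
```

Once the policy is set, an `instances.insert` or `instances.update` request whose `tags.items` list lacks `fw-web` fails with a policy violation error, which is the API-level denial the answer relies on; an existing untagged instance is not retroactively changed, so a one-off inventory of current instances is still needed after enforcement begins.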
Exam trap
The trap here is that candidates often confuse IAM roles with Organization Policies and assume that restricting creation permissions (Option A) is sufficient. IAM decides who may call the API; it does not evaluate resource attributes such as network tags in the request body, which is a common misconception in policy-based governance questions.
How to eliminate wrong answers
Option A is wrong because IAM roles control who can create instances, not what tags are applied to them; a role cannot require a specific tag value. Option B is wrong because a startup script runs inside the guest after the instance has been created, so it cannot prevent the creation of an untagged instance; the instance would already exist outside the firewall rules it was supposed to match. Option D is wrong because Cloud Asset Inventory is a detective control for discovering and monitoring resources: it can list instances that are missing the tag after the fact, but it cannot block their creation.