An organization has a Shared VPC with several service projects. They want to restrict which service projects can create firewall rules in the host project. What should they do?
IAM allows fine-grained control over who can create firewall rules in the host project.
Why this answer
Option A is correct because IAM roles with the `compute.firewalls.create` permission at the host project level allow you to precisely control which service projects can create firewall rules in the Shared VPC host project. By assigning a custom or predefined role (e.g., Compute Security Admin) that includes this permission to specific service project identities, you can restrict firewall rule creation to only authorized service projects while preventing others from doing so.
Exam trap
The trap here is that candidates confuse VPC Service Controls or hierarchical firewall policies with IAM-based permission control, mistakenly thinking these features can restrict which service projects can create firewall rules, when they actually serve different purposes (data exfiltration prevention and rule enforcement, respectively).
How to eliminate wrong answers
Option B is wrong because VPC Service Controls are designed to protect against data exfiltration by controlling access to Google Cloud APIs from outside a service perimeter, not to manage IAM permissions for creating firewall rules within a Shared VPC. Option C is wrong because hierarchical firewall policies are used to enforce consistent firewall rules across an organization hierarchy (folders, projects) and do not control which service projects can create rules; they apply rules, not permissions. Option D is wrong because organization policies can deny firewall rule creation globally (e.g., using a constraint like `compute.disableFirewallCreation`), but they cannot selectively allow or deny specific service projects; they are a blunt instrument that would block all firewall rule creation in the host project, including for authorized service projects.