L3. Google Cloud Resource Hierarchy: Organization, Folders, and Projects

Google Cloud organizes resources in a four-level hierarchy. The Digital Leader exam tests how Organization, Folders, Projects, and Resources relate to each other and how policies cascade.

The Google Cloud Resource Hierarchy

Google Cloud resources are organized in a hierarchical structure that maps to typical organizational structures and enables policy inheritance. The four levels (top to bottom):

1. Organization

The Organization is the root node representing a company. It is automatically created when you use Google Workspace or Cloud Identity. Key facts:

  • All organization resources (folders, projects, resources) are under a single Organization
  • Organization-level IAM policies apply to everything below
  • Organization Administrator role controls the entire organization
  • Recommended: apply security policies at the Organization level for broadest coverage

2. Folders

Folders are optional grouping nodes between the Organization and Projects. Use folders to mirror your organizational structure (departments, teams, environments). Examples:

  • Organization > IT Department > Production | Development
  • Organization > Finance | Marketing | Engineering > Projects

Key facts:

  • Folders can contain other folders (nesting supported)
  • IAM policies and Organization Policies applied to a folder cascade to all projects within

3. Projects

A Project is the base-level organizer for Google Cloud resources. Every resource must belong to a project. Key facts:

  • Every project has a unique Project ID (globally unique, immutable), Project Name, and Project Number
  • API enablement, billing, and service quotas are managed per project
  • IAM policies can be set at the project level
  • Deleting a project deletes all resources within it (after a 30-day grace period by default)

4. Resources

Resources are the actual Google Cloud services: a Compute Engine VM, a Cloud Storage bucket, a Cloud SQL instance.

Policy Inheritance

Policies set at a higher level cascade down to lower levels. A policy applied to the Organization node affects all folders, projects, and resources. Important: you can grant additional permissions at lower levels, but you cannot restrict policies inherited from higher levels using IAM alone. Use the Organization Policy Service to impose restrictive constraints at any level.

| Level | Examples | Contains |
| --- | --- | --- |
| Organization | company.com | Folders, Projects |
| Folder | Engineering, Finance | Folders, Projects |
| Project | my-production-app | Resources |
| Resource | VM, bucket, database | N/A |

Exam tip: IAM policies cascade down from Organization to Resource. Organization Policies set constraints that even project owners cannot override.
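
The inheritance rules above as a small Python model, added here as an illustration (it is not Google Cloud code and not part of the original lesson). The project finance-ledger, the principals and all bindings are constructed sample data; the constraint is treated as a simple deny-all switch, and lower-level Organization Policy overrides are not modelled.

```python
# Added example: simplified model of the hierarchy; all names and bindings are constructed.
from dataclasses import dataclass, field
from typing import Optional

EXT_IP = "constraints/compute.vmExternalIpAccess"  # modelled here as "deny all"

@dataclass
class Node:
    name: str
    parent: Optional["Node"] = None
    bindings: dict = field(default_factory=dict)    # IAM allow policy: role -> members
    constraints: set = field(default_factory=set)   # Organization Policy constraints set here

def ancestry(node):
    """Yield the node, then each ancestor up to the Organization root."""
    while node is not None:
        yield node
        node = node.parent

def effective_roles(node, member):
    """Roles the member holds at node, mapped to the level(s) that grant them."""
    granted = {}
    for level in ancestry(node):
        for role, members in level.bindings.items():
            if member in members:
                granted.setdefault(role, []).append(level.name)
    return granted

def enforced_constraints(node):
    """Constraints set on the node itself or inherited from any ancestor."""
    return set().union(*(level.constraints for level in ancestry(node)))

def can_assign_external_ip(project, member):
    """The constraint is checked first; an IAM role cannot lift it."""
    if EXT_IP in enforced_constraints(project):
        return False
    return "roles/owner" in effective_roles(project, member)

org = Node("company.com", bindings={"roles/viewer": {"auditor@company.com"}})
engineering = Node("Engineering", org, constraints={EXT_IP})
finance = Node("Finance", org)
prod = Node("my-production-app", engineering, {"roles/owner": {"dev@company.com"}})
ledger = Node("finance-ledger", finance, {"roles/owner": {"dev@company.com"}})

if __name__ == "__main__":
    for project in (prod, ledger):
        print(project.name, effective_roles(project, "auditor@company.com"),
              can_assign_external_ip(project, "dev@company.com"))
```

The auditor's Viewer role appears on both projects although neither project's own policy lists it, and the same project Owner is blocked only under the folder that carries the constraint.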

Exam Focus Points

  • Google Cloud hierarchy: Organization (root) > Folders > Projects > Resources
  • Every Google Cloud resource must belong to a Project
  • IAM policies and Organization Policies cascade down from higher to lower levels
  • Organization Policies (constraints) can enforce restrictions that project owners cannot override
  • Deleting a project deletes all resources within it after a 30-day grace period

Knowledge Check

1. A security administrator wants to enforce that no external IP addresses can be assigned to any Compute Engine VM across all projects in an organization. Which feature should they use?

2. Which of the following identifies a Google Cloud project, is globally unique, and cannot be changed after creation?
