L3. Google Cloud Resource Hierarchy: Organization, Folders, and Projects
Google Cloud organizes resources in a four-level hierarchy. The Digital Leader exam tests how Organization, Folders, Projects, and Resources relate to each other and how policies cascade.
The Google Cloud Resource Hierarchy
Google Cloud resources are organized in a hierarchical structure that maps to typical organizational structures and enables policy inheritance. The four levels (top to bottom):
1. Organization
The Organization is the root node representing a company. It is automatically created when you use Google Workspace or Cloud Identity. Key facts:
- All organization resources (folders, projects, resources) are under a single Organization
- Organization-level IAM policies apply to everything below
- The Organization Administrator role controls the entire organization
- Recommended: apply security policies at the Organization level for broadest coverage
2. Folders
Folders are optional grouping nodes between the Organization and Projects. Use folders to mirror your organizational structure (departments, teams, environments). Examples:
- Organization > IT Department > Production | Development
- Organization > Finance | Marketing | Engineering > Projects
- Folders can contain other folders (nesting supported)
- IAM policies and Organization Policies applied to a folder cascade to all projects within
3. Projects
A Project is the base-level organizer for Google Cloud resources. Every resource must belong to a project. Key facts:
- Every project has a unique Project ID (globally unique, immutable), Project Name, and Project Number
- API enablement, billing, and service quotas are managed per project
- IAM policies can be set at the project level
- Deleting a project deletes all resources within it (after a 30-day grace period by default)
4. Resources
Resources are the actual Google Cloud services: a Compute Engine VM, a Cloud Storage bucket, a Cloud SQL instance.
Policy Inheritance
Policies set at a higher level cascade down to lower levels. A policy applied to the Organization node affects all folders, projects, and resources. Important: you can grant additional permissions at lower levels, but you cannot restrict policies inherited from higher levels using IAM alone. Use the Organization Policy Service to impose restrictive constraints at any level.
| Level | Examples | Contains |
|---|---|---|
| Organization | company.com | Folders, Projects |
| Folder | Engineering, Finance | Folders, Projects |
| Project | my-production-app | Resources |
| Resource | VM, bucket, database | N/A |
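An added example (not part of the original lesson) that models the inheritance rule above: the effective IAM allow policy on a node is the union of the bindings on that node and on every ancestor, so a project-level binding cannot narrow a grant made on a folder. The node names, members and bindings are constructed sample data, and the model covers allow bindings only.

```python
# Added example: simplified model of IAM allow-policy inheritance.
# Node names, members and bindings are constructed sample data.

# child -> parent (None marks the Organization root)
PARENT = {
    "org:company.com": None,
    "folder:Engineering": "org:company.com",
    "folder:Production": "folder:Engineering",
    "project:my-production-app": "folder:Production",
}

# Allow bindings set directly on each node: role -> members
BINDINGS = {
    "org:company.com": {"roles/viewer": {"group:auditors@company.com"}},
    "folder:Engineering": {"roles/editor": {"user:alice@company.com"}},
    "project:my-production-app": {
        "roles/viewer": {"user:alice@company.com"},
        "roles/storage.admin": {"user:bob@company.com"},
    },
}


def ancestry(node):
    """Return the path from node up to the Organization root."""
    path = []
    while node is not None:
        path.append(node)
        node = PARENT[node]
    return path


def effective_roles(node, member):
    """Union of roles granted to member on node and on every ancestor."""
    roles = set()
    for level in ancestry(node):
        for role, members in BINDINGS.get(level, {}).items():
            if member in members:
                roles.add(role)
    return roles


def grant_sources(node, member, role):
    """List the levels where role is granted, to locate an inherited grant."""
    return [lvl for lvl in ancestry(node)
            if member in BINDINGS.get(lvl, {}).get(role, set())]


if __name__ == "__main__":
    proj = "project:my-production-app"
    print(sorted(effective_roles(proj, "user:alice@company.com")))
    print(grant_sources(proj, "user:alice@company.com", "roles/editor"))
```

Alice is bound only to `roles/viewer` on the project, yet her effective roles there include `roles/editor` from the Engineering folder; `grant_sources` shows which level an access review has to change to remove it.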
- ✓ Google Cloud hierarchy: Organization (root) > Folders > Projects > Resources
- ✓ Every Google Cloud resource must belong to a Project
- ✓ IAM policies and Organization Policies cascade down from higher to lower levels
- ✓ Organization Policies (constraints) can enforce restrictions that project owners cannot override
- ✓ Deleting a project deletes all resources within it after a 30-day grace period
1. A security administrator wants to enforce that no external IP addresses can be assigned to any Compute Engine VM across all projects in an organization. Which feature should they use?
2. Which of the following identifies a Google Cloud project, is globally unique, and cannot be changed after creation?