IAM roles and conditions, service accounts, org policies, VPC firewalls, and Cloud KMS.
In Google Cloud IAM, what is the fundamental difference between a primitive role (like Editor) and a predefined role (like Compute Instance Admin)?
A developer needs to view the configuration of Compute Engine instances and Cloud Storage buckets in a project, but should not be able to create, modify, or delete any resources. Which IAM role should you assign?
You need to grant a new team member access to manage Cloud SQL instances in a specific project. You want to follow the principle of least privilege. Which TWO actions should you take? (Select TWO)
You are creating a custom IAM role because predefined roles provide too much access. Which TWO statements are true regarding custom IAM roles? (Select TWO)
What is the primary purpose of a Google Cloud Service Account?
An application running on a Compute Engine VM needs to read files from a Cloud Storage bucket. What is the MOST secure way to grant the VM access to the bucket?
You need to run a script on your local on-premises workstation that interacts with GCP APIs. The script needs to authenticate as a service account. Which TWO steps are required? (Select TWO)
A new team member needs to be able to view all resources in a project, but should not be able to modify them. You want to follow the principle of least privilege.
Which IAM role should you assign?
You need to grant a contractor the ability to start and stop Compute Engine instances, but they must NOT be able to create new instances or delete existing ones. No predefined role perfectly matches this requirement.
What should you do?
A user named Alice belongs to the 'Developers' Google Group. The 'Developers' group is granted the 'Compute Viewer' role at the Folder level. Alice is also individually granted the 'Compute Admin' role at the Project level (which is inside the Folder).
Which TWO statements are true regarding Alice's permissions on instances in the Project? (Select TWO)
What is the primary purpose of a Service Account in Google Cloud?
You have an application running on a Compute Engine instance. The application needs to read files from a Cloud Storage bucket. You want to follow security best practices.
How should you grant the application access to the bucket?
You have a CI/CD pipeline running in 'Project-A'. The pipeline needs to deploy a Cloud Function into 'Project-B'. The pipeline authenticates using a Service Account located in 'Project-A'.
Which TWO steps are required to allow the pipeline to deploy the function? (Select TWO)
You need to audit the IAM permissions for your GCP project. You want to view a list of all users, groups, and service accounts, along with the roles they have been granted at the project level.
Which gcloud command should you use?
Your security team has requested that a specific automated script be granted permission to start and stop Compute Engine instances, but absolutely nothing else. You review the predefined IAM roles and find that none of them match this exact set of permissions without granting additional access.
What should you do?
Google Cloud strongly recommends avoiding the use of primitive IAM roles (Owner, Editor, Viewer) in production environments.
What is the primary reason for this recommendation?
You have a team of 10 developers who all need the 'roles/run.developer' role to deploy applications to Cloud Run. You want to manage their access efficiently so that when a developer leaves the team, their access can be easily revoked without modifying the project's IAM policy directly.
Which TWO steps should you take? (Select TWO)
An application running on a Compute Engine VM needs to read files from a specific Cloud Storage bucket. You want to follow the principle of least privilege.
How should you grant the VM access to the bucket?
You have an application running on an on-premises server (outside of Google Cloud) that needs to publish messages to a Cloud Pub/Sub topic. You have created a Service Account with the necessary Pub/Sub Publisher role.
How should the on-premises application authenticate as this Service Account?
You have two GCP projects: 'Project-App' and 'Project-Data'. A Compute Engine VM in 'Project-App' needs to read data from a Cloud Storage bucket located in 'Project-Data'.
Which TWO steps are required to configure this cross-project access securely? (Select TWO)
You are reviewing the IAM permissions for your project. You notice several users have the 'Editor' role.
Why does Google recommend using Predefined roles instead of Primitive roles (like Owner, Editor, Viewer)?
You want to see a list of all users, groups, and service accounts that have been granted the roles/storage.objectAdmin role in your current project.
Which gcloud command should you use?
You need to create a Custom IAM Role because none of the predefined roles exactly match your security requirements. You want to create this role using a YAML file that defines the title, description, and included permissions.
Which command should you use to create the role at the project level?
Your company has a team of 50 developers. They all need the roles/compute.instanceAdmin role in the 'dev-project'.
According to Google Cloud best practices, which TWO actions should you take to manage this access efficiently? (Select TWO)
You have an application running on a Compute Engine VM that needs to read files from a specific Cloud Storage bucket.
What is the MOST secure way to grant the VM access to the bucket?
You have an application running on-premises (outside of GCP) that needs to write data to Cloud Pub/Sub. You have created a service account for this application and generated a JSON key file.
Which TWO practices should you follow to secure this service account key? (Select TWO)
When configuring Identity and Access Management (IAM) in Google Cloud, what is the recommended best practice regarding the use of Primitive roles (Owner, Editor, Viewer) versus Predefined roles?
You need to grant a new auditor access to your Google Cloud project. The auditor needs to be able to list and view the configuration of all Compute Engine instances, but they must NOT be able to start, stop, or modify them. They also should not have access to view Cloud Storage data.
Which IAM role should you assign?
You have reviewed all predefined IAM roles but cannot find one that exactly matches the specific set of permissions required by a custom internal application. You decide to create a Custom IAM Role.
Which TWO statements are true regarding Custom IAM Roles? (Select TWO)