Domain 5.1: Managing Identity and Access Management (IAM) — GCP ACE Practice Question 41

How to approach this question

Recognize when to use Custom IAM roles.

Full Answer

B.Create a custom IAM role containing only the 'compute.instances.start' and 'compute.instances.stop' permissions.✓ Correct

Create a custom IAM role containing only the 'compute.instances.start' and 'compute.instances.stop' permissions.

When predefined roles are too broad and violate the principle of least privilege, you should create a Custom IAM role. You can select the exact permissions needed (e.g., `compute.instances.start` and `compute.instances.stop`) and assign that custom role to the user.

Common mistakes

Granting a broader predefined role just because it's easier.

You need to grant a contractor the ability to start and stop Compute Engine instances, but they must NOT be able to create new instances or delete existing ones. No predefined role perfectly matches this requirement.

What should you do?

How to approach this question

Full Answer

Common mistakes

Practice the full GCP Associate Cloud Engineer Practice Exam 2

More questions from this exam

You need to grant a contractor the ability to start and stop Compute Engine instances, but they must NOT be able to create new instances or delete existing ones. No predefined role perfectly matches this requirement. What should you do?

How to approach this question

Full Answer

Common mistakes

Practice the full GCP Associate Cloud Engineer Practice Exam 2

More questions from this exam

You need to grant a contractor the ability to start and stop Compute Engine instances, but they must NOT be able to create new instances or delete existing ones. No predefined role perfectly matches this requirement.

What should you do?