Medium · 1 mark · Multiple Choice

GCP ACE · Question 42 · Domain 5.1: Managing Identity and Access Management (IAM)

Your security team has requested that a specific automated script be granted permission to start and stop Compute Engine instances, but absolutely nothing else. You review the predefined IAM roles and find that none of them match this exact set of permissions without granting additional access.

What should you do?

Answer options:

A.

Assign the roles/compute.instanceAdmin.v1 role.

B.

Create a custom IAM role containing only the compute.instances.start and compute.instances.stop permissions.

C.

Assign the primitive Editor role.

D.

Modify an existing predefined role to remove the unwanted permissions.

How to approach this question

Recognize when to use Custom IAM roles (when predefined roles grant too much or too little access).

Full Answer

B. Create a custom IAM role containing only the compute.instances.start and compute.instances.stop permissions. ✓ Correct
Predefined roles are curated by Google and cannot be edited, so when none of them matches the permission set you need (here every candidate grants more than start and stop), the least-privilege option is a custom IAM role. Create it at the project or organization level with exactly `compute.instances.start` and `compute.instances.stop` as its included permissions, then bind that role to the script's service account. Option A (`roles/compute.instanceAdmin.v1`) also grants creation, deletion and reconfiguration of instances; option C (the basic, formerly "primitive", Editor role) grants broad write access across nearly every service in the project; option D is impossible because predefined roles are read-only. After binding, run the script under the service account: if a call fails with PERMISSION_DENIED, the error names the missing permission, and that single permission is the only thing you add to the custom role.
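The check a practitioner actually performs before choosing option B, as an added example that is not code from the exam page or from Google: measure how far each predefined role is from the exact permission set, build the role definition that `gcloud iam roles create --file=role.json` accepts, bind it in a project IAM policy the way `gcloud projects add-iam-policy-binding` does (idempotently, without disturbing other bindings), and confirm the service account's effective permissions are exactly the two required. The project ID, service-account e-mail, role ID and the abbreviated predefined-role catalog are constructed placeholders; the real permission lists are much longer.

```python
"""Least-privilege check for a start/stop-only service account (added example).

PROJECT_ID, SA_EMAIL, ROLE_ID and PREDEFINED_ROLES are constructed placeholders.
The catalog is an illustrative subset; pull the real list with
`gcloud iam roles describe roles/compute.instanceAdmin.v1`.
"""
import json

PROJECT_ID = "example-project"  # assumption: placeholder project
SA_EMAIL = f"vm-scheduler@{PROJECT_ID}.iam.gserviceaccount.com"  # placeholder SA
ROLE_ID = "instanceStartStop"  # assumption: the custom role ID we choose
REQUIRED = frozenset({"compute.instances.start", "compute.instances.stop"})

# Constructed, abbreviated catalog of predefined role -> permissions.
PREDEFINED_ROLES = {
    "roles/compute.instanceAdmin.v1": frozenset({
        "compute.instances.create", "compute.instances.delete",
        "compute.instances.get", "compute.instances.list",
        "compute.instances.setMetadata", "compute.instances.start",
        "compute.instances.stop", "compute.disks.create",
    }),
    "roles/compute.viewer": frozenset({
        "compute.instances.get", "compute.instances.list",
    }),
}


def role_fit(required, granted):
    """Return (missing, excess) permissions for a candidate role."""
    return frozenset(required - granted), frozenset(granted - required)


def exact_match(required, catalog):
    """Name of a predefined role whose permissions equal `required`, else None."""
    return next((name for name, perms in catalog.items() if perms == required), None)


def custom_role_definition(required, title, description):
    """Role body in the shape `gcloud iam roles create --file=role.json` accepts."""
    return {
        "title": title,
        "description": description,
        "stage": "GA",
        "includedPermissions": sorted(required),
    }


def custom_role_name(project_id, role_id):
    """Fully qualified name of a project-level custom role, as used in bindings."""
    return f"projects/{project_id}/roles/{role_id}"


def add_binding(policy, role, member):
    """Idempotently add member to role in an IAM policy dict (API shape).

    Existing bindings are preserved, like `gcloud projects add-iam-policy-binding`.
    """
    for binding in policy.setdefault("bindings", []):
        if binding["role"] == role:
            if member not in binding["members"]:
                binding["members"].append(member)
            return policy
    policy["bindings"].append({"role": role, "members": [member]})
    return policy


def effective_permissions(policy, member, catalog):
    """Union of permissions from every role the member is bound to."""
    perms = set()
    for binding in policy.get("bindings", []):
        if member in binding["members"]:
            perms |= catalog.get(binding["role"], frozenset())
    return frozenset(perms)


def least_privilege_setup():
    """Build the custom role, bind it, verify the result; return a summary."""
    assert exact_match(REQUIRED, PREDEFINED_ROLES) is None, "a predefined role already fits"
    definition = custom_role_definition(
        REQUIRED, "VM Start/Stop", "Start and stop Compute Engine instances only")
    role = custom_role_name(PROJECT_ID, ROLE_ID)
    catalog = dict(PREDEFINED_ROLES)
    catalog[role] = frozenset(definition["includedPermissions"])

    policy = {"bindings": [], "etag": "BwXyz"}  # constructed empty project policy
    member = f"serviceAccount:{SA_EMAIL}"
    add_binding(policy, role, member)
    add_binding(policy, role, member)  # repeated call must be a no-op

    return {
        "role_file": json.dumps(definition, indent=2),
        "role": role,
        "excess_from_instanceAdmin": sorted(
            role_fit(REQUIRED, PREDEFINED_ROLES["roles/compute.instanceAdmin.v1"])[1]),
        "effective": effective_permissions(policy, member, catalog),
        "bindings": len(policy["bindings"]),
    }


if __name__ == "__main__":
    result = least_privilege_setup()
    print(result["role_file"])  # save as role.json for gcloud iam roles create --file
    print(f"gcloud projects add-iam-policy-binding {PROJECT_ID} "
          f"--member=serviceAccount:{SA_EMAIL} --role={result['role']}")
    print("effective permissions:", sorted(result["effective"]))
```

The printed JSON is what you pass to `gcloud iam roles create instanceStartStop --project=PROJECT_ID --file=role.json`; permissions that cannot be placed in a custom role at a given level are listed by `gcloud iam list-testable-permissions`, and both `compute.instances.start` and `compute.instances.stop` are supported. Verify the live result with `gcloud iam roles describe projects/PROJECT_ID/roles/instanceStartStop` rather than trusting the file you uploaded.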

Common mistakes

Thinking you can edit predefined roles (they are managed by Google and read-only), or settling for a broader predefined role such as instanceAdmin.v1 or Editor, which violates least privilege by granting the script permissions it will never use.

Practice the full GCP Associate Cloud Engineer Practice Exam 3
