Domain 5.1: Managing Identity and Access Management (IAM) — GCP ACE Practice Question 42

How to approach this question

Recognize when to use Custom IAM roles (when predefined roles grant too much or too little access).

Full Answer

B.Create a custom IAM role containing only the compute.instances.start and compute.instances.stop permissions.✓ Correct

Create a custom IAM role containing only the compute.instances.start and compute.instances.stop permissions.

When predefined roles do not meet your specific security requirements (e.g., they grant too many permissions), the best practice is to create a Custom IAM role. You can select the exact permissions needed (`compute.instances.start` and `compute.instances.stop`) and assign that custom role to the script's service account.

Common mistakes

Thinking you can edit predefined roles, or settling for a broader predefined role that violates least privilege.

How to approach this question

Full Answer

Common mistakes

Practice the full GCP Associate Cloud Engineer Practice Exam 3

More questions from this exam