Medium · 1 mark · Multiple Choice

GCP ACE · Question 42 · Domain 5.1: Managing Identity and Access Management (IAM)

Your security team requires a specific IAM role that allows users to start and stop Compute Engine instances, but absolutely nothing else (no creating, no deleting, no viewing disks). You have checked the predefined roles and none match this exact requirement.

What should you do?

Answer options:

A. Assign the 'Compute Instance Admin' predefined role.

B. Create a Custom IAM role containing only the 'compute.instances.start' and 'compute.instances.stop' permissions.

C. Assign the 'Editor' primitive role and use IAM conditions to restrict it.

D. Submit a feature request to Google Support to create a new predefined role.

How to approach this question

Identify the IAM feature used when predefined roles do not meet exact requirements.

Full Answer

B. Create a Custom IAM role containing only the 'compute.instances.start' and 'compute.instances.stop' permissions. ✓ Correct
When predefined roles do not meet your specific needs (either granting too much or too little access), you should create a Custom IAM role. Custom roles allow you to select the exact permissions (e.g., `compute.instances.start`) required, perfectly adhering to the principle of least privilege.

Common mistakes

Trying to use a predefined role that is 'close enough', which violates the strict security requirement stated in the prompt.
