23 questions across 6 exams
A new team member needs to be able to view all resources in a project, but should not be able to modify them. You want to follow the principle of least privilege. Which IAM role should you assign?
You need to grant a contractor the ability to start and stop Compute Engine instances, but they must NOT be able to create new instances or delete existing ones. No predefined role perfectly matches this requirement. What should you do?
A user named Alice belongs to the 'Developers' Google Group. The 'Developers' group is granted the 'Compute Viewer' role at the Folder level. Alice is also individually granted the 'Compute Admin' role at the Project level (which is inside the Folder). Which TWO statements are true regarding Alice's permissions on instances in the Project? (Select TWO)
You need to audit the IAM permissions for your GCP project. You want to view a list of all users, groups, and service accounts, along with the roles they have been granted at the project level. Which gcloud command should you use?
Your security team has requested that a specific automated script be granted permission to start and stop Compute Engine instances, but absolutely nothing else. You review the predefined IAM roles and find that none of them match this exact set of permissions without granting additional access. What should you do?
Google Cloud strongly recommends avoiding the use of primitive IAM roles (Owner, Editor, Viewer) in production environments. What is the primary reason for this recommendation?
You have a team of 10 developers who all need the 'roles/run.developer' role to deploy applications to Cloud Run. You want to manage their access efficiently so that when a developer leaves the team, their access can be easily revoked without modifying the project's IAM policy directly. Which TWO steps should you take? (Select TWO)
You are reviewing the IAM permissions for your project. You notice several users have the 'Editor' role. Why does Google recommend using Predefined roles instead of Primitive roles (like Owner, Editor, Viewer)?
You want to see a list of all users, groups, and service accounts that have been granted the `roles/storage.objectAdmin` role in your current project. Which gcloud command should you use?
You need to create a Custom IAM Role because none of the predefined roles exactly match your security requirements. You want to create this role using a YAML file that defines the title, description, and included permissions. Which command should you use to create the role at the project level?
Your company has a team of 50 developers. They all need the `roles/compute.instanceAdmin` role in the 'dev-project'. According to Google Cloud best practices, which TWO actions should you take to manage this access efficiently? (Select TWO)
When configuring Identity and Access Management (IAM) in Google Cloud, what is the recommended best practice regarding the use of Primitive roles (Owner, Editor, Viewer) versus Predefined roles?
You need to grant a new auditor access to your Google Cloud project. The auditor needs to be able to list and view the configuration of all Compute Engine instances, but they must NOT be able to start, stop, or modify them. They also should not have access to view Cloud Storage data. Which IAM role should you assign?
You have reviewed all predefined IAM roles but cannot find one that exactly matches the specific set of permissions required by a custom internal application. You decide to create a Custom IAM Role. Which TWO statements are true regarding Custom IAM Roles? (Select TWO)
A user is assigned the `roles/editor` (Project Editor) role at the Folder level. However, at the Project level (for a project inside that folder), the same user is explicitly assigned only the `roles/compute.viewer` role. What level of access does this user have to the Compute Engine instances in that project?
In Google Cloud Identity and Access Management (IAM), what is the primary difference between Primitive roles and Predefined roles?
Your company has a team of 50 data scientists who all need the 'BigQuery Data Viewer' role on a specific project. Team members frequently join and leave the company. What is the MOST efficient and secure way to manage these IAM assignments?
You are reviewing the IAM policies in your organization and realize that a predefined role grants slightly more permissions than your security team allows. You decide to create a Custom IAM role. Which TWO statements are true regarding Custom IAM roles? (Select TWO)
You are conducting a security audit and need to view the complete list of IAM role assignments (bindings) for a project named 'finance-prod-99'. Which gcloud command should you use?
You are reviewing IAM roles in your Google Cloud project. You notice several users have the 'Editor' role. According to Google Cloud security best practices, why should you avoid using the 'Editor' role?
Your security team requires a specific IAM role that allows users to start and stop Compute Engine instances, but absolutely nothing else (no creating, no deleting, no viewing disks). You have checked the predefined roles and none match this exact requirement. What should you do?
A user is granted the 'Compute Viewer' role at the Folder level. However, at the Project level (which is inside that Folder), the user is explicitly granted the 'Compute Admin' role. What level of access does the user have to Compute Engine resources in that project?
You need to audit the IAM policies for a project named 'finance-prod-123'. You want to see a list of all users and the roles they have been granted in this project using the Cloud SDK. Which TWO commands could you use to view this information? (Select TWO)
Full answers, grading, and explanations on why each answer is correct.
Expert