ExpertMinds LogoExpertMinds
Medium1 markMultiple Choice
Domain 3: Designing for Security and ComplianceDomain 3IAMLeast PrivilegeSecurity

GCP PCA · Question 25 · Domain 3: Designing for Security and Compliance

You are auditing IAM permissions for a GCP project. You notice that several developers have been granted the roles/editor basic role. The security team requires that developers should only have the ability to view resources and manage Compute Engine instances, but they should not be able to modify IAM policies or access Cloud Storage buckets. What should you do?

Answer options:

A.

Keep the roles/editor role, but add a deny policy for Cloud Storage and IAM.

B.

Remove the roles/editor role. Grant the developers the roles/viewer and roles/compute.instanceAdmin.v1 predefined roles.

C.

Create a Custom Role with all permissions from the Editor role, minus the storage and IAM permissions.

D.

Remove the roles/editor role. Grant the roles/owner role to a service account and let developers impersonate it.

How to approach this question

Identify the anti-pattern: Basic roles (Owner/Editor/Viewer) are too broad. The solution is to use Predefined roles that match the exact job function.

Full Answer

B.Remove the `roles/editor` role. Grant the developers the `roles/viewer` and `roles/compute.instanceAdmin.v1` predefined roles.✓ Correct
Remove the `roles/editor` role. Grant the developers the `roles/viewer` and `roles/compute.instanceAdmin.v1` predefined roles.
The `roles/editor` role is a legacy Basic role that grants broad modify access across almost all GCP services. Best practice dictates using Predefined roles to enforce least privilege. Combining `roles/viewer` (read-only across the project) with `roles/compute.instanceAdmin.v1` (full control over VMs) exactly meets the security team's requirements.

Common mistakes

Choosing Custom Roles (C). While custom roles work, they are an administrative burden. You should only create custom roles if no combination of predefined roles fits the need.
24All questions26

Practice the full GCP Professional Cloud Architect Practice Exam 3

50 questions · hints · full answers · grading

Sign up freeTake the exam

More questions from this exam

Q01**CASE STUDY: TechStream Gaming** **Company Overview:** TechStream Gaming is a global gaming com...MediumQ02**CASE STUDY: TechStream Gaming** **Company Overview:** TechStream Gaming is a global gaming com...HardQ03**CASE STUDY: TechStream Gaming** **Company Overview:** TechStream Gaming is a global gaming com...MediumQ04**CASE STUDY: TechStream Gaming** **Company Overview:** TechStream Gaming is a global gaming com...EasyQ05**CASE STUDY: TechStream Gaming** **Company Overview:** TechStream Gaming is a global gaming com...Medium
View all 50 questions →