Medium · 1 mark · Multiple Choice
Subtask 3.1: Design for Security · Tags: IAM, Security, Least Privilege, Custom Roles

GCP PCA · Question 26 · Design for Security

You are designing the IAM hierarchy for a new GCP organization. The security team insists on the principle of least privilege. A group of developers needs to view Compute Engine instances, restart them, and view Cloud Storage buckets, but they must not be able to delete instances or create new buckets. How should you assign permissions?

Answer options:

A. Assign the predefined 'Compute Admin' and 'Storage Admin' roles to the developer group.

B. Assign the basic 'Editor' role to the developer group.

C. Create a Custom IAM Role with the specific permissions required and assign it to the developer group at the Folder or Project level.

D. Assign the 'Compute Viewer' and 'Storage Viewer' roles, and ask them to open a support ticket when they need to restart an instance.

How to approach this question

When predefined roles are too broad or too narrow, use Custom Roles to achieve exact least privilege.

Full Answer

C. Create a Custom IAM Role with the specific permissions required and assign it to the developer group at the Folder or Project level. ✓ Correct

Google Cloud provides hundreds of predefined IAM roles, but sometimes a specific job function requires a combination of permissions that no predefined role matches exactly. By creating a Custom IAM Role, you can select the exact API permissions needed (e.g., compute.instances.get, compute.instances.start, compute.instances.stop, storage.buckets.get) without granting destructive permissions like compute.instances.delete. The other options miss least privilege in one direction or the other: the Admin roles in A and the Editor role in B carry delete and create permissions the developers must not have, while the Viewer roles in D lack the start and stop permissions needed to restart an instance.
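As an added example (not part of the exam page), the role from the correct answer written as a custom role definition file, a small guard that rejects any destructive verb before the role is applied, and the gcloud calls that create the role in a project and bind it to the developer group there. The project ID, group address and role ID devInstanceOperator are placeholders; compute.instances.list, compute.instances.reset and storage.buckets.list are real permissions added beyond the four named above so that listing and restarting actually work.

```shell
#!/usr/bin/env bash
# Added example, not from the exam page. The project ID, the group address and
# the role ID devInstanceOperator are placeholders. The list/reset permissions
# are real Compute/Storage permissions added beyond the four named in the answer.
set -u

ROLE_FILE="${ROLE_FILE:-${TMPDIR:-/tmp}/dev-instance-operator.yaml}"

# Write the custom role definition. Only get/list/start/stop/reset verbs
# appear; no delete or create permission is granted anywhere.
write_role_yaml() {
  cat > "$ROLE_FILE" <<'EOF'
title: Developer Instance Operator
description: View and restart Compute Engine instances, view Cloud Storage buckets
stage: GA
includedPermissions:
- compute.instances.get
- compute.instances.list
- compute.instances.start
- compute.instances.stop
- compute.instances.reset
- storage.buckets.get
- storage.buckets.list
EOF
  printf '%s\n' "$ROLE_FILE"
}

# Least-privilege guard for review or CI: succeed (exit 0) only if no
# permission in the role file ends in a destructive verb.
check_no_destructive() {
  ! grep -E '^- [a-zA-Z.]+\.(delete|create|setIamPolicy)$' "$1" >/dev/null
}

# The real gcloud calls (need an authenticated gcloud; not run by the guard):
# create the role in the project, then bind it to the developer group there.
apply_role() {
  local project="$1" group="$2"
  gcloud iam roles create devInstanceOperator \
    --project="$project" --file="$ROLE_FILE"
  gcloud projects add-iam-policy-binding "$project" \
    --member="group:$group" \
    --role="projects/$project/roles/devInstanceOperator"
}

# Usage: write_role_yaml && check_no_destructive "$ROLE_FILE" \
#        && apply_role my-project-id developers@example.com
```

Binding at the Folder level instead works the same way with `gcloud resource-manager folders add-iam-policy-binding` and a role created with `--organization`; the guard is what keeps the definition honest as permissions are added over time.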

Common mistakes

Using basic roles (formerly called primitive roles: Owner, Editor, Viewer) is a major anti-pattern in GCP enterprise environments, because each of them grants broad permissions across every service in the project and therefore cannot express least privilege.

Practice the full GCP Professional Cloud Architect Practice Exam 7
