Medium · 1 mark · Multiple Choice

GCP ACE · Question 41 · Domain 5.1: Managing Identity and Access Management (IAM)

You need to grant a contractor the ability to start and stop Compute Engine instances, but they must NOT be able to create new instances or delete existing ones. No predefined role perfectly matches this requirement.

What should you do?

Answer options:

A. Grant the 'Compute Instance Admin' role.

B. Create a custom IAM role containing only the 'compute.instances.start' and 'compute.instances.stop' permissions.

C. Grant the 'Compute Viewer' role and use a firewall rule to block instance creation.

D. Use an IAM Deny policy to block 'compute.instances.create'.

How to approach this question

Recognize when to use Custom IAM roles.

Full Answer

B. Create a custom IAM role containing only the 'compute.instances.start' and 'compute.instances.stop' permissions. ✓ Correct

When predefined roles are too broad and violate the principle of least privilege, you should create a Custom IAM role. You can select the exact permissions needed (e.g., `compute.instances.start` and `compute.instances.stop`) and assign that custom role to the user.
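As an added illustration (not part of the exam page), the script below renders the custom role definition in the file format `gcloud iam roles create --file` accepts, refuses to proceed if a create or delete permission has slipped into the list, and then creates the role and binds it to the contractor. The project id, role id and contractor address are placeholders; the note that the contractor may also need `compute.instances.get` and `compute.instances.list` to see the instances they operate on is an assumption to verify against the IAM permissions reference.

```shell
#!/bin/sh
# Least-privilege custom role for start/stop only (added example, placeholders below).
set -eu

PROJECT_ID="${PROJECT_ID:-my-project-placeholder}"      # assumption: replace
ROLE_ID="${ROLE_ID:-instanceStartStop}"                  # assumption: any valid role id
CONTRACTOR="${CONTRACTOR:-contractor@example.com}"       # assumption: contractor's account

# Exactly the two permissions the question names. If the contractor must also
# list/inspect instances, add compute.instances.get and compute.instances.list
# (assumption; neither grants create or delete).
ROLE_PERMISSIONS="compute.instances.start,compute.instances.stop"

# Render the role definition YAML consumed by `gcloud iam roles create --file`.
render_role_yaml() {
  perms=$1
  printf 'title: Compute Instance Start/Stop\n'
  printf 'description: Start and stop existing instances only; no create or delete\n'
  printf 'stage: GA\n'
  printf 'includedPermissions:\n'
  printf '%s\n' "$perms" | tr ',' '\n' | while read -r p; do
    printf -- '- %s\n' "$p"
  done
}

# Guard: return 1 if any permission in the list would allow create or delete.
check_permissions() {
  printf '%s\n' "$1" | tr ',' '\n' \
    | grep -Eq '^compute\.instances\.(create|delete)$' && return 1
  return 0
}

# Create the custom role at project level and grant it to the contractor only.
create_and_bind() {
  gcloud iam roles create "$ROLE_ID" --project="$PROJECT_ID" --file=role.yaml
  gcloud projects add-iam-policy-binding "$PROJECT_ID" \
    --member="user:$CONTRACTOR" \
    --role="projects/$PROJECT_ID/roles/$ROLE_ID"
}

# Only touch the project when explicitly asked: ./role.sh --apply
if [ "${1:-}" = "--apply" ]; then
  check_permissions "$ROLE_PERMISSIONS" || { echo "refusing: create/delete in list" >&2; exit 1; }
  render_role_yaml "$ROLE_PERMISSIONS" > role.yaml
  create_and_bind
fi
```

Without `--apply` the script only defines the helpers, so it can be sourced to review the generated role.yaml before anything is granted.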

Common mistakes

Granting a broader predefined role just because it's easier.
