You are designing the IAM hierarchy for a new GCP organization. The security team insists on the principle of least privilege. A group of developers needs to view Compute Engine instances, restart them, and view Cloud Storage buckets, but they must not be able to delete instances or create new buckets. How should you assign permissions?

Assign the predefined 'Compute Admin' and 'Storage Admin' roles to the developer group.

Assign the basic 'Editor' role to the developer group.

Create a Custom IAM Role with the specific permissions required and assign it to the developer group at the Folder or Project level.

Assign the 'Compute Viewer' and 'Storage Viewer' roles, and ask them to open a support ticket when they need to restart an instance.