Google Cloud Associate Cloud Engineer — Question 280
You are managing the security configuration of your company’s Google Cloud organization. The Operations team needs specific permissions on both a Google Kubernetes Engine (GKE) cluster and a Cloud SQL instance. Two predefined Identity and Access Management (IAM) roles exist that contain a subset of the permissions needed by the team. You need to configure the necessary IAM permissions for this team while following Google-recommended practices. What should you do?
Answer options
- A. Create a custom IAM role that combines the permissions from the two relevant predefined roles.
- B. Grant the team the two predefined IAM roles.
- C. Create a custom IAM role that includes only the required permissions from the predefined roles.
- D. Grant the team the IAM roles of Kubernetes Engine Admin and Cloud SQL Admin.
Correct answer: C
Explanation
The correct answer is C: a custom IAM role that includes only the required permissions follows the principle of least privilege, which is a Google-recommended practice. Option A is incorrect because combining the permissions of both predefined roles may grant permissions the team does not need. Option B does not follow the principle of least privilege, and Option D grants broad permissions that may exceed the team's actual needs.