Google Cloud Associate Cloud Engineer — Question 304
Your company uses a large number of Google Cloud services centralized in a single project. All teams have specific projects for testing and development. The DevOps team needs access to all of the production services in order to perform their job. You want to prevent Google Cloud product changes from broadening their permissions in the future. You want to follow Google-recommended practices. What should you do?
Answer options
- A. Grant all members of the DevOps team the role of Project Editor on the organization level.
- B. Grant all members of the DevOps team the role of Project Editor on the production project.
- C. Create a custom role that combines the required permissions. Grant the DevOps team the custom role on the production project.
- D. Create a custom role that combines the required permissions. Grant the DevOps team the custom role on the organization level.
Correct answer: C
Explanation
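The correct answer is C. A custom role contains only the permissions you put into it, and Google does not add permissions to it when products change, so the DevOps team gets precisely the permissions needed for their tasks without risking future permission escalation. Options A and B grant the Project Editor role, which is broader than necessary and is maintained by Google, so its permissions can grow as products change. Option D would apply the custom role organization-wide, which is not in line with the principle of least privilege.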