Google Cloud Professional Cloud Security Engineer — Question 167
Your organization is implementing separation of duties in a Google Cloud project. A group of developers must deploy new code, but cannot have permission to change network firewall rules. What should you do?
Answer options
- A. Assign the network administrator IAM role to all developers. Tell developers not to change firewall settings.
- B. Use Access Context Manager to create conditions that allow only authorized administrators to change firewall rules based on attributes such as IP address or device security posture.
- C. Create and assign two custom IAM roles. Assign the deployer role to control Compute Engine and deployment-related permissions. Assign the network administrator role to manage firewall permissions.
- D. Grant the editor IAM role to the developer group. Explicitly negate any firewall modification permissions by using IAM deny policies.
Correct answer: C
Explanation
The correct answer is C. Separation of duties is enforced by the permissions a principal actually holds, not by instructions, so the developers' role must contain the Compute Engine and deployment permissions they need and nothing from the compute.firewalls.* family; firewall management goes into a second role held by a different group. Two custom roles give exactly that fine-grained split, and binding each role to its own group means a developer cannot change a firewall rule even by accident. Option A relies on trust rather than enforcement: the network administrator role carries the firewall permissions, so nothing technical stops a developer from using them. Option B misapplies the tool: Access Context Manager defines access levels (IP ranges, device posture) that gate requests based on their context; it does not determine which roles a group holds and therefore does not separate deployment duties from network duties. Option D starts from the Editor basic role, which grants a very large set of permissions across nearly every service, and then tries to carve the firewall permissions back out with an IAM deny policy. Deny policies do take precedence over allow policies, but this is a denylist layered on an overly broad grant: developers keep everything in Editor that the deny policy does not name, which defeats least privilege, and deny policies support only a subset of IAM permissions, so the approach is not a reliable general mechanism for separation of duties.
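As an added example (not part of the exam question or of Google's documentation), the following POSIX shell script shows what answer C looks like in practice: two custom role definitions, a check that the deployer role grants no firewall-related permission, and the gcloud commands that create the roles and bind each to its own group. The project ID, group addresses and role IDs (deployer, firewallAdmin) are placeholders, and the permission lists are an illustrative minimal set, not a complete deployment role.

```shell
#!/bin/sh
# Added example: two custom IAM roles that split deployment from firewall
# administration. PROJECT_ID and the group addresses are placeholders.
PROJECT_ID="${PROJECT_ID:-my-project}"
DEV_GROUP="${DEV_GROUP:-developers@example.com}"
NETADMIN_GROUP="${NETADMIN_GROUP:-network-admins@example.com}"

# Write both role definitions into DIR. The deployer role holds only the
# Compute Engine permissions needed to roll out instances and templates;
# every compute.firewalls.* permission, plus compute.networks.updatePolicy
# (also required to create firewall rules), lives in the other role.
write_role_definitions() {
  dir="$1"
  cat > "$dir/deployer.yaml" <<'EOF'
title: Deployer
description: Deploy code to Compute Engine; no network or firewall administration
stage: GA
includedPermissions:
- compute.instances.create
- compute.instances.delete
- compute.instances.get
- compute.instances.list
- compute.instances.setMetadata
- compute.instances.start
- compute.instances.stop
- compute.instanceTemplates.create
- compute.instanceTemplates.get
- compute.instanceGroupManagers.update
- compute.disks.create
- compute.images.useReadOnly
- compute.subnetworks.use
- compute.zones.list
- compute.zoneOperations.get
- compute.projects.get
EOF
  cat > "$dir/firewall-admin.yaml" <<'EOF'
title: Firewall Administrator
description: Manage VPC firewall rules only
stage: GA
includedPermissions:
- compute.firewalls.create
- compute.firewalls.delete
- compute.firewalls.get
- compute.firewalls.list
- compute.firewalls.update
- compute.networks.updatePolicy
- compute.networks.list
EOF
}

# Returns 0 when the role file grants no firewall-related permission and
# 1 otherwise. Run it against the deployer role before applying it and
# after every later edit, so the separation is checked rather than assumed.
check_no_firewall_perms() {
  ! grep -Eq 'compute\.(firewalls\.|networks\.updatePolicy)' "$1"
}

# Create both roles in the project and bind each to its own group.
# Refuses to proceed if the deployer role would grant firewall access.
apply_roles() {
  dir="$1"
  check_no_firewall_perms "$dir/deployer.yaml" || {
    echo "deployer role grants firewall permissions; aborting" >&2
    return 1
  }
  gcloud iam roles create deployer --project="$PROJECT_ID" --file="$dir/deployer.yaml"
  gcloud iam roles create firewallAdmin --project="$PROJECT_ID" --file="$dir/firewall-admin.yaml"
  gcloud projects add-iam-policy-binding "$PROJECT_ID" \
    --member="group:$DEV_GROUP" --role="projects/$PROJECT_ID/roles/deployer"
  gcloud projects add-iam-policy-binding "$PROJECT_ID" \
    --member="group:$NETADMIN_GROUP" --role="projects/$PROJECT_ID/roles/firewallAdmin"
}

# Usage: sh roles.sh apply   (writes the YAML to a temp dir and applies it)
if [ "${1:-}" = "apply" ]; then
  workdir="$(mktemp -d)"
  write_role_definitions "$workdir"
  apply_roles "$workdir"
fi
```

The check is deliberately a plain pattern match on the role file rather than a query against the live project, so it can run in a pre-commit hook or CI step on the role definitions themselves; the same pattern can be pointed at `gcloud iam roles describe` output to audit a role that already exists.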