Google Cloud Professional Cloud Security Engineer — Question 191
Your organization leverages folders to represent different teams within your Google Cloud environment. To support Infrastructure as Code (IaC) practices, each team receives a dedicated service account upon onboarding. You want to ensure that teams have comprehensive permissions to manage resources within their assigned folders while adhering to the principle of least privilege. You must design the permissions for these team-based service accounts in the most effective way possible. What should you do?
Answer options
- A. Grant each service account the folder administrator role on its respective folder.
- B. Grant each service account the project creator role at the organization level and use folder-level IAM conditions to restrict project creation to specific folders.
- C. Assign each service account the project editor role at the organization level and instruct teams to use IAM bindings at the folder level for fine-grained permissions.
- D. Assign each service account the folder IAM administrator role on its respective folder to allow teams to create and manage additional custom roles if needed.
Correct answer: A
Explanation
The correct answer is A because granting each service account the folder administrator role on its own folder gives it full management of the resources in that folder and nothing beyond it, which is exactly the scope the principle of least privilege calls for. Options B and C bind roles at the organization level, so the grant reaches every folder and exceeds the necessary access even with conditions or additional folder-level bindings layered on top. Option D grants the folder IAM administrator role, which covers managing IAM policies and roles rather than the resources the teams actually need to create and manage.