Google Cloud Professional Cloud Security Engineer — Question 249
You will create a new Service Account that should be able to list the Compute Engine instances in the project. You want to follow Google-recommended practices.
What should you do?
Answer options
- A. Create an Instance Template, and allow the Service Account Read Only access for the Compute Engine Access Scope.
- B. Create a custom role with the permission compute.instances.list and grant the Service Account this role.
- C. Give the Service Account the role of Compute Viewer, and use the new Service Account for all instances.
- D. Give the Service Account the role of Project Viewer, and use the new Service Account for all instances.
Correct answer: B
Explanation
The correct answer is B because a custom role containing only the permission compute.instances.list gives the Service Account exactly the access it needs and nothing more, which follows the principle of least privilege. Option A is incorrect because an Instance Template is not needed to list instances. Options C and D grant predefined roles (Compute Viewer, Project Viewer) that carry many more permissions than the requirement, which is not in line with Google-recommended practices.