Google Cloud Professional Cloud Security Engineer — Question 284
You're developing the incident response plan for your company. You need to define the access strategy that your DevOps team will use when reviewing and investigating a deployment issue in your Google Cloud environment. There are two main requirements:
- Least-privilege access must be enforced at all times.
- The DevOps team must be able to access the required resources only during the deployment issue.
How should you grant access while following Google-recommended best practices?
Answer options
- A. Assign the Project Viewer Identity and Access Management (IAM) role to the DevOps team.
- B. Create a custom IAM role with limited list/view permissions, and assign it to the DevOps team.
- C. Create a service account, and grant it the Project Owner IAM role. Give the Service Account User Role on this service account to the DevOps team.
- D. Create a service account, and grant it limited list/view permissions. Give the Service Account User Role on this service account to the DevOps team.
Correct answer: B
Explanation
The correct answer is B because creating a custom IAM role with limited permissions ensures that the DevOps team has only the access necessary to address deployment issues, in keeping with the principle of least privilege. Option A grants too much access, and option C goes further still by attaching the Project Owner role to the service account, which gives excessive permissions. Option D does restrict the access, but it routes it through a service account rather than a custom role that can be tailored to the team's specific needs.