At a large analytics company providing machine-learning services, the DevOps team requires access to all production services across multiple GCP projects to perform their duties efficiently. The goal is to grant them permissions without unnecessarily broadening their access due to future Google Cloud product changes. What is the Google-recommended practice for this scenario?
Explanation:
Option C is correct because creating a custom role with precisely the necessary permissions and assigning it to the DevOps team specifically on production projects adheres to the principle of least privilege. This approach ensures the team has the access they need without exposing the organization to unnecessary security risks. Options A and B are incorrect as they grant overly broad permissions (the Project Editor role) either at the project or organizational level, which could lead to security vulnerabilities. Option D is incorrect because applying the custom role at the organizational level would grant the DevOps team access to all projects, including non-production ones, which is not required. This method is not aligned with the principle of least privilege and could introduce security risks.