
Answer-first summary for fast verification
Answer: Create and assign two custom IAM roles. Assign the deployer role to control Compute Engine and deployment-related permissions. Assign the network administrator role to manage firewall permissions.
Option C is correct because it implements least privilege and separation of duties through custom IAM roles: a 'deployer' role containing only the Compute Engine and deployment-related permissions developers need, and a separate 'network administrator' role holding the firewall permissions, so developers cannot modify firewall rules. Option A is incorrect because it grants excessive permissions (the network administrator role) and relies on policy rather than technical controls. Option B uses Access Context Manager for conditional access but does not address the core requirement of separating the permissions themselves. Option D grants the overly permissive Editor role and then carves permissions out with IAM deny policies, which is less secure than allow-based custom roles that grant only what is needed.
Author: LeetQuiz Editorial Team
Your organization is implementing separation of duties in a Google Cloud project. A group of developers needs to deploy new code but must not have permissions to modify network firewall rules. What should you do?
A
Assign the network administrator IAM role to all developers. Tell developers not to change firewall settings.
B
Use Access Context Manager to create conditions that allow only authorized administrators to change firewall rules based on attributes such as IP address or device security posture.
C
Create and assign two custom IAM roles. Assign the deployer role to control Compute Engine and deployment-related permissions. Assign the network administrator role to manage firewall permissions.
D
Grant the editor IAM role to the developer group. Explicitly negate any firewall modification permissions by using IAM deny policies.