Your organization is implementing separation of duties in a Google Cloud project. A group of developers needs to deploy new code but must not have permissions to modify network firewall rules. What should you do?

Exam-Like

Assign the network administrator IAM role to all developers. Tell developers not to change firewall settings.

Use Access Context Manager to create conditions that allow only authorized administrators to change firewall rules based on attributes such as IP address or device security posture.

Create and assign two custom IAM roles. Assign the deployer role to control Compute Engine and deployment-related permissions. Assign the network administrator role to manage firewall permissions.

Grant the editor IAM role to the developer group. Explicitly negate any firewall modification permissions by using IAM deny policies.

Google Professional Cloud Security Engineer

Get started today

Comments

Your organization is implementing separation of duties in a Google Cloud project. A group of developers needs to deploy new code but must not have permissions to modify network firewall rules. What should you do?