ASSOCIATE-CLOUD-ENGINEER · Question #354
The correct answer is C: Create a custom IAM role that includes only the required permissions from the predefined roles.
Question
You are managing the security configuration of your company's Google Cloud organization. The Operations team needs specific permissions on both a Google Kubernetes Engine (GKE) cluster and a Cloud SQL instance. Two predefined Identity and Access Management (IAM) roles exist that contain a subset of the permissions needed by the team. You need to configure the necessary IAM permissions for this team while following Google-recommended practices. What should you do?
Options
- A. Grant the team the two predefined IAM roles.
- B. Create a custom IAM role that combines the permissions from the two relevant predefined roles.
- C. Create a custom IAM role that includes only the required permissions from the predefined roles.
- D. Grant the team the IAM roles of Kubernetes Engine Admin and Cloud SQL Admin.
Explanation
Granting more permissions than necessary violates the principle of least privilege, a fundamental security best practice. Option A does give the team everything it needs, because the required permissions are a subset of what the two predefined roles carry, but each predefined role also brings permissions the Operations team does not need for its work on GKE and Cloud SQL. Option B is no better: a custom role that merges the full permission lists of both predefined roles grants exactly the same superset, with the added maintenance burden of a custom role. Option D is the broadest of all; the Kubernetes Engine Admin and Cloud SQL Admin roles grant full control over those services, far beyond the team's specific needs. Google's IAM guidance is to use a predefined role when one matches the job and a custom role when none does, which is the case here. Creating a custom role lets you enumerate precisely the permissions the Operations team needs on the GKE cluster and the Cloud SQL instance, and nothing else, which minimizes the blast radius of an accidental or malicious action taken with the team's credentials. Two practical caveats: a custom role must list every permission explicitly, since it does not inherit from the predefined roles, and it does not pick up permissions Google later adds to those predefined roles, so review it when the services gain new permissions. Bind the role to a group rather than to individual users, and scope the binding to the project or resource rather than the organization where that is sufficient.
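The procedure behind option C, as an added example that is not part of the exam page or Google's documentation: take the permissions the team actually needs, keep only those the two predefined roles grant, write the role definition in the layout `gcloud iam roles create --file` accepts, and print the gcloud commands that would create and bind it. The required-permission list is hypothetical, the predefined-role permission lists are constructed, abbreviated stand-ins for the includedPermissions of roles/container.viewer and roles/cloudsql.editor, and ORG_ID, PROJECT_ID, the role ID opsGkeSql and the group address are placeholders.

```shell
#!/bin/sh
# Added example, not from the exam page or from Google: derive the minimal
# permission set for a custom role from two predefined roles, write the role
# definition gcloud expects, and print the gcloud commands that would apply it.
set -eu

# Permissions the Operations team actually needs. Hypothetical list chosen
# for illustration; the real list comes from the team's runbooks.
REQUIRED_PERMS="container.clusters.get
container.clusters.list
container.pods.list
cloudsql.instances.get
cloudsql.instances.list
cloudsql.instances.restart"

# Constructed, abbreviated stand-ins for the includedPermissions of
# roles/container.viewer and roles/cloudsql.editor. In practice pull the
# full lists with: gcloud iam roles describe roles/container.viewer
PREDEFINED_GKE_PERMS="container.clusters.get
container.clusters.list
container.nodes.list
container.pods.get
container.pods.list"
PREDEFINED_SQL_PERMS="cloudsql.databases.create
cloudsql.instances.get
cloudsql.instances.list
cloudsql.instances.restart
cloudsql.instances.update"

WORK="$(mktemp -d)"

# Sorted scratch files so comm(1) can compare the sets.
prepare_sets() {
  printf '%s\n' "$REQUIRED_PERMS" | sort -u > "$WORK/required"
  printf '%s\n%s\n' "$PREDEFINED_GKE_PERMS" "$PREDEFINED_SQL_PERMS" | sort -u > "$WORK/available"
}

# Option C: required permissions that the predefined roles do grant.
least_privilege_perms() {
  prepare_sets
  comm -12 "$WORK/required" "$WORK/available"
}

# Sanity check: required permissions neither predefined role carries
# (empty here, which is the scenario the question describes).
missing_perms() {
  prepare_sets
  comm -23 "$WORK/required" "$WORK/available"
}

# What option B (union of both predefined roles) would grant beyond need.
excess_perms_if_combined() {
  prepare_sets
  comm -13 "$WORK/required" "$WORK/available"
}

# Role definition in the YAML layout accepted by `gcloud iam roles create --file`.
write_role_yaml() {
  out="$1"
  {
    echo "title: Operations GKE and Cloud SQL"
    echo "description: Least-privilege role for the Operations team (added example)"
    echo "stage: GA"
    echo "includedPermissions:"
    least_privilege_perms | sed 's/^/- /'
  } > "$out"
}

# Commands to create the role at the organization and bind it on one project.
# ORG_ID, PROJECT_ID, opsGkeSql and the group address are placeholders.
print_gcloud_commands() {
  yaml="$1"
  echo "gcloud iam roles create opsGkeSql --organization=ORG_ID --file=$yaml"
  echo "gcloud projects add-iam-policy-binding PROJECT_ID --member=group:ops-team@example.com --role=organizations/ORG_ID/roles/opsGkeSql"
}

write_role_yaml "$WORK/role.yaml"
cat "$WORK/role.yaml"
echo "Excess permissions option B would have granted: $(excess_perms_if_combined | wc -l | tr -d ' ')"
print_gcloud_commands "$WORK/role.yaml"
```

Run it as-is to see the generated role file and the two gcloud commands; with these constructed lists the union of the two predefined roles (option B) would carry four permissions the team never asked for, while the generated role carries exactly the six it needs. Check `missing_perms` before creating the role: if it prints anything, the two predefined roles do not cover the requirement and a further role has to be consulted.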