You need to give each member of your network operations team least-privilege access to create, modify, and delete Cloud Interconnect VLAN attachments. What should you do?
A.
Assign each user the editor role.
B.
Assign each user the compute.networkAdmin role.
C.
Give each user the following permissions only: compute.interconnectAttachments.create, compute.interconnectAttachments.get.
D.
Give each user the following permissions only: compute.interconnectAttachments.create, compute.interconnectAttachments.get, compute.routers.create, compute.routers.get, compute.routers.update.
The correct answer is "D", see this link below.
The permissions required for creating an Interconnect VLAN attachment are the following:
compute.interconnectAttachments.create
compute.interconnectAttachments.get
compute.routers.create
compute.routers.get
compute.routers.update
https://cloud.google.com/interconnect/docs/how-to/dedicated/creating-vlan-attachments
sc00by is right, it must be B because it has delete permission, see below from the console:
gcloud iam roles describe roles/compute.networkAdmin | grep inter
- compute.interconnectAttachments.create
- compute.interconnectAttachments.delete
- compute.interconnectAttachments.get
- compute.interconnectAttachments.list
- compute.interconnectAttachments.setLabels
- compute.interconnectAttachments.update
- compute.interconnectAttachments.use
To give each member of your network operations team least-privilege access to create, modify, and delete Cloud Interconnect VLAN attachments, you should give them the following permissions only:
• compute.interconnectAttachments.create
• compute.interconnectAttachments.get
• compute.routers.create
• compute.routers.get
• compute.routers.update
These permissions are the minimum required to create, modify, and delete Cloud Interconnect VLAN attachments.
The other options are incorrect because:
A. Assign each user the editor role. The editor role gives users too much access. It allows them to perform all actions on all resources in a project.
B. Assign each user the compute.networkAdmin role. The compute.networkAdmin role gives users too much access. It allows them to perform all actions on all Compute Engine resources in a project.
C. Give each user the following permissions only: compute.interconnectAttachments.create, compute.interconnectAttachments.get. These permissions are not enough to create, modify, and delete Cloud Interconnect VLAN attachments. They only allow users to create and get Cloud Interconnect VLAN attachments.
C : Assigning each user the permissions compute.interconnectAttachments.create and compute.interconnectAttachments.get ensures that they have the necessary privileges to create, modify, and delete Cloud Interconnect VLAN attachments, while limiting their access to only those specific actions. This approach follows the principle of least privilege, granting users only the permissions required for their tasks without providing unnecessary access to other resources.
Option C is the correct answer.
Explanation:
To provide least-privilege access to create, modify, and delete Cloud Interconnect VLAN attachments, you should give each user the minimum set of permissions required to perform these actions. The compute.interconnectAttachments.create and compute.interconnectAttachments.get permissions are required to create, modify, and delete VLAN attachments.
Option A (editor role) grants too many permissions, including permissions to modify IAM policies and billing settings.
Option B (compute.networkAdmin role) grants permissions to create and manage networks, subnets, routes, VPNs, and firewalls, in addition to Cloud Interconnect VLAN attachments.
Option D grants too many permissions, including permissions to create and modify routers, which are not required to manage VLAN attachments.
B: VLAN attachments (also known as interconnectAttachments) determine which Virtual Private Cloud (VPC) networks can reach your on-premises network through a Dedicated Interconnect connection. You can create VLAN attachments over connections that have passed all tests and are ready to use.
B - compute.networkAdmin had access to create, modify and delete vlans as you can see on link below: compute.interconnectAttachments.*
https://cloud.google.com/compute/docs/access/iam#compute.networkAdmin
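An added example, not posted by anyone in this thread, that checks each option's grant against the permissions needed for create, modify and delete. The permission lists come from the docs link and the gcloud output quoted above; the mapping of "modify" and "delete" to the update/delete permissions, and the router permissions included for the networkAdmin candidate (filtered out by the `grep inter` above), are this example's assumptions.

```python
"""Least-privilege coverage check for Cloud Interconnect VLAN attachments.

Constructed example: compares candidate grants against the permissions each
operation needs and derives the minimal set for a custom role.
"""

# Operation -> permissions (assumed mapping; "create" follows the docs page
# quoted in the thread, "modify"/"delete" use update/delete on the attachment).
REQUIRED = {
    "create": {
        "compute.interconnectAttachments.create",
        "compute.interconnectAttachments.get",
        "compute.routers.create",
        "compute.routers.get",
        "compute.routers.update",
    },
    "modify": {
        "compute.interconnectAttachments.get",
        "compute.interconnectAttachments.update",
    },
    "delete": {
        "compute.interconnectAttachments.get",
        "compute.interconnectAttachments.delete",
    },
}

# Candidate grants exactly as the answer options state them.
OPTION_C = {
    "compute.interconnectAttachments.create",
    "compute.interconnectAttachments.get",
}
OPTION_D = OPTION_C | {
    "compute.routers.create",
    "compute.routers.get",
    "compute.routers.update",
}
# roles/compute.networkAdmin: interconnectAttachments lines from the gcloud
# output in the thread, plus the compute.routers.* permissions the role also
# carries (assumed here because the thread's grep hid them).
NETWORK_ADMIN_SUBSET = {
    f"compute.interconnectAttachments.{verb}"
    for verb in ("create", "delete", "get", "list", "setLabels", "update", "use")
} | {"compute.routers.create", "compute.routers.get", "compute.routers.update"}


def missing_for(granted, operation):
    """Return the sorted permissions a grant lacks for one operation."""
    return sorted(REQUIRED[operation] - set(granted))


def evaluate(granted):
    """Map each operation to the permissions still missing from the grant."""
    return {op: missing_for(granted, op) for op in REQUIRED}


def least_privilege_set():
    """Union of all required permissions: the custom-role content to create."""
    return set().union(*REQUIRED.values())
```

Running `evaluate(OPTION_D)` shows that even D cannot delete, while `least_privilege_set()` is the set you would put in a custom role with `gcloud iam roles create` instead of granting compute.networkAdmin.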