Exam Professional Cloud Security Engineer topic 1 question 29 discussion

The correct answer is B. https://cloud.google.com/vpc/docs/shared-vpc#svc_proj_admins

A is right. Source: https://cloud.google.com/compute/docs/access/iam#compute.networkUser

B) Compute Network User Role at the subnet level. The key points: In a Shared VPC, the subnets are configured in the host project. To allow another project to use a specific subnet, grant the Compute Network User role on that subnet. The Compute Shared VPC Admin role allows full administration, which is more privileged than needed. The Compute Network User role at the project level allows accessing all subnets, not just 10.1.1.0/24. So granting the Compute Network User role specifically on the 10.1.1.0/24 subnet gives targeted access to only that subnet, meeting the requirement. The subnet-level Compute Network User role provides the minimum necessary access to fulfill the need for Engineering Group A.

To enable Engineering Group A to attach a Compute Engine instance to only the 10.1.1.0/24 subnet in a Shared VPC setup, you should follow these steps: Grant the Compute Network User role at the service project level: This will allow members of Engineering Group A to create Compute Engine instances in their respective service projects. Grant the Compute Network User role specifically on the 10.1.1.0/24 subnet: To ensure that Engineering Group A can only attach instances to the desired subnet, you should grant the Compute Network User role directly at the subnet level. This way, they have the necessary permissions for that specific subnet without impacting other subnets in the Shared VPC. Option B, "Compute Network User Role at the subnet level," is the most appropriate choice in this scenario to achieve the desired outcome.

The correct answer is B per least privilegd access rule

"B" seems to be the most appropriate answer. See step 4 here: https://medium.com/google-cloud/google-cloud-shared-vpc-b33e0c9dd320

To enable Engineering Group A to attach a Compute Engine instance to only the 10.1.1.0/24 subnet in a Shared VPC Network where project co-vpc-prod is the host project, your team should grant Compute Network User Role at the subnet level. This will allow Engineering Group A to create and manage resources in the specified subnet while restricting them from making changes to other resources in the host project. Granting Compute Network User Role at the host project level would allow Engineering Group A to create and manage resources across all subnets in the host project, which is more than what is needed in this case. Compute Shared VPC Admin Role at either the host or service project level would give Engineering Group A too much control over the Shared VPC Network.

Admin role is not required

The correct answer is B - https://cloud.google.com/compute/docs/access/iam#compute.networkUser states that the lowest level it can be granted on is project however I did confirm on my own companies shared VPC that roles/compute.networkUser can be granted at the subnet level

Answer is A not B The least level the Compute Network User role can be assigned is at Project level and NOT subnet level. https://cloud.google.com/compute/docs/access/iam#compute.networkUser

Grant network.user at subnet level: https://cloud.google.com/vpc/docs/provisioning-shared-vpc#networkuseratsubnet

The correct answer is B. https://cloud.google.com/vpc/docs/shared-vpc#svc_proj_admins

Lowest level grant is at Project level. https://cloud.google.com/compute/docs/access/iam#compute.networkUser

based on that documentation it should clearly be done at the host project level : https://cloud.google.com/compute/docs/access/iam#compute.networkUser

https://cloud.google.com/vpc/docs/shared-vpc#svc_proj_admins

The correct answer is b

The right one is b on my thinking, but i need to enable the other team to do the jobs, falls into D